
Why are we unable to retrieve the list of all LDAP users?

jpetrakovic
Explorer

I was looking at my list of users and noticed that there are quite a few users missing that should be there. We are using LDAP authentication. I checked both Access Controls >> Users and ran rest /services/authentication/users splunk_server=local, I got the same partial list each time.

Currently I'm running 7.1.3, but I had the same problem on older versions as well.

I saw a few posts referencing that the user may need to log in first before they appear in the list; I can confirm that some users that have recently logged into Splunk are not visible. One of the accounts is my test account that I use frequently in Splunk.

I turned on debug logging for AuthenticationManagerLDAP and I see entries like this for every user that has Splunk access, including my test account and others that do not appear in the users list:

DEBUG AuthenticationManagerLDAP - Listing cached user="username"

I don't see any other errors that might indicate an issue - has anyone run into this problem before?

1 Solution

jpetrakovic
Explorer

Support was able to figure out this problem, so I figured I would post their fix in case it helps anyone else.

Apparently this was caused by a functionality difference between an older version of Splunk and Splunk 7.2 (although I had this problem before 7.2).

In the authorize.conf under my admin role stanza, I had the following two settings:
edit_roles_grantable = enabled
grantableRoles = system_admin

These lines used to be required, but now they're not. I removed these lines from authorize.conf, rebooted the search head, and all was well.


VexenCrabtree
Path Finder

Perhaps it was the search head reboot that really fixed the issue, though...


jpetrakovic
Explorer

Very unlikely as the search head is rebooted regularly for various reasons.


MuS
Legend

There are two limits that you could hit here, one being Splunk with the default limit in authentication.conf being set to 1000:

sizelimit = <integer>
* OPTIONAL
* Limits the amount of entries we request in LDAP search
* IMPORTANT: The max entries returned is still subject to the maximum
  imposed by your LDAP server
  * Example: If you set this to 5000 and the server limits it to 1000,
             you'll still only get 1000 entries back
* Defaults to 1000

Which is the same as the default size limit in AD
https://support.microsoft.com/en-nz/help/315071/how-to-view-and-set-ldap-policy-in-active-directory-...

Maybe this helps to find the cause for this.

cheers, MuS

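As an added check (my own example, not code from this thread or from Splunk), the script below parses constructed authorize.conf and authentication.conf fragments and reports the two things discussed above: role stanzas that still carry the legacy edit_roles_grantable/grantableRoles keys from the accepted answer, and how many LDAP entries each strategy can actually receive once MuS's two limits (Splunk's sizelimit and the LDAP server's own cap, 1000 by default in AD) are combined. The stanza names, host and DNs are assumptions.

```python
import configparser
from typing import Dict, List

# Constructed sample fragments modelled on the settings quoted in the thread;
# the stanza names, host and DNs are placeholders, not a real deployment.
AUTHORIZE_CONF = """
[role_admin]
edit_roles_grantable = enabled
grantableRoles = system_admin
importRoles = user

[role_user]
srchIndexesAllowed = main
"""

AUTHENTICATION_CONF = """
[authentication]
authType = LDAP
authSettings = corp_ad

[corp_ad]
host = ldap.example.invalid
groupBaseDN = OU=Groups,DC=example,DC=invalid
sizelimit = 10000
"""

LEGACY_ROLE_KEYS = ("edit_roles_grantable", "grantableRoles")
AD_MAX_PAGE_SIZE = 1000  # AD's default MaxPageSize, the server-side cap MuS mentions

def parse_conf(text: str) -> configparser.ConfigParser:
    """Parse a Splunk .conf file: stanzas are INI sections; keep key case as written."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk keys such as grantableRoles are case-sensitive
    cp.read_string(text)
    return cp

def legacy_role_settings(text: str) -> Dict[str, List[str]]:
    """Map each role_* stanza to the legacy grantable-role keys it still carries."""
    cp = parse_conf(text)
    return {s: keys for s in cp.sections() if s.startswith("role_")
            and (keys := [k for k in LEGACY_ROLE_KEYS if cp.has_option(s, k)])}

def effective_ldap_sizelimit(text: str, server_max: int = AD_MAX_PAGE_SIZE) -> Dict[str, int]:
    """Entries Splunk can really receive per LDAP strategy: min(sizelimit, server cap)."""
    cp = parse_conf(text)
    names = [n.strip() for n in cp.get("authentication", "authSettings", fallback="").split(",")]
    return {n: min(cp.getint(n, "sizelimit", fallback=1000), server_max) for n in names if n}
```

A strategy whose effective value is below the number of users in the group base DN is truncated at the server, so raising sizelimit alone will not surface the missing users.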

bjarnedein
Explorer

When sizelimit is set to 10000, we still can only get 1000 rows out of: | rest services/admin/LDAP-groups using SPL, while ldapsearch can easily provide the 10000.

What is then wrong?

We are running v7.1.3

harsmarvania57
Ultra Champion

Have you mapped those missing users into LDAP group in LDAP and mapped that LDAP group with role(s) in Splunk ?


jpetrakovic
Explorer

Yes, I have. The users can sign into Splunk using their AD credentials and have the permissions granted by their assigned roles. I can even see the users' DNs when looking at the groups in "Map Roles."


adonio
Ultra Champion

How many Splunk instances are connected to LDAP?

jpetrakovic
Explorer

3 - our indexer, search head, and deployment server. I should have added this in the original description: we have a distributed, non-clustered environment, if that makes a difference. I only see this issue on the search head, which is where 95% of my users are logging onto, so it has a lot more role mappings via LDAP than the other instances.

anthonymelita
Contributor

Interested to see what the answer ends up being. I'm having a very similar but larger issue. I tried granting extra permissions and even mapping a new group to a new role, and the users seem to be stuck with only their original limited access. For one of the users I deleted their profile folder from $SPLUNK_HOME/etc/users; it was re-created the next time they logged in, but they did not appear in the Users list (through the UI or a |rest search), nor did their role get updated.

In my case it's on a search head cluster.

jpetrakovic
Explorer

I just opened a support ticket. After tweaking some of the LDAP settings, I started to receive size limit errors, so I figured I needed more restrictive query settings. However, after filtering the search down to the point where it should just return 6 users (which it did in a normal ldap search), I still received the size limit errors. I'll let you know what support comes back with!

For your issue, is your new group in an OU that Splunk is configured to look at? Maybe check your group base DN if you haven't already?
