I was looking at my list of users and noticed that there are quite a few users missing that should be there. We are using LDAP authentication. I checked both Access Controls >> Users and ran
| rest /services/authentication/users splunk_server=local, and I got the same partial list each time.
Currently I'm running 7.1.3, but I had the same problem on older versions as well.
I saw a few posts referencing that the user may need to log in first before they appear in the list; I can confirm that some users that have recently logged into Splunk are not visible. One of the accounts is my test account that I use frequently in Splunk.
I turned on debug logging for AuthenticationManagerLDAP and I see entries like this for every user that has Splunk access, including my test account and others that do not appear in the users list:
DEBUG AuthenticationManagerLDAP - Listing cached user="username"
I don't see any other errors that might indicate an issue - has anyone run into this problem before?
Have you mapped those missing users into an LDAP group in LDAP, and mapped that LDAP group to role(s) in Splunk?
Yes, I have. The users can sign into Splunk using their AD credentials and have the permissions granted by their assigned roles. I can even see the users' DNs when looking at the groups in "Map Roles."
3 - our indexer, search head, and deployment server. I should have added this in the original description, we have a distributed, non-clustered environment if that makes a difference. I only see this issue on the search head, which is where 95% of my users are logging onto, so it has a lot more role mappings via LDAP than the other instances.
Interested to see what the answer ends up being. I'm having a very similar but larger issue. I tried granting extra permissions and even mapping a new group to a new role, and the users seem to be stuck with only their original limited access. For one of the users, I deleted their profile folder from $SPLUNK_HOME/etc/users; it was re-created the next time they logged in, but they did not appear in the Users list (through the UI or a | rest search), nor did their role get updated.
In my case it's on a search head cluster.
I just opened a support ticket. After tweaking some of the LDAP settings, I started to receive size limit errors, so I figured I needed more restrictive query settings. However, after filtering the search down to the point where it should just return 6 users (which it did in a normal ldap search), I still received the size limit errors. I'll let you know what support comes back with!
For your issue, is your new group in an OU that Splunk is configured to look at? Maybe check your group base DN if you haven't already?
There are two limits that you could hit here, one being Splunk, with the default limit in authentication.conf being set to 1000:
sizelimit = <integer>
* OPTIONAL
* Limits the amount of entries we request in LDAP search
* IMPORTANT: The max entries returned is still subject to the maximum imposed by your LDAP server
* Example: If you set this to 5000 and the server limits it to 1000, you'll still only get 1000 entries back
* Defaults to 1000
which is the same as the default size limit in AD.
Maybe this helps to find the cause for this.
When sizelimit is set to 10000, we still only get 1000 rows out of | rest services/admin/LDAP-groups using SPL, while ldapsearch can easily return the 10000.
What is then wrong?
We're running v7.1.3.
Support was able to figure out this problem, so I figured I would post their fix in case it helps anyone else.
Apparently this was caused by functionality difference between an older version of Splunk and Splunk 7.2 (although I had this problem before 7.2).
In the authorize.conf under my admin role stanza, I had the following two settings:
editrolesgrantable = enabled
grantableRoles = system_admin
These lines used to be required, but now they're not. I removed these lines from authorize.conf, rebooted the search head, and all was well.
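Two things in this thread are easy to check mechanically on a search head: the effective LDAP size limit (the lower of the sizelimit requested in authentication.conf and the limit the directory server imposes, as the authentication.conf.spec excerpt above describes), and whether an admin role stanza in authorize.conf still carries the editrolesgrantable / grantableRoles settings that support asked to be removed. The script below is an added example, not code from the thread or from Splunk; the two .conf samples are constructed, the stanza parser is a minimal reimplementation of Splunk's key = value layout (key names compared case-insensitively), and the 1000 default for the directory server is the AD default the thread mentions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample authentication.conf: one LDAP strategy named "corp_ad".
# Stanza and key names follow Splunk's documented layout; the values are made up.
AUTHENTICATION_CONF = """
[authentication]
authType = LDAP
authSettings = corp_ad

[corp_ad]
host = ldap.example.internal
port = 636
SSLEnabled = 1
userBaseDN = OU=Users,DC=example,DC=internal
groupBaseDN = OU=Groups,DC=example,DC=internal
sizelimit = 10000
"""

# Constructed sample authorize.conf with the two settings the thread removed.
AUTHORIZE_CONF = """
[role_admin]
importRoles = power;user
editrolesgrantable = enabled
grantableRoles = system_admin

[role_power]
importRoles = user
"""

SPLUNK_DEFAULT_SIZELIMIT = 1000   # authentication.conf.spec: "Defaults to 1000"
AD_DEFAULT_SIZELIMIT = 1000       # default size limit in AD, as stated in the thread

# Settings the thread reports as no longer required in a role stanza (lower-cased).
LEGACY_GRANT_KEYS = ("editrolesgrantable", "grantableroles")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk-style .conf text into {stanza: {key: value}}; keys are lower-cased."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip().lower()] = value.strip()
    return stanzas


def ldap_strategies(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the LDAP strategy stanza names listed in [authentication] authSettings."""
    auth = conf.get("authentication", {})
    if auth.get("authtype", "").upper() != "LDAP":
        return []
    return [s.strip() for s in auth.get("authsettings", "").split(",") if s.strip()]


def effective_sizelimit(conf: Dict[str, Dict[str, str]], strategy: str,
                        server_limit: int = AD_DEFAULT_SIZELIMIT) -> Tuple[int, str]:
    """Return (entries you will actually get back, which side is the binding limit).

    Splunk asks for `sizelimit` entries (default 1000 when unset); the server still
    caps the answer at its own limit, so the effective value is the smaller one.
    """
    requested = int(conf.get(strategy, {}).get("sizelimit", SPLUNK_DEFAULT_SIZELIMIT))
    if requested <= server_limit:
        return requested, "splunk"   # raising sizelimit would help
    return server_limit, "server"    # raising sizelimit alone changes nothing


def legacy_grant_settings(conf: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """List (stanza, key, value) for role stanzas still carrying the legacy grant keys."""
    flagged = []
    for stanza, keys in conf.items():
        if not stanza.startswith("role_"):
            continue
        for key in LEGACY_GRANT_KEYS:
            if key in keys:
                flagged.append((stanza, key, keys[key]))
    return flagged


if __name__ == "__main__":
    auth_conf = parse_conf(AUTHENTICATION_CONF)
    for strategy in ldap_strategies(auth_conf):
        limit, side = effective_sizelimit(auth_conf, strategy)
        print(f"{strategy}: effective sizelimit {limit} (bound by {side})")
    for stanza, key, value in legacy_grant_settings(parse_conf(AUTHORIZE_CONF)):
        print(f"{stanza}: legacy setting {key} = {value}")
```

With the constructed sample, corp_ad asks for 10000 but the directory default of 1000 is the binding limit, which is the situation described earlier in the thread where ldapsearch returns more rows than Splunk does; passing a higher server_limit shows the case where the authentication.conf value becomes the binding one. The authorize.conf pass flags role_admin twice, once per legacy key, and leaves role_power alone.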