Security

Why do I see "Invalid credentials" while creating an LDAP strategy with the "ssl start_tls" config?

Splunk Employee

If I add a strategy to authentication.conf manually and edit ldap.conf:

authentication.conf
[test_ldap]
SSLEnabled = 1
host = ldap.myldap.com
port = 636
anonymous_referrals = 1
bindDN = xxxx
bindDNpassword = xxxx
emailAttribute = mail
groupBaseDN = xxxx
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
nestedGroups = 0
network_timeout = 20
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = dc=xxxx
userNameAttribute = uid

ldap.conf
ssl start_tls
TLS_REQCERT never
TLS_CERT <SPLUNKHOME>/auth/mycert.pem
TLS_KEY <SPLUNKHOME>/auth/myprivatekey.pem

Splunk Employee

The reason for the failure is that TLS_CERT and TLS_KEY are user-only options according to the man page for LDAP.CONF(5).

TLS_CERT
Specifies the file that contains the client certificate. This is a user-only option.

TLS_KEY
Specifies the file that contains the private key that matches the certificate stored in the TLS_CERT file. Currently, the private key must not be protected with a password, so it is of critical importance that the key file is protected carefully. This is a user-only option.

All user-only options must be in the .ldaprc or ldaprc file, not in ldap.conf. The location for .ldaprc/ldaprc is under the user's home directory, not under the Splunk install directory.

user files $HOME/ldaprc, $HOME/.ldaprc

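As an added example (not code from the original thread or from Splunk), the following small linter flags the mistake described in the answer above: ldap.conf(5) states that user-only options such as TLS_CERT and TLS_KEY are ignored when present in ldap.conf and are read only from $HOME/ldaprc or $HOME/.ldaprc, so the client never presents the certificate configured there. The sample configuration is constructed to mirror the ldap.conf from the question; the TLS_REQCERT check is an extra caveat.

```python
import re

# Options the ldap.conf(5) man page marks "user-only" (read from ldaprc only).
USER_ONLY_OPTIONS = {"TLS_CERT", "TLS_KEY"}


def parse_ldap_conf(text):
    """Parse ldap.conf-style text into (KEY, value) pairs.

    Keys are case-insensitive and normalised to upper case; blank lines and
    '#' comments are skipped; the value is the remainder of the line.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        entries.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
    return entries


def lint_ldap_conf(text, path="ldap.conf"):
    """Return a list of findings for a system-wide ldap.conf."""
    findings = []
    for key, value in parse_ldap_conf(text):
        if key in USER_ONLY_OPTIONS:
            findings.append(f"{key} is a user-only option and is ignored in {path}; "
                            f"move it to $HOME/.ldaprc (or $HOME/ldaprc) of the "
                            f"account that runs the LDAP client")
        elif key == "TLS_REQCERT" and value.lower() == "never":
            findings.append("TLS_REQCERT never disables server certificate "
                            "verification; prefer 'demand' with a trusted TLS_CACERT")
    return findings


def split_user_only(text):
    """Split config text into lines that stay in ldap.conf and lines that
    belong in the user's ldaprc, preserving the original line text."""
    system, user = [], []
    for raw in text.splitlines():
        parsed = parse_ldap_conf(raw)
        key = parsed[0][0] if parsed else ""
        (user if key in USER_ONLY_OPTIONS else system).append(raw)
    return system, user


# Constructed sample mirroring the ldap.conf posted in the question.
SAMPLE_LDAP_CONF = """\
ssl start_tls
TLS_REQCERT never
TLS_CERT <SPLUNKHOME>/auth/mycert.pem
TLS_KEY <SPLUNKHOME>/auth/myprivatekey.pem
"""

if __name__ == "__main__":
    for finding in lint_ldap_conf(SAMPLE_LDAP_CONF):
        print("WARNING:", finding)
    system_lines, user_lines = split_user_only(SAMPLE_LDAP_CONF)
    print("keep in ldap.conf:", system_lines)
    print("move to ~/.ldaprc:", user_lines)
```

Run it against a real ldap.conf by reading the file into `lint_ldap_conf`; an empty result means no user-only options are being silently dropped.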