Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is our Splunk LDAP / Active Directory authentication not showing security groups?

dpratt9
New Member
‎09-03-2015 08:49 AM

We've inherited a Splunk deployment that is authenticating against Active Directory with LDAP.

We can see users and distribution groups from AD, but not security groups.

Can you help point me in the right direction for why we cannot see security groups for managing access to our Splunk deployment?

[DOMAIN - ActiveDirectory]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = <redacted>
bindDNpassword = 
charset = utf8
dynamicMemberAttribute = member
emailAttribute = mail
groupBaseDN = <redacted>
groupBaseFilter = (objectclass=group)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = myserver.mydomain
nestedGroups = 1
network_timeout = 20
port = 666
realNameAttribute = displayname
sizelimit = 980
timelimit = 15
userBaseDN = <redacted>
userNameAttribute = samaccountname
0 Karma
Reply

doksu
Contributor
‎09-06-2015 03:48 PM

Turning on debug level logging may help:

Setting > Server settings > Server logging > ScopedLDAPConnection > DEBUG
Setting > Server settings > Server logging > AuthenticationManagerLDAP > DEBUG

We had a similar issue and discovered that the LDAP query Splunk runs always has the filter: (displayname=*), so if an object doesn't have its display name populated, Splunk won't "see" the object.

0 Karma
Reply

dpratt9
New Member
‎09-08-2015 01:58 PM

So far we've been unable to see a (displayname=*) filter present in our LDAP queries when debugging. However, we did notice that our LDAP query is only displaying 2,000 (of 2,613) groups even after increasing our LDAP query limits on the Splunk side.

Continuing to dig...

0 Karma
Reply

teunlaan
Contributor
‎09-04-2015 12:42 AM

Keep in mind Splunk only displays groups when the are Users in that group.

0 Karma
Reply

dpratt9
New Member
‎09-04-2015 07:56 AM

ahhh.... good point. Currently, the security group is populated with six users. We don't have a userBaseFilter set, is there anything else that could be masking the users on the Splunk side and preventing the group from being visible?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...