- Find Answers
- :
- Splunk Administration
- :
- Admin Other
- :
- Security
- :
- how to bind to AD using MSAs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
im having a bit of trouble binding to our domain using LDAP. we have used managed service accounts (MSAs) according to the splunk deployment guide, however the LDAP authentication doesn't appear to work using that same account. i was trying to bind with the MSA's DN, but that doesnt appear to do it. however, binding with my admin account ("andrew-admin") does work.
so my question is:
do we have to have a separate account just for binding from the search head and authenticating end-users? or can we use the MSA? and if so, what parameters does a typical AD server use?
here's what i see:
01-18-2013 11:13:40.456 +1100 DEBUG AuthenticationManagerLDAP - Listing all cached users
01-18-2013 11:14:01.878 +1100 DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="andrew-admin" from strategy="my.domain"
01-18-2013 11:14:01.878 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Initializing with LDAPURL="ldaps://ldap-server:636"
01-18-2013 11:14:01.878 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Attempting bind as DN="CN=MyMSA,OU=Service Accounts,OU=Security,OU=AU,DC=my,DC=domain"
01-18-2013 11:14:01.893 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Bind successful
01-18-2013 11:14:01.893 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Attempting to search subtree at DN="DC=my,DC=domain" using filter="(&(samaccountname=andrew-admin)(objectclass=person)(cn=*))"
01-18-2013 11:14:01.893 +1100 WARN ScopedLDAPConnection - strategy="my.domain" LDAP Server returned warning in search for DN="DC=my,DC=domain". reason="Operations error"
01-18-2013 11:14:01.893 +1100 ERROR AuthenticationManagerLDAP - Could not find user="andrew-admin" with strategy="my.domain"
01-18-2013 11:14:01.893 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Successfully performed unbind
01-18-2013 11:14:01.893 +1100 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="andrew-admin" on any configured servers
01-18-2013 11:14:10.753 +1100 DEBUG AuthenticationManagerLDAP - Listing all cached users
and here's what i've got configured in authentication.conf:
[my.domain]
SSLEnabled = 1
anonymous_referrals = 0
bindDN = CN=MyMSA,OU=Service Accounts,OU=Security,OU=AU,DC=my,DC=domain
charset = utf8
groupBaseDN = DC=my,DC=domain
groupBaseFilter = (objectClass=*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap-server
nestedGroups = 0
network_timeout = 20
port = 636
realNameAttribute = cn
sizelimit = 10000
timelimit = 15
userBaseDN = DC=my,DC=domain
userBaseFilter = (objectclass=person)
userNameAttribute = samaccountname
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i think that the answer must be that:
- Managed Service Accounts (MSAs) are only meant to run the splunk services (splunkd and splunkweb) and manage the directories
- binding to the directory for the purpose of authenticating Splunk users and admins is meant to use a more traditional "service account" approach, with a full user account that can bind to the directory with LDAP and of course specify a (static) password. this account would have to be a separate account from the MSA.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i think that the answer must be that:
- Managed Service Accounts (MSAs) are only meant to run the splunk services (splunkd and splunkweb) and manage the directories
- binding to the directory for the purpose of authenticating Splunk users and admins is meant to use a more traditional "service account" approach, with a full user account that can bind to the directory with LDAP and of course specify a (static) password. this account would have to be a separate account from the MSA.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The two thing I can see that is different from mine is your userBaseDN and groupBaseDN and then the commented out password. I use the same account in my environment. Here is an example of what I have in my authentication.conf file.
userBaseDN = OU=IT,DC=my,DC=domain;CN=Users,DC=my,DC=domain;OU=Sales,DC=my,DC=domain
groupBaseDN = OU=Security Groups,DC=my,DC=domain
I list the OUs and not just the full domain. A couple things to try:
List the OU/CNs in groupBaseDN/userBaseDN
Take off filtering (groupBaseFilter / userBaseFilter)
Uncomment the bindDNpassword and enter the service account's password
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you anthony. i think you may have a point about the password for the bind account. however, it's a "managed service account" - a special type of 2k8 not a regular user object delegated for service duty.
see the following article please on those:
http://technet.microsoft.com/en-us/library/ff641729(v=ws.10).aspx#BKMK_Passwords
Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!
Splunk and Fraud
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
