Security

how to bind to AD using MSAs

awurster
Contributor

I'm having a bit of trouble binding to our domain using LDAP. We have used managed service accounts (MSAs) according to the Splunk deployment guide; however, the LDAP authentication doesn't appear to work using that same account. I was trying to bind with the MSA's DN, but that doesn't appear to do it. However, binding with my admin account ("andrew-admin") does work.

So my question is:
Do we have to have a separate account just for binding from the search head and authenticating end-users? Or can we use the MSA? And if so, what parameters does a typical AD server use?

Here's what I see:

01-18-2013 11:13:40.456 +1100 DEBUG AuthenticationManagerLDAP - Listing all cached users
01-18-2013 11:14:01.878 +1100 DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="andrew-admin" from strategy="my.domain"
01-18-2013 11:14:01.878 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Initializing with LDAPURL="ldaps://ldap-server:636"
01-18-2013 11:14:01.878 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Attempting bind as DN="CN=MyMSA,OU=Service Accounts,OU=Security,OU=AU,DC=my,DC=domain"
01-18-2013 11:14:01.893 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Bind successful
01-18-2013 11:14:01.893 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Attempting to search subtree at DN="DC=my,DC=domain" using filter="(&(samaccountname=andrew-admin)(objectclass=person)(cn=*))"
01-18-2013 11:14:01.893 +1100 WARN ScopedLDAPConnection - strategy="my.domain" LDAP Server returned warning in search for DN="DC=my,DC=domain". reason="Operations error"
01-18-2013 11:14:01.893 +1100 ERROR AuthenticationManagerLDAP - Could not find user="andrew-admin" with strategy="my.domain"
01-18-2013 11:14:01.893 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Successfully performed unbind
01-18-2013 11:14:01.893 +1100 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="andrew-admin" on any configured servers
01-18-2013 11:14:10.753 +1100 DEBUG AuthenticationManagerLDAP - Listing all cached users

And here's what I've got configured in authentication.conf:

[my.domain]
SSLEnabled = 1
anonymous_referrals = 0
bindDN = CN=MyMSA,OU=Service Accounts,OU=Security,OU=AU,DC=my,DC=domain
#bindDNpassword =
charset = utf8
groupBaseDN = DC=my,DC=domain
groupBaseFilter = (objectClass=*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap-server
nestedGroups = 0
network_timeout = 20
port = 636
realNameAttribute = cn
sizelimit = 10000
timelimit = 15
userBaseDN = DC=my,DC=domain
userBaseFilter = (objectclass=person)
userNameAttribute = samaccountname

0 Karma
1 Solution

awurster
Contributor

I think that the answer must be that:

  1. Managed Service Accounts (MSAs) are only meant to run the Splunk services (splunkd and splunkweb) and manage the directories.
  2. Binding to the directory for the purpose of authenticating Splunk users and admins is meant to use a more traditional "service account" approach, with a full user account that can bind to the directory with LDAP and of course specify a (static) password. This account would have to be a separate account from the MSA.


0 Karma


treinke
Builder

The two things I can see that are different from mine are your userBaseDN and groupBaseDN, and then the commented-out password. I use the same account in my environment. Here is an example of what I have in my authentication.conf file.

userBaseDN = OU=IT,DC=my,DC=domain;CN=Users,DC=my,DC=domain;OU=Sales,DC=my,DC=domain
groupBaseDN = OU=Security Groups,DC=my,DC=domain

I list the OUs and not just the full domain. A couple of things to try:

  1. List the OU/CNs in groupBaseDN/userBaseDN

  2. Take off filtering (groupBaseFilter / userBaseFilter)

  3. Uncomment the bindDNpassword and enter the service account's password

There are no answers without questions
0 Karma
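A check for the condition behind the log in the question (an added example, not code from this thread or from Splunk): a simple bind that sends a DN with an empty password is an "unauthenticated bind" (RFC 4513 section 5.1.2), which AD reports as successful while leaving the session anonymous, so the very next search is refused with "Operations error". It reads a constructed copy of the question's stanza and log lines; the stanza keys are Splunk's real ones, and the function and sample names are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the stanza from the post, bindDNpassword still commented out.
SAMPLE_CONF = """[my.domain]
bindDN = CN=MyMSA,OU=Service Accounts,OU=Security,OU=AU,DC=my,DC=domain
#bindDNpassword =
userBaseDN = DC=my,DC=domain
"""

# Constructed sample: the three splunkd.log lines from the post that carry the signature.
SAMPLE_LOG = [
    'DEBUG ScopedLDAPConnection - strategy="my.domain" Attempting bind as DN="CN=MyMSA,DC=my,DC=domain"',
    'DEBUG ScopedLDAPConnection - strategy="my.domain" Bind successful',
    'WARN ScopedLDAPConnection - strategy="my.domain" LDAP Server returned warning in search '
    'for DN="DC=my,DC=domain". reason="Operations error"',
]

def parse_stanza(text: str) -> Dict[str, str]:
    """Parse one authentication.conf stanza; '#' lines are comments and contribute nothing."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "[")):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def conf_findings(settings: Dict[str, str]) -> List[str]:
    """Flag a bindDN with no password: RFC 4513 5.1.2 calls this an unauthenticated
    bind; AD answers 'success' to it but treats the session as anonymous."""
    findings = []
    if settings.get("bindDN") and not settings.get("bindDNpassword"):
        findings.append("bindDN set with empty bindDNpassword: unauthenticated bind, session is anonymous")
    return findings

def log_findings(lines: List[str]) -> List[str]:
    """Flag 'Bind successful' immediately followed by a search failing with Operations error."""
    findings = []
    for prev, cur in zip(lines, lines[1:]):
        if "Bind successful" in prev and 'reason="Operations error"' in cur:
            m = re.search(r'strategy="([^"]+)"', cur)
            findings.append(f'strategy={m.group(1) if m else "?"}: search rejected right after a '
                            '"successful" bind, the pattern AD produces for an unauthenticated bind')
    return findings

if __name__ == "__main__":
    for f in conf_findings(parse_stanza(SAMPLE_CONF)) + log_findings(SAMPLE_LOG):
        print("FINDING:", f)
```

Because an MSA's password is generated and rotated by the domain controllers, there is no static value to put in bindDNpassword, which is why the bind account for Splunk's LDAP strategy has to be an ordinary service account.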

awurster
Contributor

Thank you Anthony. I think you may have a point about the password for the bind account. However, it's a "managed service account" - a special type of 2k8 - not a regular user object delegated for service duty.

See the following article please on those:
http://technet.microsoft.com/en-us/library/ff641729(v=ws.10).aspx#BKMK_Passwords

0 Karma