Security

How to bind to AD using MSAs

Contributor

I'm having a bit of trouble binding to our domain using LDAP. We have used managed service accounts (MSAs) according to the Splunk deployment guide; however, the LDAP authentication doesn't appear to work using that same account. I was trying to bind with the MSA's DN, but that doesn't appear to do it. However, binding with my admin account ("andrew-admin") does work.

So my question is:
Do we have to have a separate account just for binding from the search head and authenticating end users? Or can we use the MSA? And if so, what parameters does a typical AD server use?

Here's what I see:

01-18-2013 11:13:40.456 +1100 DEBUG AuthenticationManagerLDAP - Listing all cached users
01-18-2013 11:14:01.878 +1100 DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="andrew-admin" from strategy="my.domain"
01-18-2013 11:14:01.878 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Initializing with LDAPURL="ldaps://ldap-server:636"
01-18-2013 11:14:01.878 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Attempting bind as DN="CN=MyMSA,OU=Service Accounts,OU=Security,OU=AU,DC=my,DC=domain"
01-18-2013 11:14:01.893 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Bind successful
01-18-2013 11:14:01.893 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Attempting to search subtree at DN="DC=my,DC=domain" using filter="(&(samaccountname=andrew-admin)(objectclass=person)(cn=*))"
01-18-2013 11:14:01.893 +1100 WARN ScopedLDAPConnection - strategy="my.domain" LDAP Server returned warning in search for DN="DC=my,DC=domain". reason="Operations error"
01-18-2013 11:14:01.893 +1100 ERROR AuthenticationManagerLDAP - Could not find user="andrew-admin" with strategy="my.domain"
01-18-2013 11:14:01.893 +1100 DEBUG ScopedLDAPConnection - strategy="my.domain" Successfully performed unbind
01-18-2013 11:14:01.893 +1100 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="andrew-admin" on any configured servers
01-18-2013 11:14:10.753 +1100 DEBUG AuthenticationManagerLDAP - Listing all cached users

And here's what I've got configured in authentication.conf:

[my.domain]
SSLEnabled = 1
anonymous_referrals = 0
bindDN = CN=MyMSA,OU=Service Accounts,OU=Security,OU=AU,DC=my,DC=domain
#bindDNpassword =
charset = utf8
groupBaseDN = DC=my,DC=domain
groupBaseFilter = (objectClass=*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap-server
nestedGroups = 0
network_timeout = 20
port = 636
realNameAttribute = cn
sizelimit = 10000
timelimit = 15
userBaseDN = DC=my,DC=domain
userBaseFilter = (objectclass=person)
userNameAttribute = samaccountname


Contributor

I think that the answer must be that:

  1. Managed Service Accounts (MSAs) are only meant to run the Splunk services (splunkd and splunkweb) and manage the directories.
  2. Binding to the directory for the purpose of authenticating Splunk users and admins is meant to use a more traditional "service account" approach, with a full user account that can bind to the directory with LDAP and, of course, specify a (static) password. This account would have to be a separate account from the MSA.



SplunkTrust

The two things I can see that are different from mine are your userBaseDN and groupBaseDN, and then the commented-out password. I use the same account in my environment. Here is an example of what I have in my authentication.conf file.

userBaseDN = OU=IT,DC=my,DC=domain;CN=Users,DC=my,DC=domain;OU=Sales,DC=my,DC=domain
groupBaseDN = OU=Security Groups,DC=my,DC=domain

I list the OUs and not just the full domain. A couple things to try:

  1. List the OU/CNs in groupBaseDN/userBaseDN

  2. Take off filtering (groupBaseFilter / userBaseFilter)

  3. Uncomment the bindDNpassword and enter the service account's password

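As an added example (not code from this thread or from Splunk), the Python script below parses a stanza like the one in the question, composes the per-user filter the way the logged filter suggests it is assembled, with the login name escaped per RFC 4515, and prints one ldapsearch command per base DN in a semicolon-separated userBaseDN, so the bind and search can be reproduced outside Splunk. The filter-composition rule and the multi-OU stanza are assumptions built from the log and the answer above, not documented Splunk behaviour.

```python
"""Rebuild Splunk's per-user LDAP search from an authentication.conf stanza.
Added example, not Splunk code. Assumed from the logged filter: it is built as
(&(<userNameAttribute>=<user>)<userBaseFilter>(<realNameAttribute>=*)), and
semicolon-separated userBaseDN entries are searched one at a time."""
import configparser
import shlex

# Constructed stanza: the question's settings plus the answer's multi-OU userBaseDN.
AUTH_CONF = """
[my.domain]
SSLEnabled = 1
bindDN = CN=MyMSA,OU=Service Accounts,OU=Security,OU=AU,DC=my,DC=domain
host = ldap-server
port = 636
realNameAttribute = cn
userBaseDN = OU=IT,DC=my,DC=domain;CN=Users,DC=my,DC=domain;OU=Sales,DC=my,DC=domain
userBaseFilter = (objectclass=person)
userNameAttribute = samaccountname
"""

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping, so a typed login name cannot change the filter's structure."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def load_stanza(text: str, name: str) -> dict:
    """Parse one [stanza]; configparser lower-cases the option names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp[name])

def user_search_filter(stanza: dict, username: str) -> str:
    """Compose the filter seen in the Splunk log, with the user name escaped."""
    return "(&({}={}){}({}=*))".format(
        stanza["usernameattribute"], escape_filter_value(username),
        stanza["userbasefilter"], stanza["realnameattribute"])

def ldapsearch_commands(stanza: dict, username: str) -> list:
    """One ldapsearch per base DN, to reproduce the bind and search outside Splunk."""
    scheme = "ldaps" if stanza.get("sslenabled") == "1" else "ldap"
    url = "{}://{}:{}".format(scheme, stanza["host"], stanza["port"])
    bases = [b.strip() for b in stanza["userbasedn"].split(";") if b.strip()]
    filt = user_search_filter(stanza, username)
    return ["ldapsearch -H {} -D {} -W -b {} {} sAMAccountName cn memberOf".format(
                url, shlex.quote(stanza["binddn"]), shlex.quote(base), shlex.quote(filt))
            for base in bases]

if __name__ == "__main__":
    for cmd in ldapsearch_commands(load_stanza(AUTH_CONF, "my.domain"), "andrew-admin"):
        print(cmd)
```

Running the printed commands with the bind account's password (`-W` prompts for it) shows directly which base DN returns the user and which one returns an error, independent of Splunk's caching.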

Contributor

Thank you Anthony. I think you may have a point about the password for the bind account. However, it's a "managed service account", a special type of 2k8 account, not a regular user object delegated for service duty.

Please see the following article on those:
http://technet.microsoft.com/en-us/library/ff641729(v=ws.10).aspx#BKMK_Passwords
