Hello,
I am currently configuring Splunk with LDAP / AD.
The Splunk server is installed on CentOS 7. Splunk version is 7.1.
Splunk Web must be used by users in GROUP1 only.
GROUP1 is mapped to the admin role.
minos exists only in AD, not in Splunk Web ...
When user minos is not a member of GROUP1, it is not listed and does not appear in the log.
As soon as minos has been added to GROUP1, it is in the log file:
"Found matching group="GROUP1" with mapped roles". It seems to be working as expected.
But:
1) I have the following error message: "Could not get roles for user that does not exist: minos".
What am I doing wrong? What is missing and where?
Any suggestions? Of course I looked around in the forum ... but found nothing obvious.
2) There is also a user
before, I removed any reference in the local.meta file
user="nobody" was not cached
....
Could not find user="nobody" with strategy="advm"
Thanks
Extract of the Splunk log file:
[...]
4-09-2020 15:03:45.002 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Initializing with LDAPURL="ldap://:389"
04-09-2020 15:03:45.002 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Attempting bind as DN="cn=administrador,cn=users,dc=XXX,dc=com"
04-09-2020 15:03:45.004 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Bind successful
04-09-2020 15:03:45.004 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Attempting to search subtree at DN="cn=users,dc=XXXX,dc=com" using filter="(&(samaccountname=minos)(memberof=CN=GROUP1,CN=Builtin,DC=XXXX,DC=com)(displayname=*))"
04-09-2020 15:03:45.007 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Search duration="3.220 milliseconds"
04-09-2020 15:03:45.007 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Loading entry attributes for DN="CN=minos,CN=Users,DC=XXX,DC=com"
04-09-2020 15:03:45.007 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Adding attribute="displayName" with value="minos"
04-09-2020 15:03:45.007 +0000 DEBUG AuthenticationManagerLDAP - Attempting to get roles for user="minos" with DN="CN=minos,CN=Users,DC=XXXX,DC=com" in strategy="advm"
04-09-2020 15:03:45.007 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Attempting to search subtree at DN="cn=builtin,dc=XXXX,dc=com" using filter="(&(member=CN=minos,CN=Users,DC=XXXX,DC=com)(cn=*))"
04-09-2020 15:03:45.009 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Search duration="1382 microseconds"
04-09-2020 15:03:45.009 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Loading entry attributes for DN="CN=GROUP1,CN=Builtin,DC=XXX,DC=com"
04-09-2020 15:03:45.009 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Adding attribute="cn" with value="GROUP1"
04-09-2020 15:03:45.009 +0000 DEBUG AuthenticationManagerLDAP - Mapping groups for user="minos" for group DN="CN=GROUP1,CN=Builtin,DC=XXX,DC=com"
04-09-2020 15:03:45.009 +0000 DEBUG AuthenticationManagerLDAP - "Found matching group="GROUP1" with mapped roles"
04-09-2020 15:03:45.009 +0000 DEBUG AuthenticationManagerLDAP - Successfully filled info for user="minos" with realname="minos" and email="" in strategy="advm"
04-09-2020 15:03:45.009 +0000 DEBUG ScopedLDAPConnection - strategy="advm" Successfully performed unbind
04-09-2020 15:03:45.009 +0000 DEBUG AuthenticationManagerLDAP - Caching user="minos" with DN="CN=minos,CN=Users,DC=XXXX,DC=com"
04-09-2020 15:03:45.009 +0000 ERROR AuthenticationManagerSplunk - Could not get roles for user that does not exist: minos
04-09-2020 15:03:45.011 +0000 INFO UserManagerPro - Login failed for user="minos", elapsed time=0.001 seconds
[...]
Here is my authentication.conf file:
[advm]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = cn=administrador,cn=users,dc=XXX,dc=com
bindDNpassword =
charset = utf8
emailAttribute = mail
groupBaseDN = cn=builtin,dc=XXX,dc=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host =
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = displayname
sizelimit = 1000
timelimit = 15
userBaseDN = cn=users,dc=XXXX,dc=com
userBaseFilter = (memberof=CN=GROUP1,CN=Builtin,DC=XXX,DC=com)
userNameAttribute = samaccountname
[authentication]
authSettings = advm
authType = LDAP
[roleMap_advm]
admin = GROUP1
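
One way to triage a log like the excerpt above, as an added example that is not part of the original post or of Splunk's own tooling: it groups the authentication lines per user and reports logins where the LDAP strategy resolved the user and a mapped group, yet the failing ERROR was logged by a different component. The sample lines are constructed from the post's log format with a placeholder domain, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the excerpt in the post (DC=example,DC=com is a placeholder).
SAMPLE_LOG = '''\
04-09-2020 15:03:45.007 +0000 DEBUG AuthenticationManagerLDAP - Attempting to get roles for user="minos" with DN="CN=minos,CN=Users,DC=example,DC=com" in strategy="advm"
04-09-2020 15:03:45.009 +0000 DEBUG AuthenticationManagerLDAP - "Found matching group="GROUP1" with mapped roles"
04-09-2020 15:03:45.009 +0000 DEBUG AuthenticationManagerLDAP - Successfully filled info for user="minos" with realname="minos" and email="" in strategy="advm"
04-09-2020 15:03:45.009 +0000 DEBUG AuthenticationManagerLDAP - Caching user="minos" with DN="CN=minos,CN=Users,DC=example,DC=com"
04-09-2020 15:03:45.009 +0000 ERROR AuthenticationManagerSplunk - Could not get roles for user that does not exist: minos
04-09-2020 15:03:45.011 +0000 INFO UserManagerPro - Login failed for user="minos", elapsed time=0.001 seconds
'''

LINE = re.compile(r"^\S+ \S+ \S+ (?P<level>\w+)\s+(?P<comp>\w+) - (?P<msg>.*)$")
USER = re.compile(r'user="([^"]+)"|does not exist: (\S+)')
GROUP = re.compile(r'Found matching group="([^"]+)"')

def trace_logins(text):
    """Collect per-user authentication events from splunkd.log style lines."""
    users = defaultdict(lambda: {"ldap_ok": False, "groups": [], "errors": [], "login_failed": False})
    current = None  # last user named by the LDAP manager; group lines carry no user field
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        level, comp, msg = m["level"], m["comp"], m["msg"]
        u = USER.search(msg)
        name = (u.group(1) or u.group(2)) if u else None
        if comp == "AuthenticationManagerLDAP":
            current = name or current
            g = GROUP.search(msg)
            if g and current:
                users[current]["groups"].append(g.group(1))
            if msg.startswith("Successfully filled info") and name:
                users[name]["ldap_ok"] = True
        if level == "ERROR" and name:
            users[name]["errors"].append(comp)  # record which component raised it
        if msg.startswith("Login failed") and name:
            users[name]["login_failed"] = True
    return dict(users)

def handoff_failures(text):
    """Users resolved by LDAP whose login still failed on another component's ERROR."""
    out = {}
    for user, t in trace_logins(text).items():
        other = [c for c in t["errors"] if c != "AuthenticationManagerLDAP"]
        if t["ldap_ok"] and t["login_failed"] and other:
            out[user] = {"groups": t["groups"], "failing_components": other}
    return out
```

Calling `handoff_failures()` on the text of a real log extract lists each affected user with the component that logged the error, which tells you whether to keep looking at the LDAP strategy or at what runs after it.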
Thanks DalJeanis.
For the first issue: the users from AD are listed in splunkweb and are mapped to the admin role as expected.
But I still cannot log in with one of those users.
So I do not get why the user is not found! Are those users supposed to be defined somewhere else?
Any idea?
Thanks for your answer, DalJeanis.
For my first issue: I can see in splunkweb all the users defined in LDAP linked to GROUP1 and mapped to the roles I defined in the authentication.conf file.
I tried a lot of things but still get this error when trying to log in with one of the users listed in splunkweb.
Am I looking in the wrong direction ...?
FYI - user "nobody" is what happens when a knowledge object (a search or dash) belonged to a user who has been deleted from the system.