Security

nestedGroups is not working as expected for Active Directory LDAP

Communicator

I have a security group called Splunk Users that is mapped to the user role in Splunk.

When I add a user directly to this group they can auth fine.

When they are in a group called Developers which is in Splunk Users they are not able to auth.

Nested groups is selected.

Here is my authentication.conf

[authentication]
authSettings = Acme
authType = LDAP

[roleMap_Acme]
admin = Splunk Admins
api-user = Splunk API Users
can_delete = Splunk Admins
power = Splunk Admins;Splunk Power Users
splunk-system-role = Splunk Admins;Splunk System Users
user = Splunk Admins;Splunk Users

[Acme]
SSLEnabled = 1
anonymous_referrals = 1
bindDN = CN=svc.splunk.ldapsearch,OU=Service and Administrative Accounts,DC=Acme,DC=net
bindDNpassword = 12345
charset = utf8
groupBaseDN = OU=Splunk,OU=Security Groups,DC=Acme,DC=net
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = domaincontroller
nestedGroups = 1
network_timeout = 20
port = 636
realNameAttribute = cn
sizelimit = 10000
timelimit = 15
userBaseDN = OU=Employees,DC=Acme,DC=net;OU=Service and Administrative Accounts,DC=Acme,DC=net
userNameAttribute = samaccountname

Path Finder

I know this is late, but maybe it will help someone out. We fought with this one for a little while.

You would need to add the groupDN of the Developers group to the groupBaseDN line using a semi-colon.
Here is an example of how mine is configured and it works fine:
[Acme]
SSLEnabled = 1
anonymousreferrals = 1
bindDN = Acme/splunkadmin
bindDNpassword = 1234
charset = utf8
groupBaseDN = OU=Information Technology,OU=GL Groups,OU=Security Groups,DC=Acme,DC=com;OU=PRD-Splunk,OU=DL Groups,OU=Security Groups,DC=Acme,DC=com
groupBaseFilter = (objectclass=group)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = domain-controller
nestedGroups = 1
network
timeout = 20
port = 636
realNameAttribute = displayname
sizelimit = 5000
timelimit = 15
userBaseDN = OU=Information Technology,OU=All Users,DC=Acme,DC=com
userBaseFilter = (objectclass=user)
userNameAttribute = samaccountname

Path Finder

You are very welcome p1948040. I'm glad it helped someone out.

0 Karma

Communicator

Anyone? Bueller?

0 Karma

New Member

Thank you very much joebisesi for your follow up post - your fix has just resolved the same issue I have been trying to resolve!

Thanks again for taking the time to add this tip as a follow up.

0 Karma