Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

LDAP Authentication Debug

vasam
Engager
‎08-06-2020 06:51 AM

How is LDAP authentication supposed to work? When the user logs in, what LDAP query does the Splunk server use to retrieve the user information and validate the user and password? As near as I can tell, what should be happening is that the Splunk server queries the LDAP server with <account-name>=<value entered from login> where <account-name> is the value specified in the userNameAttribute variable in ldap stanza of authentication.conf. The user query should also be combined (ANDed) with the value of the userBaseFilter variable. The return value from the query should then be the userPassword attribute, which is compared with the value entered into the password field on the login form. Do I have this right?

Is there a way to debug the Splunk server to LDAP server interaction, i.e., to examine the LDAP query and look at the response? Or is my best option just to run the server in debug and search splunkd.log?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-06-2020 10:58 AM
Users must always enter passwords when signing in to Splunk. SAML authentication makes some exceptions, but I'm not familiar with them and they don't apply here.
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-06-2020 09:52 AM
The exact exchange is not documented (at least not in Splunk docs). I would consider it a MAJOR security hole, however, if any query would return a user's password. Splunk should send the user's name and password and get back a good/bad indication and a list of groups to which the user belongs.
See https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/TestyourLDAPconfiguration for ways to test your LDAP config.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

vasam
Engager
‎08-06-2020 10:35 AM

Thanks @richgalloway ,

Another way of doing it is to get a hashed password back, then the application can compare that result to a hash of the password provided by the user. What I was trying to determine is whether a user needs to enter their password at all on a system when configured for LDAP authentication. I.e., whether it can do mutual authentication on the user's certificate. The Forwarder-to-indexer communication can be configured for mutual authentication by specifying the "sslCommonNameToCheck" with the cn of the connecting certificate, for example. I thought the web interface might have something similar for users.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-06-2020 10:58 AM
Users must always enter passwords when signing in to Splunk. SAML authentication makes some exceptions, but I'm not familiar with them and they don't apply here.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...