Splunk Enterprise Security

LDAP Authentication Debug

vasam
Engager

How is LDAP authentication supposed to work? When the user logs in, what LDAP query does the Splunk server use to retrieve the user information and validate the user and password? As near as I can tell, what should be happening is that the Splunk server queries the LDAP server with <account-name>=<value entered from login>, where <account-name> is the value specified in the userNameAttribute variable in the LDAP stanza of authentication.conf. The user query should also be combined (ANDed) with the value of the userBaseFilter variable. The return value from the query should then be the userPassword attribute, which is compared with the value entered into the password field on the login form. Do I have this right?

Is there a way to debug the Splunk server to LDAP server interaction, i.e., to examine the LDAP query and look at the response? Or is my best option just to run the server in debug and search splunkd.log?

richgalloway
SplunkTrust
The exact exchange is not documented (at least not in Splunk docs). I would consider it a MAJOR security hole, however, if any query would return a user's password. Splunk should send the user's name and password and get back a good/bad indication and a list of groups to which the user belongs.
See https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/TestyourLDAPconfiguration for ways to test your LDAP config.
---
If this reply helps you, Karma would be appreciated.
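The search-then-bind sequence that LDAP-backed logins generally use, written out as an added illustration (this is not Splunk's code, and the exact exchange Splunk performs is, as noted above, not documented). The setting names (userBaseDN, userBaseFilter, userNameAttribute, groupBaseDN, groupBaseFilter, groupMemberAttribute, groupNameAttribute) are real authentication.conf keys; the directory contents and passwords are constructed sample data, and the in-memory "server" stands in for a real LDAP service so the flow runs offline. The point it makes concrete is that the password is never returned by a search: the client binds as the user's DN, the server answers good or bad, and only then are the user's groups looked up. It also shows the RFC 4515 escaping that the login value needs before it is placed inside the filter.

```python
import hashlib
import hmac
import re

# Constructed sample directory (not real data). Entry attributes are what a
# search may return; password material lives in a separate table the "server"
# consults only during bind, so no search can ever disclose it.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson"], "uid": ["bob"]},
    "cn=splunk-admins,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfNames"], "cn": ["splunk-admins"],
        "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    "cn=splunk-users,ou=groups,dc=example,dc=com": {
        "objectclass": ["groupOfNames"], "cn": ["splunk-users"],
        "member": ["uid=alice,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"]},
}

def _pw_hash(password: str) -> str:
    # Stand-in for the server's own credential store; a real DSA uses its own scheme.
    return hashlib.sha256(password.encode()).hexdigest()

_PASSWORDS = {  # constructed sample credentials
    "uid=alice,ou=people,dc=example,dc=com": _pw_hash("correct horse"),
    "uid=bob,ou=people,dc=example,dc=com": _pw_hash("hunter2"),
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a login name such as '*' or 'x)(uid=y' must not rewrite the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _components(body: str):
    """Split '(a=1)(b=2)' into its top-level parenthesised parts."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts

def filter_matches(flt: str, entry: dict) -> bool:
    """Evaluate the subset of RFC 4515 needed here: &, |, !, equality and presence."""
    body = flt[1:-1]
    if body[0] == "&":
        return all(filter_matches(c, entry) for c in _components(body[1:]))
    if body[0] == "|":
        return any(filter_matches(c, entry) for c in _components(body[1:]))
    if body[0] == "!":
        return not filter_matches(body[1:], entry)
    attr, _, raw = body.partition("=")
    values = entry.get(attr.lower(), [])
    return bool(values) if raw == "*" else _unescape(raw) in values

# The two server operations a login needs: search (returns entries, never
# passwords) and bind (returns only success or failure).
def ldap_search(base_dn: str, flt: str):
    return [dn for dn, attrs in DIRECTORY.items() if dn.endswith(base_dn) and filter_matches(flt, attrs)]

def ldap_bind(dn: str, password: str) -> bool:
    stored = _PASSWORDS.get(dn)
    return stored is not None and hmac.compare_digest(stored, _pw_hash(password))

CONF = {  # keys as they appear in an LDAP strategy stanza of authentication.conf
    "userBaseDN": "ou=people,dc=example,dc=com",
    "userBaseFilter": "(objectClass=inetOrgPerson)",
    "userNameAttribute": "uid",
    "groupBaseDN": "ou=groups,dc=example,dc=com",
    "groupBaseFilter": "(objectClass=groupOfNames)",
    "groupMemberAttribute": "member",
    "groupNameAttribute": "cn",
}

def build_user_filter(conf: dict, login_name: str) -> str:
    """userNameAttribute=<escaped login>, ANDed with userBaseFilter when one is set."""
    term = f"({conf['userNameAttribute']}={escape_filter_value(login_name)})"
    return f"(&{conf['userBaseFilter']}{term})" if conf.get("userBaseFilter") else term

def authenticate(conf: dict, login_name: str, password: str):
    """Return (ok, groups): locate exactly one user entry, bind as that DN with the
    supplied password, then collect the groups whose member attribute names the DN."""
    hits = ldap_search(conf["userBaseDN"], build_user_filter(conf, login_name))
    if len(hits) != 1:
        return False, []
    user_dn = hits[0]
    if not ldap_bind(user_dn, password):
        return False, []
    group_filter = f"(&{conf['groupBaseFilter']}({conf['groupMemberAttribute']}={escape_filter_value(user_dn)}))"
    groups = [DIRECTORY[g][conf["groupNameAttribute"]][0] for g in ldap_search(conf["groupBaseDN"], group_filter)]
    return True, sorted(groups)

if __name__ == "__main__":
    print(build_user_filter(CONF, "alice"))
    print(authenticate(CONF, "alice", "correct horse"))
    print(authenticate(CONF, "alice", "wrong password"))
    print(authenticate(CONF, "*", "anything"))  # escaped, so the wildcard matches nobody
```

A login value of `*` is escaped to `\2a`, so the filter matches no entry rather than every entry; without that escaping the search would return two users and the `len(hits) != 1` check is the only thing standing between the caller and an ambiguous bind. When diagnosing a real deployment, the equivalent checkpoints are the search filter the server logs, the number of entries it returns, and the bind result code.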

vasam
Engager

Thanks @richgalloway ,

Another way of doing it is to get a hashed password back, then the application can compare that result to a hash of the password provided by the user. What I was trying to determine is whether a user needs to enter their password at all on a system when configured for LDAP authentication. I.e., whether it can do mutual authentication on the user's certificate. The Forwarder-to-indexer communication can be configured for mutual authentication by specifying the "sslCommonNameToCheck" with the cn of the connecting certificate, for example. I thought the web interface might have something similar for users.


richgalloway
SplunkTrust
Users must always enter passwords when signing in to Splunk. SAML authentication makes some exceptions, but I'm not familiar with them and they don't apply here.
---
If this reply helps you, Karma would be appreciated.