Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

LDAP Authentication Debug

vasam
Engager
‎08-06-2020 06:51 AM

How is LDAP authentication supposed to work? When the user logs in, what LDAP query does the Splunk server use to retrieve the user information and validate the user and password? As near as I can tell, what should be happening is that the Splunk server queries the LDAP server with <account-name>=<value entered from login> where <account-name> is the value specified in the userNameAttribute variable in ldap stanza of authentication.conf. The user query should also be combined (ANDed) with the value of the userBaseFilter variable. The return value from the query should then be the userPassword attribute, which is compared with the value entered into the password field on the login form. Do I have this right?

Is there a way to debug the Splunk server to LDAP server interaction, i.e., to examine the LDAP query and look at the response? Or is my best option just to run the server in debug and search splunkd.log?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-06-2020 10:58 AM
Users must always enter passwords when signing in to Splunk. SAML authentication makes some exceptions, but I'm not familiar with them and they don't apply here.
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-06-2020 09:52 AM
The exact exchange is not documented (at least not in Splunk docs). I would consider it a MAJOR security hole, however, if any query would return a user's password. Splunk should send the user's name and password and get back a good/bad indication and a list of groups to which the user belongs.
See https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/TestyourLDAPconfiguration for ways to test your LDAP config.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

vasam
Engager
‎08-06-2020 10:35 AM

Thanks @richgalloway ,

Another way of doing it is to get a hashed password back, then the application can compare that result to a hash of the password provided by the user. What I was trying to determine is whether a user needs to enter their password at all on a system when configured for LDAP authentication. I.e., whether it can do mutual authentication on the user's certificate. The Forwarder-to-indexer communication can be configured for mutual authentication by specifying the "sslCommonNameToCheck" with the cn of the connecting certificate, for example. I thought the web interface might have something similar for users.

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-06-2020 10:58 AM
Users must always enter passwords when signing in to Splunk. SAML authentication makes some exceptions, but I'm not familiar with them and they don't apply here.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...