Splunk Enterprise Security

LDAP Authentication Debug

vasam
Engager

How is LDAP authentication supposed to work? When the user logs in, what LDAP query does the Splunk server use to retrieve the user information and validate the user and password? As near as I can tell, what should be happening is that the Splunk server queries the LDAP server with <account-name>=<value entered from login> where <account-name> is the value specified in the userNameAttribute variable in ldap stanza of authentication.conf. The user query should also be combined (ANDed) with the value of the userBaseFilter variable. The return value from the query should then be the userPassword attribute, which is compared with the value entered into the password field on the login form. Do I have this right?

Is there a way to debug the Splunk server to LDAP server interaction, i.e., to examine the LDAP query and look at the response? Or is my best option just to run the server in debug and search splunkd.log?

Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust
Users must always enter passwords when signing in to Splunk. SAML authentication makes some exceptions, but I'm not familiar with them and they don't apply here.
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust
The exact exchange is not documented (at least not in Splunk docs). I would consider it a MAJOR security hole, however, if any query would return a user's password. Splunk should send the user's name and password and get back a good/bad indication and a list of groups to which the user belongs.
See https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/TestyourLDAPconfiguration for ways to test your LDAP config.
---
If this reply helps you, Karma would be appreciated.
0 Karma

vasam
Engager

Thanks @richgalloway ,

Another way of doing it is to get a hashed password back, then the application can compare that result to a hash of the password provided by the user. What I was trying to determine is whether a user needs to enter their password at all on a system when configured for LDAP authentication. I.e., whether it can do mutual authentication on the user's certificate. The Forwarder-to-indexer communication can be configured for mutual authentication by specifying the "sslCommonNameToCheck" with the cn of the connecting certificate, for example. I thought the web interface might have something similar for users.

0 Karma

richgalloway
SplunkTrust
SplunkTrust
Users must always enter passwords when signing in to Splunk. SAML authentication makes some exceptions, but I'm not familiar with them and they don't apply here.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

New Release | Splunk Enterprise 9.3

Admins and Analyst can benefit from:  Seamlessly route data to your local file system to save on storage ...

2024 Splunk Career Impact Survey | Earn a $20 gift card for participating!

Hear ye, hear ye! The time has come again for Splunk's annual Career Impact Survey!  We need your help by ...

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...