Splunk Enterprise Security

LDAP Authentication Debug

vasam
Engager

How is LDAP authentication supposed to work? When the user logs in, what LDAP query does the Splunk server use to retrieve the user information and validate the user and password? As near as I can tell, what should be happening is that the Splunk server queries the LDAP server with <account-name>=<value entered from login> where <account-name> is the value specified in the userNameAttribute variable in ldap stanza of authentication.conf. The user query should also be combined (ANDed) with the value of the userBaseFilter variable. The return value from the query should then be the userPassword attribute, which is compared with the value entered into the password field on the login form. Do I have this right?

Is there a way to debug the Splunk server to LDAP server interaction, i.e., to examine the LDAP query and look at the response? Or is my best option just to run the server in debug and search splunkd.log?

Tags (1)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust
Users must always enter passwords when signing in to Splunk. SAML authentication makes some exceptions, but I'm not familiar with them and they don't apply here.
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust
The exact exchange is not documented (at least not in Splunk docs). I would consider it a MAJOR security hole, however, if any query would return a user's password. Splunk should send the user's name and password and get back a good/bad indication and a list of groups to which the user belongs.
See https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/TestyourLDAPconfiguration for ways to test your LDAP config.
---
If this reply helps you, Karma would be appreciated.
0 Karma

vasam
Engager

Thanks @richgalloway ,

Another way of doing it is to get a hashed password back, then the application can compare that result to a hash of the password provided by the user. What I was trying to determine is whether a user needs to enter their password at all on a system when configured for LDAP authentication. I.e., whether it can do mutual authentication on the user's certificate. The Forwarder-to-indexer communication can be configured for mutual authentication by specifying the "sslCommonNameToCheck" with the cn of the connecting certificate, for example. I thought the web interface might have something similar for users.

0 Karma

richgalloway
SplunkTrust
SplunkTrust
Users must always enter passwords when signing in to Splunk. SAML authentication makes some exceptions, but I'm not familiar with them and they don't apply here.
---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)

Greetings, Splunk Cloud Admins and Splunk enthusiasts! The Admin Configuration Service (ACS) team is excited ...

Tech Talk | One Log to Rule Them All

One log to rule them all: how you can centralize your troubleshooting with Splunk logs We know how important ...

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through: An introduction to the Splunk Threat ...