Splunk Enterprise Security
Highlighted

LDAP authentication has stopped unknown reason

Explorer

Hello it seems one of the LDAP strategies has stopped working for unknown reason. I have confirmed password and the settings are correct. I have also checked the Map Groups field and confired that the user role has been added and I am able to see all the user that should be in there under LDAP Users I have also tried reloading authentication configuration with no luck. Any help or suggestions would be greatly appreciated. Below is the message I am getting. Thanks

3/11/20
8:30:46.318 AM  
03-11-2020 08:30:46.318 -0500 ERROR UiAuth - user=myuser action=login status=failure reason=user-initiated useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36" clientip=123.123.123.123
host = abc001source = \Splunk\var\log\splunk\splunkd.logsourcetype = splunkd
3/11/20
8:30:46.318 AM  
03-11-2020 08:30:46.318 -0500 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="myuser" on any configured servers
host = abc001source = *\Splunk\var\log\splunk\splunkd.logsourcetype = splunkd
0 Karma
Highlighted

Re: LDAP authentication has stopped unknown reason

Motivator

Depending on your AD implementation, and the number of users associated, you are likely hitting a search limit.

When validating against LDAP, Splunk will timeout based on several parameters. Number of users (1000 by default), search and network timeout settings, etc. If you have a large number of users, you are most likely hitting a limit before Splunk is able to find/validate the specific user.

https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/ConfigureLDAPwithSplunkWeb

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.