Splunk Enterprise Security
Highlighted

LDAP authentication has stopped unknown reason

Explorer

Hello it seems one of the LDAP strategies has stopped working for unknown reason. I have confirmed password and the settings are correct. I have also checked the Map Groups field and confired that the user role has been added and I am able to see all the user that should be in there under LDAP Users I have also tried reloading authentication configuration with no luck. Any help or suggestions would be greatly appreciated. Below is the message I am getting. Thanks

3/11/20
8:30:46.318 AM  
03-11-2020 08:30:46.318 -0500 ERROR UiAuth - user=myuser action=login status=failure reason=user-initiated useragent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36" clientip=123.123.123.123
host = abc001source = \Splunk\var\log\splunk\splunkd.logsourcetype = splunkd
3/11/20
8:30:46.318 AM  
03-11-2020 08:30:46.318 -0500 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="myuser" on any configured servers
host = abc001source = *\Splunk\var\log\splunk\splunkd.logsourcetype = splunkd
0 Karma
Highlighted

Re: LDAP authentication has stopped unknown reason

Motivator

Depending on your AD implementation, and the number of users associated, you are likely hitting a search limit.

When validating against LDAP, Splunk will timeout based on several parameters. Number of users (1000 by default), search and network timeout settings, etc. If you have a large number of users, you are most likely hitting a limit before Splunk is able to find/validate the specific user.

https://docs.splunk.com/Documentation/Splunk/8.0.2/Security/ConfigureLDAPwithSplunkWeb

0 Karma