Splunk Enterprise Security

The case of the reappearing roles - LDAP Mapping

erikhansen29
New Member

Hi All. Hopefully somebody has an answer to this.

We are on v8.1.6 and in doing some security cleanup, I was removing some LDAP mappings that were no longer needed or didn't need to be mapped in the first place. Here comes the fun part.

There are two groups that I cannot get to stay unmapped from a couple of specific roles. The roles are splunk-system-role and another is called windows-admin that was created after setup. If I unmap one of these roles from group1, all is fine. As soon as I remove the same role from group2 and click on save, that role now shows up again for both groups. 

If I delete the windows-admin role, it may seem fine, but users still show that role assigned and I can't remove it. On top of that, if I resync the LDAP, it all shows up again even though that windows-admin role doesn't exist.  It's almost as if it's being automapped but I can't find anything. I've gone so far as manually editing the authorization.conf file and removing those mappings in there, verifying it syncs across the search heads, but no dice. 

In addition, there are users that have multiple roles, but are in only one of the AD groups mapped to a role, and I cannot remove the other roles, such as splunk-system-role. Or I have some with power and a custom role and I want to keep the custom role but remove power. Won't let me and they are only in the AD group mapped to the custom role. 

Very strange behavior. Short from filtering out all the groups other than those I want to show up in LDAP, are there any other ideas?

Labels (1)
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!