Join the Conversation
- Find Answers
- :
- Splunk Products
- :
- Splunk Enterprise
- :
- One User Cannot Authenticate to Splunk
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Having issues with one user trying to authenticate into Splunk. We're using LDAP auth.
- User has the same primary group as another individual that can log in. That primary group is used to grant access to Splunk.
- User does not have any other group memberships that are mapped in Splunk for authentication, so no conflicts that I can tell.
- User is in the same OU as users that can authenticate.
- Only have 1 LDAP strategy, and only this 1 user is affected.
- Have confirmed that the user used for the LDAP strategy can query and see the affected user via Get-Aduser.
One thing I noticed in splunkd.log is the search filter appears a bit odd.
- 09-10-2020 09:30:35.191 -0700 DEBUG AuthenticationManagerLDAP - Attempting to get roles for user="flastname" with DN="CN=Last\, First,OU=OU2,OU=OU1,OU=Users,DC=company,DC=com" in strategy="Company-LDAP-USERROLE"
- 09-10-2020 09:30:35.194 -0700 ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="flastname". Search filter="(&(member=CN=Last\5C, First,OU=OU2,OU=OU1,OU=Users,DC=company,DC=com)(|(CN=USERROLE*)(CN=OTHERUSERROLE*)))" strategy="Company-LDAP-USERROLE"
In the filter I see what looks to be an added 5C, which is hex code for \ in ASCII. Is it adding an additional piece that shouldn't be there? Might be a red herring though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alright, changed primary group to a different group (Domain Users) and they can log in now. Odd since the primary group for the affected user was the same as an unaffected user.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alright, changed primary group to a different group (Domain Users) and they can log in now. Odd since the primary group for the affected user was the same as an unaffected user.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The backslash is escaping the comma embedded in the CN field so it is not interpreted as a field separator.
Have you tried passing the strings in those log messages to Get-Aduser to see if they work?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the first log the backslash is escaping the comma, but in the second its escaping the literal 5C characters (it looks like).
I have tried using the query via Get-Aduser, but it receives no results. I also get no results when I swap out the CN for a user who is able to log into Splunk. I'm using get-aduser -LDAPFilter and just copying/pasting the query from the log.
Edit: I tried creating a test user that I know would fail. The log was the same, except that it didn't have the \5C, instead just the escaped comma as I would expect.
09-10-2020 10:32:21.035 -0700 ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="splunkauthtest". Search filter="(&(member=CN=splunkauthtest,OU=OU2,OU=OU1,OU=Users,DC=company,DC=com)(|(CN=USERROLE*)(CN=OTHERUSERROLE*)))" strategy="Company-LDAP-USERROLE"
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
