- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Can I map multiple groups to be bound to one role?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All,
Can I map multiple AD groups to one role in authentication.conf? Example?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@daniel333 - Yes you can. Separate the groups with a semicolon while defining LDAP strategy. And then define a rolemap as shown in the below example. The same can be achieved through GUI as well.
groupBaseDN = [<\string>;<\string>;...]
* The LDAP Distinguished Names of LDAP entries whose subtrees contain
the groups.
* Required.
* Enter a semicolon (;) delimited list to search multiple trees.
* If your LDAP environment does not have group entries, there is a
configuration that can treat each user as its own group:
* Set groupBaseDN to the same as userBaseDN, which means you search
for groups in the same place as users.
* Next, set the groupMemberAttribute and groupMappingAttribute to the same
setting as userNameAttribute.
* This means the entry, when treated as a group, uses the username
value as its only member.
* For clarity, also set groupNameAttribute to the same
value as userNameAttribute.
* No default.
Working example below: authentication.conf
[LDAP_Test]
groupBaseDN = CN=AD-Group-1,OU=Groups,DC=WIN,DC=LOCAL;CN=AD-Group-2,OU=Groups,DC=WIN,DC=LOCAL
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = <\your_AD_server_hostname>
nestedGroups = 0
network_timeout = 20
port = 389/636 <\remove this comment - 636 is for ssl>
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Accounts,DC=WIN,DC=LOCAL
userNameAttribute = samaccountname
[roleMap_LDAP_Test]
splunk_custom_role = AD-Group-1;AD-Group-2
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@daniel333 - Yes you can. Separate the groups with a semicolon while defining LDAP strategy. And then define a rolemap as shown in the below example. The same can be achieved through GUI as well.
groupBaseDN = [<\string>;<\string>;...]
* The LDAP Distinguished Names of LDAP entries whose subtrees contain
the groups.
* Required.
* Enter a semicolon (;) delimited list to search multiple trees.
* If your LDAP environment does not have group entries, there is a
configuration that can treat each user as its own group:
* Set groupBaseDN to the same as userBaseDN, which means you search
for groups in the same place as users.
* Next, set the groupMemberAttribute and groupMappingAttribute to the same
setting as userNameAttribute.
* This means the entry, when treated as a group, uses the username
value as its only member.
* For clarity, also set groupNameAttribute to the same
value as userNameAttribute.
* No default.
Working example below: authentication.conf
[LDAP_Test]
groupBaseDN = CN=AD-Group-1,OU=Groups,DC=WIN,DC=LOCAL;CN=AD-Group-2,OU=Groups,DC=WIN,DC=LOCAL
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = <\your_AD_server_hostname>
nestedGroups = 0
network_timeout = 20
port = 389/636 <\remove this comment - 636 is for ssl>
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Accounts,DC=WIN,DC=LOCAL
userNameAttribute = samaccountname
[roleMap_LDAP_Test]
splunk_custom_role = AD-Group-1;AD-Group-2
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
