Splunk Search

Can I map multiple groups to be bound to one role?

daniel333
Builder

All,

Can I map multiple AD groups to one role in authentication.conf? Example?

0 Karma
1 Solution

nareshinsvu
Builder

@daniel333 - Yes you can. Separate the groups with a semicolon while defining LDAP strategy. And then define a rolemap as shown in the below example. The same can be achieved through GUI as well.

groupBaseDN = [<\string>;<\string>;...]
* The LDAP Distinguished Names of LDAP entries whose subtrees contain
the groups.
* Required.
* Enter a semicolon (;) delimited list to search multiple trees.
* If your LDAP environment does not have group entries, there is a
configuration that can treat each user as its own group:
* Set groupBaseDN to the same as userBaseDN, which means you search
for groups in the same place as users.
* Next, set the groupMemberAttribute and groupMappingAttribute to the same
setting as userNameAttribute.
* This means the entry, when treated as a group, uses the username
value as its only member.
* For clarity, also set groupNameAttribute to the same
value as userNameAttribute.
* No default.

Working example below: authentication.conf

[LDAP_Test]
groupBaseDN = CN=AD-Group-1,OU=Groups,DC=WIN,DC=LOCAL;CN=AD-Group-2,OU=Groups,DC=WIN,DC=LOCAL
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = <\your_AD_server_hostname>
nestedGroups = 0
network_timeout = 20
port = 389/636 <\remove this comment - 636 is for ssl>
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Accounts,DC=WIN,DC=LOCAL
userNameAttribute = samaccountname


[roleMap_LDAP_Test]
splunk_custom_role = AD-Group-1;AD-Group-2

View solution in original post

0 Karma

nareshinsvu
Builder

@daniel333 - Yes you can. Separate the groups with a semicolon while defining LDAP strategy. And then define a rolemap as shown in the below example. The same can be achieved through GUI as well.

groupBaseDN = [<\string>;<\string>;...]
* The LDAP Distinguished Names of LDAP entries whose subtrees contain
the groups.
* Required.
* Enter a semicolon (;) delimited list to search multiple trees.
* If your LDAP environment does not have group entries, there is a
configuration that can treat each user as its own group:
* Set groupBaseDN to the same as userBaseDN, which means you search
for groups in the same place as users.
* Next, set the groupMemberAttribute and groupMappingAttribute to the same
setting as userNameAttribute.
* This means the entry, when treated as a group, uses the username
value as its only member.
* For clarity, also set groupNameAttribute to the same
value as userNameAttribute.
* No default.

Working example below: authentication.conf

[LDAP_Test]
groupBaseDN = CN=AD-Group-1,OU=Groups,DC=WIN,DC=LOCAL;CN=AD-Group-2,OU=Groups,DC=WIN,DC=LOCAL
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = <\your_AD_server_hostname>
nestedGroups = 0
network_timeout = 20
port = 389/636 <\remove this comment - 636 is for ssl>
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Accounts,DC=WIN,DC=LOCAL
userNameAttribute = samaccountname


[roleMap_LDAP_Test]
splunk_custom_role = AD-Group-1;AD-Group-2
0 Karma
Get Updates on the Splunk Community!

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...

Ready, Set, SOAR: How Utility Apps Can Up Level Your Playbooks!

 WATCH NOW Powering your capabilities has never been so easy with ready-made Splunk® SOAR Utility Apps. Parse ...

DevSecOps: Why You Should Care and How To Get Started

 WATCH NOW In this Tech Talk we will talk about what people mean by DevSecOps and deep dive into the different ...