Splunk Search

Can I map multiple groups to be bound to one role?

Builder

All,

Can I map multiple AD groups to one role in authentication.conf? Example?

0 Karma
1 Solution

Builder

@daniel333 - Yes you can. Separate the groups with a semicolon while defining LDAP strategy. And then define a rolemap as shown in the below example. The same can be achieved through GUI as well.

groupBaseDN = [<\string>;<\string>;...]
* The LDAP Distinguished Names of LDAP entries whose subtrees contain
the groups.
* Required.
* Enter a semicolon (;) delimited list to search multiple trees.
* If your LDAP environment does not have group entries, there is a
configuration that can treat each user as its own group:
* Set groupBaseDN to the same as userBaseDN, which means you search
for groups in the same place as users.
* Next, set the groupMemberAttribute and groupMappingAttribute to the same
setting as userNameAttribute.
* This means the entry, when treated as a group, uses the username
value as its only member.
* For clarity, also set groupNameAttribute to the same
value as userNameAttribute.
* No default.

Working example below: authentication.conf

[LDAP_Test]
groupBaseDN = CN=AD-Group-1,OU=Groups,DC=WIN,DC=LOCAL;CN=AD-Group-2,OU=Groups,DC=WIN,DC=LOCAL
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = <\your_AD_server_hostname>
nestedGroups = 0
network_timeout = 20
port = 389/636 <\remove this comment - 636 is for ssl>
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Accounts,DC=WIN,DC=LOCAL
userNameAttribute = samaccountname


[roleMap_LDAP_Test]
splunk_custom_role = AD-Group-1;AD-Group-2

View solution in original post

0 Karma

Builder

@daniel333 - Yes you can. Separate the groups with a semicolon while defining LDAP strategy. And then define a rolemap as shown in the below example. The same can be achieved through GUI as well.

groupBaseDN = [<\string>;<\string>;...]
* The LDAP Distinguished Names of LDAP entries whose subtrees contain
the groups.
* Required.
* Enter a semicolon (;) delimited list to search multiple trees.
* If your LDAP environment does not have group entries, there is a
configuration that can treat each user as its own group:
* Set groupBaseDN to the same as userBaseDN, which means you search
for groups in the same place as users.
* Next, set the groupMemberAttribute and groupMappingAttribute to the same
setting as userNameAttribute.
* This means the entry, when treated as a group, uses the username
value as its only member.
* For clarity, also set groupNameAttribute to the same
value as userNameAttribute.
* No default.

Working example below: authentication.conf

[LDAP_Test]
groupBaseDN = CN=AD-Group-1,OU=Groups,DC=WIN,DC=LOCAL;CN=AD-Group-2,OU=Groups,DC=WIN,DC=LOCAL
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = <\your_AD_server_hostname>
nestedGroups = 0
network_timeout = 20
port = 389/636 <\remove this comment - 636 is for ssl>
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = OU=Accounts,DC=WIN,DC=LOCAL
userNameAttribute = samaccountname


[roleMap_LDAP_Test]
splunk_custom_role = AD-Group-1;AD-Group-2

View solution in original post

0 Karma