
Splunk and OpenLDAP: Is there a setting in authentication.conf or another configuration file to allow custom filtering?


I am working to connect Splunk with my Active Directory using LDAP, and during the process I have enabled DEBUG on both ScopedLDAPConnection and AuthenticationManagerLDAP. The following log message caught my attention when attempting to search for groups:

07-15-2016 11:07:28.263 +0000 DEBUG ScopedLDAPConnection - strategy="test" Attempting to search subtree at DN="ou=splunk,ou=apps,o=xxx" using filter="(&(member=cn=user01,ou=users,o=xxx)(cn=splunk_users))"

I would like to know if I can edit the filter from:




I have looked at online documentation on authentication.conf, and there are no additional attributes which would allow custom filtering.
Hence, I would like to know if this is a product limitation, or if there is a hidden setting which I can change for it.



A simple reason you cannot edit that filter that way is that your proposed new filter is not valid. Check out the grammar for the string representation of an LDAP filter, which is defined in RFC 2254 Section 4. I also guess that this is being built by Splunk itself.

Now, I don't know much about the internals of Splunk's LDAP integration, but making a guess from this message and my knowledge of authentication.conf, I think there are a number of tunables you can manipulate here. Using rex-like syntax (using {} for groups instead of ()), I'm guessing that these are the settings involved:

 07-15-2016 11:07:28.263 +0000 DEBUG ScopedLDAPConnection - strategy="test" Attempting to search subtree at DN="{?<groupBaseDN>ou=splunk,ou=apps,o=xxx}" using filter="(&({?<groupMemberAttribute>member}={?<value of groupMappingAttribute>cn=user01,ou=users,o=xxx}){?<groupBaseFilter>(cn=splunk_users)})"

Again just a guess as to where those come from, but try and see.
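To make the two points above concrete (the filter string must follow the RFC 2254 section 4 grammar, and the conjunctive filter in the debug line looks like it is assembled from authentication.conf settings), here is an added example that is not part of the original thread or of Splunk's own code. It implements a small recursive-descent checker for the RFC 2254 filter grammar (and/or/not, simple, presence and substring items; the extensible-match form is left out), an escaping helper for values placed inside a filter, and a builder that assembles the filter the way the answer guesses Splunk does from groupMemberAttribute, the mapped user value and groupBaseFilter. That assembly order is the answer's guess, not documented Splunk behaviour, and the sample filter is constructed from the debug line quoted in the question.

```python
"""Validate and construct RFC 2254-style LDAP search filters (added example)."""
import re


class LDAPFilterError(ValueError):
    """Raised when a filter string does not follow the RFC 2254 grammar."""


# Characters that must be hex-escaped inside a filter value (RFC 2254 s.4).
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
_ATTR_RE = re.compile(r'[A-Za-z0-9.;-]+')   # attribute description (no extensible ':' forms)
_HEX2 = re.compile(r'[0-9A-Fa-f]{2}')


def escape_filter_value(value: str) -> str:
    """Escape a raw assertion value so it cannot alter the filter's structure."""
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


class _Parser:
    def __init__(self, text: str):
        self.s, self.i = text, 0

    def _peek(self) -> str:
        return self.s[self.i] if self.i < len(self.s) else ''

    def _expect(self, ch: str) -> None:
        if self._peek() != ch:
            raise LDAPFilterError(f"expected {ch!r} at offset {self.i}, got {self._peek()!r}")
        self.i += 1

    def parse(self):
        node = self._filter()
        if self.i != len(self.s):
            raise LDAPFilterError(f"trailing data at offset {self.i}")
        return node

    def _filter(self):
        # filter = "(" filtercomp ")"
        self._expect('(')
        c = self._peek()
        if c in ('&', '|'):                 # and / or = op filterlist (one or more filters)
            self.i += 1
            items = []
            while self._peek() == '(':
                items.append(self._filter())
            if not items:
                raise LDAPFilterError(f"empty {c!r} list at offset {self.i}")
            node = (c, items)
        elif c == '!':                      # not = "!" filter
            self.i += 1
            node = ('!', [self._filter()])
        else:
            node = self._item()
        self._expect(')')
        return node

    def _item(self):
        # item = attr filtertype value ; "attr=*" alone is the presence form
        m = _ATTR_RE.match(self.s, self.i)
        if not m:
            raise LDAPFilterError(f"expected attribute at offset {self.i}")
        attr, self.i = m.group(), m.end()
        for op in ('~=', '>=', '<=', '='):
            if self.s.startswith(op, self.i):
                self.i += len(op)
                break
        else:
            raise LDAPFilterError(f"expected filtertype after {attr!r} at offset {self.i}")
        value = self._value(allow_star=(op == '='))
        if op == '=' and value == '*':
            op = '=*'
        return (op, attr, value)

    def _value(self, allow_star: bool) -> str:
        # value runs up to ')'; unescaped NUL, '(' and (outside "=") '*' are errors
        start = self.i
        while self.i < len(self.s) and self.s[self.i] != ')':
            ch = self.s[self.i]
            if ch in '(\x00' or (ch == '*' and not allow_star):
                raise LDAPFilterError(f"unescaped {ch!r} in value at offset {self.i}")
            if ch == '\\':
                if not _HEX2.fullmatch(self.s[self.i + 1:self.i + 3]):
                    raise LDAPFilterError(f"bad escape at offset {self.i}")
                self.i += 3
                continue
            self.i += 1
        return self.s[start:self.i]


def parse_filter(text: str):
    """Return a nested (op, ...) tree for a valid filter, or raise LDAPFilterError."""
    return _Parser(text).parse()


def is_valid_filter(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except LDAPFilterError:
        return False


def build_group_filter(group_member_attribute: str, member_value: str,
                       group_base_filter: str = '') -> str:
    """Assemble (&(<groupMemberAttribute>=<mapped user value>)<groupBaseFilter>).
    This layout is the answer's guess at how Splunk builds it; the member value is
    escaped and groupBaseFilter must itself be a valid filter."""
    if group_base_filter and not is_valid_filter(group_base_filter):
        raise LDAPFilterError("groupBaseFilter is not a valid LDAP filter")
    member = f"({group_member_attribute}={escape_filter_value(member_value)})"
    return f"(&{member}{group_base_filter})" if group_base_filter else member


# Constructed from the debug line quoted in the question.
SPLUNK_LOG_FILTER = "(&(member=cn=user01,ou=users,o=xxx)(cn=splunk_users))"

if __name__ == "__main__":
    print(parse_filter(SPLUNK_LOG_FILTER))
    print(build_group_filter("member", "cn=user01,ou=users,o=xxx", "(cn=splunk_users)"))
```

Running a candidate groupBaseFilter through is_valid_filter before putting it in authentication.conf catches the unbalanced-parenthesis and unescaped-character mistakes that otherwise only show up as a failed subtree search in the ScopedLDAPConnection debug output.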


Thanks for your suggestions.
Noted on the invalidity of the filter string.

I have tried using regular expressions, but it does not work since this filter string is constructed by Splunk and the values are taken directly from the LDAP configuration page.



Let's back up a step... What do you want to accomplish by changing this filtering or what is not working that makes you want to change this without changing the values in the Splunk LDAP configuration as a solution?

I didn't mean to imply that you could use regular expressions here, but instead to call out the various parts of the message and label where I think they might be related to authentication.conf settings.
