Why can't I delete my LDAP strategy?

vanderaj2
Path Finder

Just wanted to run this one by the Splunk community to see if anyone else has experienced this before:

- Earlier this week, I attempted to delete my LDAP strategy on one of my Search Heads.

- When I clicked delete, I got an error message. Something like "Error occurred attempting to remove BDC_AD: In handler 'LDAP-auth': Does not exist: /nobody/system/authentication/BDC_AD"

- When I check /opt/splunk/etc/system/local/authentication.conf, I don't see the strategy that I tried to delete showing up. However, that strategy still appears in the Splunk Web UI.

- Furthermore, now the service account I use to connect to LDAP keeps locking out, due to invalid credentials.

What could be causing this LDAP strategy to persist and lock out my service account?

Thanks!

0 Karma
1 Solution

vanderaj2
Path Finder

I think this problem is solved. The LDAP strategies kept showing up in the Web UI because they were being pushed via a deployment app.

The credential lockout issue had to do with me removing the bindDNpassword value from /opt/splunk/etc/system/local/authentication.conf in my attempts to get the LDAP strategies to disappear from the Web UI (not realizing that they were showing up as a result of an authentication.conf from a deployment app).

0 Karma

woodcock
Esteemed Legend

That's funny!

0 Karma

vanderaj2
Path Finder

Update - I decided to run btool to figure out where authentication.conf settings were specified. Looks like someone had set up a deployment app for authentication.conf that gets pushed to all the search heads.

So things like passwords and mappings appear to be set in /opt/splunk/etc/system/local/authentication.conf, but other settings are specified in the authentication.conf that comes from the deployment app.

....more to come

0 Karma

jkat54
SplunkTrust

Did you restart Splunk yet? If not, it's possible someone manually removed the config from authentication.conf, but didn't restart, and so the configuration is persisting in memory.

Also see what this gives you

./splunk btool authentication list --debug

You may find you have the ldap strategy configured in a different authentication.conf.

0 Karma
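An added example (not part of the thread and not Splunk's own code): a Python script that parses `btool authentication list --debug` output, where each line is prefixed with the file that supplied it, and reports LDAP strategies whose settings come from a file other than system/local, plus strategies that have a bindDN but no bindDNpassword in the merged result. The app name `org_all_auth`, the sample values, and the rule "a stanza with userBaseDN is an LDAP strategy" are assumptions made for this example.

```python
import re
from collections import defaultdict

LOCAL = "/opt/splunk/etc/system/local/authentication.conf"
APP = "/opt/splunk/etc/apps/org_all_auth/local/authentication.conf"  # constructed app path

# Constructed sample of `./splunk btool authentication list --debug` output.
SAMPLE = f"""\
{LOCAL}  [authentication]
{LOCAL}  authSettings = BDC_AD
{LOCAL}  authType = LDAP
{APP}  [BDC_AD]
{APP}  bindDN = CN=svc_splunk,OU=Service,DC=example,DC=com
{APP}  host = dc01.example.com
{APP}  userBaseDN = OU=Users,DC=example,DC=com
{LOCAL}  [roleMap_BDC_AD]
{LOCAL}  admin = Splunk Admins
"""

def parse_btool_debug(text):
    """Return {stanza: {key: (value, source_file)}} from btool --debug output."""
    stanzas, current = defaultdict(dict), None
    for line in text.splitlines():
        parts = line.split(None, 1)  # "<source file> <stanza header | key = value>"
        if len(parts) != 2:
            continue
        source, rest = parts[0], parts[1].strip()
        header = re.fullmatch(r"\[(.*)\]", rest)
        if header:
            current = header.group(1)
            stanzas[current]  # register the stanza even if it has no keys
        elif current is not None and "=" in rest:
            key, value = (s.strip() for s in rest.split("=", 1))
            stanzas[current][key] = (value, source)
    return stanzas

def audit_ldap_strategies(stanzas, local_conf=LOCAL):
    """List (strategy, finding, source_files) for each condition seen in the thread."""
    findings = []
    for name, settings in stanzas.items():
        if "userBaseDN" not in settings:  # assumption: marks an LDAP strategy stanza
            continue
        sources = sorted({src for _, src in settings.values()})
        outside = [s for s in sources if s != local_conf]
        if outside:
            findings.append((name, "defined outside system/local", outside))
        if "bindDN" in settings and "bindDNpassword" not in settings:
            findings.append((name, "bindDN set but no bindDNpassword", sources))
    return findings

if __name__ == "__main__":
    for finding in audit_ldap_strategies(parse_btool_debug(SAMPLE)):
        print(finding)
```

To use it on a real search head, pass the captured output of the btool command to `parse_btool_debug` in place of `SAMPLE`.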

vanderaj2
Path Finder

Good call on the btool suggestion!

0 Karma