You set up one LDAP "strategy" per LDAP tree you want to search (which might be one per LDAP server, or might be multiple per LDAP server to encompass separate sub-trees). But to simplify, let's assume one server and one search tree.
One of the big gotchas of LDAP is that by default most LDAP servers will not return more than 1000 records, and will truncate at that point, so you have to create your filters to ensure the required record set is within the data returned.
For each strategy you have to provide a BindDN (and if necessary a password) because the BindDN is the authentication/authorisation for your search. If that BindDN does not have query access to the segments of the tree that you need to search, you won't see any results, and that's down to authentication/authorisations set up by the LDAP admin. Ideally you will have a BindDN specifically for your Splunk authentication, and nothing else, which has query access only to the data it needs (i.e. password hashes and group memberships relevant to Splunk role definition). In practice it will probably have access to a broader range of data than it needs, because granular access control across LDAP is a hairy subject.
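
A single-strategy `authentication.conf` matching the setup described above, added here as an illustration and not part of the original post. The host, DNs, group names and the strategy name `corp_ldap` are constructed placeholders, and the `memberOf` filter assumes a directory that exposes that attribute.

```ini
# authentication.conf (constructed example; all DNs, hosts and names are placeholders)
[authentication]
authType = LDAP
authSettings = corp_ldap

[corp_ldap]
host = ldap.example.com
port = 636
SSLEnabled = 1

# Dedicated service account used only for Splunk lookups; the LDAP admin
# should grant it read access to the two sub-trees below and nothing else.
bindDN = cn=svc-splunk-auth,ou=Service Accounts,dc=example,dc=com
bindDNpassword = <placeholder>

# Too broad: searching from the root with no filter can exceed the server's
# record limit, and the truncated result may omit the users you need.
#   userBaseDN = dc=example,dc=com
# Narrowed: one sub-tree, filtered to members of the Splunk access group.
userBaseDN = ou=People,dc=example,dc=com
userBaseFilter = (memberOf=cn=splunk-users,ou=Groups,dc=example,dc=com)
userNameAttribute = uid
realNameAttribute = cn

# Only groups that map to Splunk roles are searched.
groupBaseDN = ou=Groups,dc=example,dc=com
groupBaseFilter = (cn=splunk-*)
groupNameAttribute = cn
groupMemberAttribute = member
groupMappingAttribute = dn

# Client-side request cap; the LDAP server still enforces its own limit.
sizelimit = 1000

[roleMap_corp_ldap]
admin = splunk-admins
user = splunk-users
```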