Having issues with one user trying to authenticate into Splunk. We're using LDAP auth.

User has the same primary group as another individual that can log in. That primary group is used to grant access to Splunk. User does not have any other group memberships that are mapped in Splunk for authentication, so no conflicts that I can tell. User is in the same OU as users that can authenticate. Only have 1 LDAP strategy, and only this 1 user is affected. Have confirmed that the user used for the LDAP strategy can query and see the affected user via Get-Aduser.

One thing I noticed in splunkd.log is the search filter appears a bit odd.

```
09-10-2020 09:30:35.191 -0700 DEBUG AuthenticationManagerLDAP - Attempting to get roles for user="flastname" with DN="CN=Last\, First,OU=OU2,OU=OU1,OU=Users,DC=company,DC=com" in strategy="Company-LDAP-USERROLE"
09-10-2020 09:30:35.194 -0700 ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="flastname". Search filter="(&(member=CN=Last\5C, First,OU=OU2,OU=OU1,OU=Users,DC=company,DC=com)(|(CN=USERROLE*)(CN=OTHERUSERROLE*)))" strategy="Company-LDAP-USERROLE"
```

In the filter I see what looks to be an added 5C, which is hex code for \ in ASCII. Is it adding an additional piece that shouldn't be there? Might be a red herring though.
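For checking the `5C` in the logged filter: RFC 4515 requires a literal backslash inside a filter assertion value to be written as `\5C`, so a DN containing `\,` appears as `\5C,` once placed in a `member=` filter. The sketch below is an added example, not part of the original post and not Splunk's code; the function names are hypothetical, and the DN and filter strings are the ones from the log lines above.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX (two hex digits)
# when they appear inside a filter assertion value.
_FILTER_SPECIALS = {"\\": r"\5C", "*": r"\2A", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a literal string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Undo \\XX escaping to recover the literal value the server compares."""
    raw = re.sub(rb"\\([0-9A-Fa-f]{2})",
                 lambda m: bytes([int(m.group(1), 16)]),
                 value.encode("utf-8"))
    return raw.decode("utf-8")


def build_member_filter(user_dn: str, group_prefixes: list[str]) -> str:
    """Build (&(member=<dn>)(|(CN=<prefix>*)...)) with DN and prefixes escaped."""
    groups = "".join(f"(CN={escape_filter_value(p)}*)" for p in group_prefixes)
    return f"(&(member={escape_filter_value(user_dn)})(|{groups}))"


# Values copied from the splunkd.log lines in the post.
LOGGED_DN = r"CN=Last\, First,OU=OU2,OU=OU1,OU=Users,DC=company,DC=com"
LOGGED_FILTER = (
    r"(&(member=CN=Last\5C, First,OU=OU2,OU=OU1,OU=Users,DC=company,DC=com)"
    r"(|(CN=USERROLE*)(CN=OTHERUSERROLE*)))"
)

if __name__ == "__main__":
    rebuilt = build_member_filter(LOGGED_DN, ["USERROLE", "OTHERUSERROLE"])
    # True means the logged filter is the RFC 4515 escaped form of the logged DN.
    print("filter matches escaped DN:", rebuilt == LOGGED_FILTER)
    # Decoding the member value from the filter gives back the DN as logged.
    member_value = LOGGED_FILTER[len("(&(member="):LOGGED_FILTER.index(")(|")]
    print("decoded member value:", unescape_filter_value(member_value))
```
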