@Stefanie Porting over much of your settings into our authentication.conf file worked for us. To answer the questions you had previously:

* We do not have to pull from multiple AD trusts in our configuration.
* What attribute in AD stores your Principal Name for your CAC? - We also use `userprincipalname`. We're using that value for "userNameAttribute" in authentication.conf.
* Are the roles you have mapped showing up for you under the Splunk Web UI -> Authentication Methods -> LDAP Settings -> Map Groups? - Thanks for this tip. This was useful in helping us troubleshoot whether Splunk was understanding our configuration and querying LDAP successfully.

Things that might have prevented our initial configuration from working:

* We may have used an incorrect userBaseDN for our environment. That would have resulted in failed user queries.
* Our "groupMemberAttribute" may have been wrong. I was used to the attribute being "uniqueMember" from previous experience with AD, but my memory may have been incorrect. I changed it to the value you provided, and it works.
* Splunk may not recursively search OUs when doing a group search. So we asked our Active Directory administrators to create two groups within the same OU and used that OU as our "groupBaseDN".

We changed those items and had a successful test of this configuration today. I've marked your response with your authentication.conf file as correct. Thank you! 🙂
@Stefanie Thank you! Here are the answers to your questions:

* Is the Reverse Proxy set up on the same server you'll be logging into? Yes, our web server reverse proxy is running on the same server as the Splunk server.

On the bright side, our CAC authentication is currently working. We tried adding an LDAP strategy to `authentication.conf` but were unsuccessful at getting it to work the way we'd hoped. Seeing an example of your "authentication.conf" might be helpful for me. Here is an example of what we tried in "authentication.conf":

```
[authentication]
authType = LDAP
authSettings = ldap_strategy

[ldap_strategy]
host = active-directory.example.com
SSLEnabled = 1
port = 636
bindDN = CN=MYAPP.dev,OU=Service Accounts,DC=example,DC=com
bindDNpassword = REDACTED
groupBaseDN = DC=example,DC=com
groupMemberAttribute = uniqueMember
groupNameAttribute = cn
realNameAttribute = displayName
userBaseDN = CN=Users,DC=example,DC=com
userBaseFilter = (objectclass=organizationalPerson)
userNameAttribute = cn

[splunk_auth]
constantLoginTime = 0.000
enablePasswordHistory = 1
expireAlertDays = 15
expirePasswordDays = 60
expireUserAccounts = 1
forceWeakPasswordChange = 1
lockoutAttempts = 3
lockoutMins = 1440
lockoutThresholdMins = 15
lockoutUsers = 1
minPasswordDigit = 1
minPasswordLength = 15
minPasswordLowercase = 1
minPasswordSpecial = 1
minPasswordUppercase = 1
passwordHistoryCount = 5
verboseLoginFailMsg = 0

[roleMap_ldap_strategy]
# Map Splunk role name to LDAP group name
# SplunkRoleName = LDAPGroupName
admin = SplunkAdmins
user = BusinessUsers
```
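A small Python helper, added here and not part of the original thread, that reads an `authentication.conf` like the one above and turns it into the two `ldapsearch` queries (user lookup, then group membership) an admin can run to check userBaseDN, groupMemberAttribute and OU scope, and that inverts the roleMap section; it serves both this post and the troubleshooting points in the reply above. The `groupBaseDN`, `groupMemberAttribute = member` and `userprincipalname` values are assumptions, as is the exact filter shape Splunk sends.

```python
import configparser
import shlex
# Constructed sample modelled on the ldap_strategy posted above. groupBaseDN, groupMemberAttribute
# = member (AD's attribute; the thread omits the accepted value) and userprincipalname are assumptions.
SAMPLE_CONF = """
[authentication]
authSettings = ldap_strategy
[ldap_strategy]
host = active-directory.example.com
SSLEnabled = 1
port = 636
bindDN = CN=MYAPP.dev,OU=Service Accounts,DC=example,DC=com
groupBaseDN = OU=SplunkGroups,DC=example,DC=com
groupMemberAttribute = member
userBaseDN = CN=Users,DC=example,DC=com
userBaseFilter = (objectclass=organizationalPerson)
userNameAttribute = userprincipalname
[roleMap_ldap_strategy]
admin = SplunkAdmins
user = BusinessUsers
"""
def load_strategy(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case: SSLEnabled, bindDN, groupBaseDN
    cp.read_string(text)
    name = cp["authentication"]["authSettings"]
    return dict(cp[name]), dict(cp["roleMap_" + name])

def escape_filter(value):
    # RFC 4515 escaping: a login such as 'x)(cn=*' must not widen the filter
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def user_search(s, login):
    # userBaseFilter ANDed with the name-attribute match (assumed shape of Splunk's user lookup)
    flt = f"(&{s.get('userBaseFilter', '')}({s['userNameAttribute']}={escape_filter(login)}))"
    return s["userBaseDN"], flt

def group_search(s, user_dn):  # groups under groupBaseDN whose groupMemberAttribute lists the DN
    return s["groupBaseDN"], f"({s['groupMemberAttribute']}={escape_filter(user_dn)})"

def ldapsearch_cmd(s, base, flt, attrs, scope="sub"):
    # shell-safe ldapsearch line; run once with scope 'one' and once with 'sub' to test OU recursion
    uri = ("ldaps" if s.get("SSLEnabled") == "1" else "ldap") + f"://{s['host']}:{s['port']}"
    return shlex.join(["ldapsearch", "-H", uri, "-D", s["bindDN"], "-W", "-b", base, "-s", scope, flt, *attrs])

def roles_for(group_names, role_map):
    # invert roleMap (role = group1;group2): Splunk roles granted by these LDAP groups
    wanted = set(group_names)
    return sorted(r for r, gs in role_map.items() if wanted & {g.strip() for g in gs.split(";")})
```

If the `-s one` and `-s sub` group queries return different groups, the OU-recursion hypothesis from the reply above is what you are seeing.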
We are using Splunk with CAC / Smart Card authentication and want to add to our configuration the ability to map LDAP groups to roles within Splunk.
What we'd like to have happen:

* User logs in with CAC / Smart Card authentication with PIN.
* Splunk looks up the user in an LDAP directory to get their group memberships.
* Splunk maps group membership into a role like "user" or "admin" within the application.
CAC / Smart Card authentication means we've centralized our authentication. What we're looking for is to build on that to centralize authorization by using LDAP group membership to determine the correct permissions for each user.
How Splunk is currently configured:
* A web server like Apache is configured to require TLS client certificate authentication.
* The web server finds the user's ID (or equivalent field within the TLS client certificate data).
* The web server assigns that user ID to an HTTP header, e.g. `X-MY-REMOTE-USER-ID`.
* The web server reverse proxies the connection to the Splunk web application server.
* The Splunk web application is configured, via `web.conf`, to use SSO with the `remoteUser` configuration setting to set the Splunk user based on the value of the HTTP header.
Is there a way to achieve the configuration we're looking for?
Here is our existing Splunk authentication configuration:
```
[settings]
SSOMode = strict
enableSplunkWebSSL = true
httpport = 8443
login_content = <div>REDACTED</div>
privKeyPath = /path/to/key.pem
remoteUser = X-MY-REMOTE-USER-ID
remoteUserMatchExact = 1
serverCert = /path/to/tls/cert.pem
tools.proxy.on = false
trustedIP = 127.0.0.1
updateCheckerBaseURL = 0
keepAliveIdleTimeout = 270
server.thread_pool = 100
tools.sessions.timeout = 15
```
```
# cat authentication.conf
[authentication]
authType = Splunk

[splunk_auth]
constantLoginTime = 0.000
enablePasswordHistory = 1
expireAlertDays = 15
expirePasswordDays = 60
expireUserAccounts = 1
forceWeakPasswordChange = 1
lockoutAttempts = 3
lockoutMins = 1440
lockoutThresholdMins = 15
lockoutUsers = 1
minPasswordDigit = 1
minPasswordLength = 15
minPasswordLowercase = 1
minPasswordSpecial = 1
minPasswordUppercase = 1
passwordHistoryCount = 5
verboseLoginFailMsg = 0
```