Gravedigging, I know. I ran into this and had a heck of a time figuring it out. We could map groups and users, and have nested security groups all over the place, BUT some users could not log in, even though we could see them in the Splunk UI as a member of the group(s) we were adding. Turns out that the users who could not log in did not have an Active Directory DisplayName! The LDAP query would choke and die for those users, while users with DisplayNames would be able to log in. We changed the "realNameAttribute" to "samaccountname" and the users were immediately able to log in. The only side effect is that their login name is shown at the top of the UI rather than their full name, but with thousands of possible users and the potential of this cropping up in the future, we're keeping the "samaccountname" and calling it a day.
Working config, non-SSL:
authentication.conf:
[roleMap_MGMT-SE]
admin = SE-GROUP
[authentication]
authSettings = MGMT-SE,MGMT-USERS
authType = LDAP
[roleMap_MGMT-USERS]
splunktier1 = SplunkTier1
splunktier2 = SplunkTier2
splunktier3 = SplunkTier3
[MGMT-SE]
SSLEnabled = 0
anonymous_referrals = 0
bindDN = CN=_splunksvc,OU=Service_Accounts,DC=mgmt,DC=com
bindDNpassword = (removed)
charset = utf8
emailAttribute = mail
groupBaseDN = CN=SE-GROUP,OU=Teams,OU=Security_Groups,DC=mgmt,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap.server.com
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = samaccountname
sizelimit = 4000
timelimit = 15
userBaseDN = DC=mgmt,DC=com
userNameAttribute = samaccountname
[MGMT-USERS]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = CN=_splunksvc,OU=Service_Accounts,DC=mgmt,DC=com
bindDNpassword = (removed)
charset = utf8
emailAttribute = mail
groupBaseDN = OU=User_Groups,OU=Security_Groups,DC=mgmt,DC=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap.server.com
nestedGroups = 0
network_timeout = 20
port = 389
realNameAttribute = samaccountname
sizelimit = 4000
timelimit = 15
userBaseDN = DC=mgmt,DC=com
userNameAttribute = samaccountname
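As an added illustration (not the poster's code), a small Python audit that parses an authentication.conf in the format above and lists, per LDAP strategy, the users whose directory entry lacks whatever attribute realNameAttribute maps to, which is the condition that blocked logins here. The conf excerpt and the directory entries are constructed; MGMT-USERS is shown with the earlier displayName setting so there is something to find, and nothing queries a live LDAP server.

```python
import configparser

# Constructed excerpt of the poster's authentication.conf; MGMT-USERS is shown with the
# earlier, failing setting (displayName) so the audit has something to find. Password omitted.
AUTH_CONF = """
[authentication]
authSettings = MGMT-SE,MGMT-USERS
authType = LDAP

[MGMT-SE]
realNameAttribute = samaccountname
userNameAttribute = samaccountname

[MGMT-USERS]
realNameAttribute = displayName
userNameAttribute = samaccountname
"""

# Constructed directory entries, shaped like LDAP search results with lower-cased attribute names.
DIRECTORY = [
    {"samaccountname": "jdoe", "displayname": "Jane Doe"},
    {"samaccountname": "svc_batch"},                # no displayName: the case that failed in the post
    {"samaccountname": "rroe", "displayname": ""},  # attribute present but empty, treated the same way
]


def ldap_strategies(conf_text):
    """Map each strategy named in [authentication] authSettings to its (lower-cased) settings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str.lower  # Splunk conf keys are case-insensitive; normalise for lookup
    cp.read_string(conf_text)
    names = [s.strip() for s in cp["authentication"]["authsettings"].split(",")]
    return {n: dict(cp[n]) for n in names}


def users_without_real_name(strategy, entries):
    """Usernames of entries lacking the attribute the strategy uses as realNameAttribute."""
    real = strategy["realnameattribute"].lower()
    user = strategy["usernameattribute"].lower()
    return [e[user] for e in entries if not e.get(real)]


def audit(conf_text, entries):
    """Per strategy, the users whose login the post's symptom would affect."""
    return {n: users_without_real_name(s, entries) for n, s in ldap_strategies(conf_text).items()}


if __name__ == "__main__":
    for name, users in audit(AUTH_CONF, DIRECTORY).items():
        print(f"{name}: {users or 'every user has the mapped real-name attribute'}")
```

Feed it the real conf and the entries returned by a search under userBaseDN (with the same attribute list) to spot affected accounts before they fail to log in.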