Hi,
I have a Splunk standalone test system that I have successfully configured to use LDAP Authentication. Everything seems to be working fine, but I am receiving a lot of errors from the Authentication Manager (see below) that is trying to obtain user information for the user 'system'. The user has never existed as far as I can tell. I have also checked through the metadata files for any reference to the user but cannot find anything.
DEBUG AuthenticationManagerLDAP - Attempting to get user information for user="**system**" from strategy="XXX-Strategy"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Initializing with LDAPURL="ldaps://XXX:636"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Attempting bind as DN="CN=XXX,OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Bind successful
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Attempting to search subtree at DN="OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX" using filter="(&(samaccountname=**system**)(displayname=*))"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" Search duration="1477 microseconds"
DEBUG ScopedLDAPConnection - strategy="XXX-Strategy" LDAP Server returned no entries in search for DN="OU=XXX,OU=XXX,DC=XXX,DC=XXX,DC=XXX" filter="(&(samaccountname=**system**)(displayname=*))".
As you can see, there is a successful LDAP bind but then several failed attempts to enumerate the 'system' user (not repeated here). I have checked the archives and can only find references to the possibility that 'system' may own some objects (searches, views, etc.), but I have checked all the *.meta files and cannot find any references to any non-existent users other than 'nobody' and 'splunk-system-user'. Can anyone shed any light?