Security

After configuring LDAP authentication with Active Directory in Splunk, why are LDAP user details for some users deleted after a login attempt?

nivedita_viswan
Path Finder

I have configured LDAP authentication with Active Directory on Splunk. We are still waiting on the group to role mapping, so currently we have mapped individual users to specific roles.

However, 1 of the 5 users we have currently mapped is unable to login. When I add his username to the authentication.conf file, I see his username, Full name and email address under Settings->Access controls->Users

When he tries to log in, he gets "Invalid username or password" and immediately after that, his details are no longer visible under Settings->Access controls->Users

splunkd.log only shows

user=xxx action=login status=failure reason=user-initiated

The password can't be invalid since he logs into his local machine with the same credentials. The other 4 users are able to log in successfully.
Also, since I can see his 'Full Name' under Settings->Access controls->Users , I don't think its a problem with his display name, either.

1 Solution

nivedita_viswan
Path Finder

It turns out that this only happened for users who had capital letters in their LDAP usernames. I had initially configured the role mapping assuming case sensitivity. So I had

admin = User1, user2, usEr3

Thought the users could log into their systems irrespective of the case, they were unable to log into splunk. I changed the mapping so that all usernames had lower case letters:

admin=user1,user2,user3

This seemed to fix the issue, and all users can now log into Splunk.

View solution in original post

mendesjo
Path Finder

You just saved me, made some permission changes , roles etc... and if you have the LDAP in uppercase letters it fails.

0 Karma

nivedita_viswan
Path Finder

It turns out that this only happened for users who had capital letters in their LDAP usernames. I had initially configured the role mapping assuming case sensitivity. So I had

admin = User1, user2, usEr3

Thought the users could log into their systems irrespective of the case, they were unable to log into splunk. I changed the mapping so that all usernames had lower case letters:

admin=user1,user2,user3

This seemed to fix the issue, and all users can now log into Splunk.

Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...