Security

After configuring LDAP authentication with Active Directory in Splunk, why are LDAP user details for some users deleted after a login attempt?

nivedita_viswan
Path Finder

I have configured LDAP authentication with Active Directory on Splunk. We are still waiting on the group to role mapping, so currently we have mapped individual users to specific roles.

However, 1 of the 5 users we have currently mapped is unable to login. When I add his username to the authentication.conf file, I see his username, Full name and email address under Settings->Access controls->Users

When he tries to log in, he gets "Invalid username or password" and immediately after that, his details are no longer visible under Settings->Access controls->Users

splunkd.log only shows

user=xxx action=login status=failure reason=user-initiated

The password can't be invalid since he logs into his local machine with the same credentials. The other 4 users are able to log in successfully.
Also, since I can see his 'Full Name' under Settings->Access controls->Users , I don't think its a problem with his display name, either.

1 Solution

nivedita_viswan
Path Finder

It turns out that this only happened for users who had capital letters in their LDAP usernames. I had initially configured the role mapping assuming case sensitivity. So I had

admin = User1, user2, usEr3

Thought the users could log into their systems irrespective of the case, they were unable to log into splunk. I changed the mapping so that all usernames had lower case letters:

admin=user1,user2,user3

This seemed to fix the issue, and all users can now log into Splunk.

View solution in original post

mendesjo
Path Finder

You just saved me, made some permission changes , roles etc... and if you have the LDAP in uppercase letters it fails.

0 Karma

nivedita_viswan
Path Finder

It turns out that this only happened for users who had capital letters in their LDAP usernames. I had initially configured the role mapping assuming case sensitivity. So I had

admin = User1, user2, usEr3

Thought the users could log into their systems irrespective of the case, they were unable to log into splunk. I changed the mapping so that all usernames had lower case letters:

admin=user1,user2,user3

This seemed to fix the issue, and all users can now log into Splunk.

Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...