Splunk and OpenLDAP: Is there a setting in authentication.conf or another configuration file to allow custom filtering?

iiierdna
Explorer

I am working to connect Splunk with my Active Directory using LDAP, and during the process, I have enabled DEBUG on both ScopedLDAPConnection and AuthenticationManagerLDAP. The log message caught my attention when attempting to search group,

07-15-2016 11:07:28.263 +0000 DEBUG ScopedLDAPConnection - strategy="test" Attempting to search subtree at DN="ou=splunk,ou=apps,o=xxx" using filter="(&(member=cn=user01,ou=users,o=xxx)(cn=splunk_users))"

I would like to know if I can edit the filter from:

(&(member=cn=user01,ou=users,o=xxx)(cn=splunk_users))

to

(&(member=cn=user01,ou=users,o=xxx))(cn=splunk_users)

I have looked at online documentation on authentication.conf, and there are no additional attributes which would allow custom filtering.
Hence, I would like to know if this is a product limitation, or if there is a hidden setting which I can change for it.

0 Karma

acharlieh
Influencer

A simple reason you cannot edit that filter that way is that your proposed new filter is not valid. Check out the grammar for the string representation of an LDAP filter, which is defined in RFC 2254 Section 4. I also guess that this is being built by Splunk itself.

Now, I don't know much about the internals of Splunk's LDAP integration, but making a guess from this message and my knowledge of authentication.conf, I think there are a number of tuneables you can manipulate here. Using rex-like syntax (with {} for groups instead of ()), here is where I'm guessing they come from:

 07-15-2016 11:07:28.263 +0000 DEBUG ScopedLDAPConnection - strategy="test" Attempting to search subtree at DN="{?<groupBaseDN>ou=splunk,ou=apps,o=xxx}" using filter="(&({?<groupMemberAttribute>member}={?<value of groupMappingAttribute>cn=user01,ou=users,o=xxx}){?<groupBaseFilter>(cn=splunk_users)})"

Again just a guess as to where those come from, but try and see.
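Since the thread turns on what makes a filter string valid, here is a small checker, added to this thread and not part of Splunk or of either poster's material, that parses a string against the RFC 2254 grammar and reports whether it is exactly one filter. It also reconstructs the group-membership filter from the authentication.conf knobs the DEBUG line hints at (groupMemberAttribute and groupBaseFilter are real settings; how Splunk joins them is an assumption drawn from the log line, not from Splunk's source). The user DN is escaped per RFC 4515 before it is spliced in, because it is an assertion value rather than filter syntax:

```python
"""RFC 2254 / RFC 4515 LDAP filter checker plus a reconstruction of how a
group-membership filter like the one in the DEBUG line is assembled.

Added example for this thread; not Splunk code.  groupMemberAttribute and
groupBaseFilter are real authentication.conf settings, but the way they are
joined below is an ASSUMPTION based on the shape of the log message."""
import re

# attr (name or numeric OID, optional ;options) followed by a filtertype
_ITEM = re.compile(r'([A-Za-z][A-Za-z0-9.;-]*|[0-9][0-9.]*)(~=|>=|<=|=)([^()]*)')


def _check_value(op, value, pos):
    """Reject unescaped special characters and malformed \\XX escapes."""
    j = 0
    while j < len(value):
        ch = value[j]
        if ch == '\\':
            if not re.fullmatch(r'[0-9A-Fa-f]{2}', value[j + 1:j + 3]):
                raise ValueError(f"bad escape sequence at offset {pos + j}")
            j += 3
            continue
        if ch == '*' and op != '=':          # '*' only legal in equality/substring/presence
            raise ValueError(f"'*' not allowed with {op!r} at offset {pos + j}")
        if ch == '\x00':
            raise ValueError(f"NUL byte at offset {pos + j}")
        j += 1


def _parse_item(s, i):
    """Parse 'attr<op>value' starting at s[i]; return index after the value."""
    m = _ITEM.match(s, i)
    if not m:
        raise ValueError(f"expected attr=value at offset {i}")
    _check_value(m.group(2), m.group(3), m.start(3))
    return m.end()


def _parse_filter(s, i):
    """Parse one parenthesised filter starting at s[i]; return index after ')'."""
    if i >= len(s) or s[i] != '(':
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    if s[i] in '&|':                        # and / or: one or more nested filters
        i += 1
        if i >= len(s) or s[i] != '(':
            raise ValueError(f"'{s[i - 1]}' needs a nested filter at offset {i}")
        while i < len(s) and s[i] == '(':
            i = _parse_filter(s, i)
    elif s[i] == '!':                       # not: exactly one nested filter
        i = _parse_filter(s, i + 1)
    else:
        i = _parse_item(s, i)
    if i >= len(s) or s[i] != ')':
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def is_valid_filter(s):
    """True only if the whole string is exactly one RFC 2254 filter."""
    try:
        return _parse_filter(s, 0) == len(s)
    except ValueError:
        return False


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value (e.g. the user's DN)."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch for ch in value)


def build_group_filter(group_member_attribute, user_dn, group_base_filter=''):
    """Assemble (&(<groupMemberAttribute>=<user DN>)<groupBaseFilter>).

    ASSUMPTION: this mirrors the shape of the DEBUG line, not Splunk's own code."""
    if group_base_filter and not is_valid_filter(group_base_filter):
        raise ValueError("groupBaseFilter must itself be a complete filter")
    member_test = f"({group_member_attribute}={escape_filter_value(user_dn)})"
    if not group_base_filter:
        return member_test
    return f"(&{member_test}{group_base_filter})"


if __name__ == "__main__":
    original = "(&(member=cn=user01,ou=users,o=xxx)(cn=splunk_users))"
    proposed = "(&(member=cn=user01,ou=users,o=xxx))(cn=splunk_users)"
    print(original, "->", is_valid_filter(original))
    print(proposed, "->", is_valid_filter(proposed))
    print(build_group_filter("member", "cn=user01,ou=users,o=xxx", "(cn=splunk_users)"))
```

Run it and the filter from the DEBUG line checks out while the proposed one fails, because after the closing `)` of the `&` there is a second top-level filter left over. Note the distinction between valid and safe: a DN containing `*` or `)` would, unescaped, still parse as a valid filter, only with an extra `(cn=*)` term smuggled into the AND, which is why the DN goes through escape_filter_value before it is concatenated.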

iiierdna
Explorer

Thanks for your suggestions.
Noted on the invalidity of the filter string.

I have tried using regular expressions, but that does not work, since this filter string is constructed by Splunk and the values are taken directly from the LDAP configuration page.

0 Karma

acharlieh
Influencer

Let's back up a step... What do you want to accomplish by changing this filtering or what is not working that makes you want to change this without changing the values in the Splunk LDAP configuration as a solution?

I didn't mean to imply that you could use regular expressions here, but instead to call out the various parts of the message and label where I think they might be related to authentication.conf settings

0 Karma