Now that we have Splunk installed, and we’ve configured it to use https to secure our logins, let’s set things up so that we don’t have to remember yet ANOTHER username/password combination on our network. Splunk is fully able to authenticate against an LDAP store, and what better LDAP store is there than Active Directory? That would be none. By using Active Directory, each user can log on using their AD credentials.
For purposes of this post, we have the following already set up and in place.
- Our Active Directory domain is set up as example.com.
- We have created records in DNS for ldap.example.com. This A record resolves to at least two of our domain controllers, so that we have fault tolerance for LDAP. Unfortunately, Splunk won’t use our SRV records, and if we just used example.com, we might try to reach DCs on the far side of the world.
- We have created a basic service account called ‘ldapbind’ so that we can make authenticated binds to AD.
- We have an Enterprise CA in our Active Directory, and all our domain controllers have certificates.
To start, log on to Splunk and then select the Manager link in the upper right. That should take you to a screen that looks like this.
See ‘Authentication method’ in the lower right corner? Click that. That should bring you to the screen that looks like this.
Select the LDAP radio button, and then click “Configure Splunk to work with LDAP.” That will bring you to this screen, where you can create an LDAP strategy. You should only need one, but you can create more if you have multiple domains, or other LDAP stores you want to use.
Click on the “New” button, and then configure Splunk to use LDAP. The first section is the overall setup, which I’ll explain below the image.
- LDAP strategy name: Just an arbitrary name to identify what you are doing.
- Host: The DNS name you set up for at least two domain controllers…think redundancy.
- Port: TCP 636 is the default for LDAPS.
- SSL Enabled: You want this checked!
- Bind DN: It says optional, but unless you want to support anonymous LDAP binds, set up a service account so that you can tighten up AD security.
- Bind DN Password: This would be the password for the service account.
- Page Size: 800 works well.
Scroll down a little way to the User settings. This is where we will set up the LDAP User settings. Again, explanations follow the image.
- User base DN: This is the fully qualified path to where your user accounts are stored.
- User base filter: objectclass=* does work for AD…fill it in.
- User name attribute: For AD, use sAMAccountName, which is also the NetBIOS or pre-Windows 2000 username.
- Real name attribute: displayName will show the user’s actual name as it is configured in AD.
Keep scrolling down to the Group settings. We will use this so that we can either assign Splunk permissions to existing groups (like admins) or we can create a new AD group for Splunk roles. Bet you can guess what comes below the image.
- Group base DN: This is the fully qualified path to where your group accounts are stored.
- Group base filter: Again, objectclass=* works well.
- Group name attribute: Use cn even if you don’t have users and groups in the same OU. I don’t know why, but trust me, this is what you want to do here.
- Group mapping attribute: Use dn, and do so even though it says optional. Again, trust me.
- Group member attribute: Again it says optional, but you want to do this. For AD, use member.
Finally, you WANT TO DO THIS! Set up a Failsafe settings user account so you can get in, just in case Splunk borks and cannot connect to AD. Save these credentials in your account escrow.
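For reference, here is the same strategy written out as a Splunk authentication.conf file rather than clicked through the Manager screens. This is an added example, not taken from the original post; the strategy name, the OU paths in the DNs and the AD group names in the role map are assumptions for the example.com domain above, and the bind password is a placeholder.

```ini
# authentication.conf ($SPLUNK_HOME/etc/system/local/)
# Added example mirroring the Manager settings in this post.
# Strategy name, DNs and group names below are assumptions, not from the post.

[authentication]
authType = LDAP
# Must match the name of the strategy stanza below.
authSettings = example_ad

[example_ad]
# The round-robin A record that points at two or more DCs, not a single DC.
host = ldap.example.com
# 636 with SSLEnabled = 1 is LDAPS. The weak alternative, port 389 with
# SSLEnabled = 0, would send the ldapbind password and every user's
# password across the network in clear text.
port = 636
SSLEnabled = 1
# Service account for the initial bind, so anonymous binds can stay off in AD.
# Splunk replaces the clear-text password with an encrypted value on restart.
bindDN = CN=ldapbind,OU=Service Accounts,DC=example,DC=com
bindDNpassword = <ldapbind-password-placeholder>
pageSize = 800

# User settings (the filter from the post, wrapped in the parentheses
# the conf file expects)
userBaseDN = OU=Users,DC=example,DC=com
userBaseFilter = (objectclass=*)
userNameAttribute = sAMAccountName
realNameAttribute = displayName

# Group settings
groupBaseDN = OU=Groups,DC=example,DC=com
groupBaseFilter = (objectclass=*)
groupNameAttribute = cn
groupMappingAttribute = dn
groupMemberAttribute = member

# Role mapping, i.e. the Splunk permissions part: Splunk role = AD group cn,
# several groups separated by semicolons. Group names are assumptions.
[roleMap_example_ad]
admin = Splunk Admins
power = Splunk Power Users
user = Splunk Users
```

Splunk .conf files only treat `#` as a comment at the start of a line, so keep comments on their own lines as above.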

We’re not done yet though, so don’t log out! We need to set up Splunk permissions so that we can get back in using our AD account. But if I gave you everything in one post, well, it would be a very long post, and you might not come back. I want some repeat visitors, so you’re going to have to come back at least one more time. That information is now posted here. Hope the above helps!
{ 2 comments… read them below or add one }
Ed..
Epic blog post! FYI. I did this Splunk Ninja video recently.. share it with your readers, it visually goes through everything you have, but further, including tools to figure out what all these cryptic LDAP strings are…
Direct link to video – http://splunk.blip.tv/file/2878148/
Link to my blog post and SplunkNinja.com community – http://splunkninja.com/video/splunk-ninja-basic-training
Michael Wilde
Splunk Ninja
@swackhap Check out gr8 blogs on Splunk & LDAP-Tina's: http://bit.ly/bDM0rQ or Splunk w/ AD from power user Retrohack: http://bit.ly/98iyfJ