Welcome back. Now that we have Splunk set up to use AD for authentication, using the steps from this earlier post, we are ready to set Splunk up so that authorization also uses AD. We will grant Splunk roles to AD groups under the same area of Splunk Manager, Authentication Method. Here is how to do it.
- Reload the authentication scheme and enable LDAP. This will kick you out of the system.
- Log in to Splunk using your failsafe account, and then click Manager.
- Click Authentication Method.
- If all went well with your LDAP setup, you should now see the option to Configure LDAP role mapping. Click it.

- You should now see a list of all the groups in the target OU. Scroll down until you find the first group you want to grant rights to, and then click it.

- Add the roles you want that group to have. Since this is MY group, I am just going to click “add all.”
- Scroll down to the bottom and click Save. Then click log out.
- Try logging on with your domain account. If all goes well, your browser should be full of WIN!

If you see a big ugly red banner telling you that no groups were returned, check for typos in the DN of the user account and in the LDAP path to your groups. If that doesn’t work, try switching to LDAP over port 389 (no SSL); Splunk doesn’t exactly tell you WHAT is wrong, so here Wireshark will be your friend.
If login fails, you now understand why you set up a failsafe account. Use it to log in and start troubleshooting. Likely causes again include typos in your LDAP configuration, or choosing a group that your AD account does not belong to. Temporarily set your authentication to LDAP over 389 (no SSL) and look at the trace in Wireshark. You should see an error response from a domain controller, or other responses to your queries that point you to the error.
Hi,
At step 5, I can see all the groups in my OU. After that, I added all available roles to the group I want. Save, logout and restart Splunk (for sure) but I cannot log on with my domain account (example.com\quan.ta or example\quan.ta). Can you help me?
Quanta,
Hi Quanta,
Check the following and let me know by reply here or at http://www.splunk.com/support/forum:SplunkGeneral/674/12637#post (preferably both). I wish you had posted as much detail here as in the Splunk forum, but the pingback let me find you.
That you can see all the groups listed is great! That’s the hard part, so now we just need to get your user login squared away.
a) set your port to 389.
b) confirm that your user account is a member of the group you added the roles to
c) try logging on only as quan.ta, omitting the domain.
Keeping fingers crossed for you.
Ed
Hi edfisher,
Thanks for your help.
a) I already tried setting the port to 389 (you can see it in my previous post).
b) I am sure (and to be more sure I have added the available roles to the “all” group).
c) I tried but still get “Invalid user or password” error.
I also tried using Wireshark on the AD server with the filter option “src host and dst port 389 or 3268” but I got no response.
Hi Quanta,
First, I am going to post what you had at the Splunk forum for anyone else to review.
Here is my authentication.conf file:
[authentication]
authSettings = LDAP auth to AD
authType = LDAP
[LDAP auth to AD]
SSLEnabled = 0
bindDN = quan.ta@example.com
bindDNpassword = $1$+wRV4vhO24Mh
charset = utf8
failsafeLogin = admin
failsafePassword = $1$4jFX5/EG4Q==
groupBaseDN = OU=xx,DC=example,DC=com;
groupBaseFilter = objectclass=*
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = x.x.x.x
pageSize = 800
port = 3268 (or 389)
realNameAttribute = quanta
userBaseDN = dc=example,dc=com;
userBaseFilter = objectclass=*
userNameAttribute = sAMAccountName
[roleMap]
admin =
can_delete =
power =
user =
Now, your statement about ‘got no response’ could be interpreted a couple of different ways, and since you (rightly so) obfuscated your domain controller settings before posting your conf file, I want to make sure that….
you are either targeting a specific domain controller with that ip.add, or you targeted the domain name and all of your domain controllers are reachable from your Splunk server over 389.
Please do not use 3268…that is Global Catalog, and while it does represent a subset of AD, it is not the domain bind point.
From your Splunk server, use the ldp.exe application to connect and bind to the same server represented by x.x.x.x in your conf file, using the same account as in the conf file. However, you should not use your own account there….create a service account without any additional privileges. You only have to bind to AD; you don’t need admin rights to authenticate a user. Confirm that you can connect, bind, and browse to the OU containing your user accounts using ldp.exe, and let me know the outcome.
For anyone not familiar with ldp.exe, here is a link to a pretty good, quick overview. http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm
Cheers,
Ed
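As an added example (not the post's or Splunk's own tooling), here is a small Python pre-flight check for the configuration mistakes the troubleshooting paragraphs in the post and Ed's reply describe: the Global Catalog port 3268 used as the bind point, an SSL flag that disagrees with the port, malformed base DNs, and roles mapped to no AD group. The conf text, host, bind account and group names are constructed.

```python
import configparser

# Constructed sample conf, modelled on the one posted in the comments; names are made up.
SAMPLE_CONF = """\
[authentication]
authSettings = LDAP auth to AD
authType = LDAP

[LDAP auth to AD]
SSLEnabled = 0
bindDN = svc-splunk-ldap@example.com
host = dc1.example.com
port = 3268
groupBaseDN = OU=Splunk Groups,DC=example,DC=com
userBaseDN = DC=example,DC=com
userNameAttribute = sAMAccountName

[roleMap]
admin =
user = Splunk Users
"""


def lint_authentication_conf(text):
    """Return a list of findings for the LDAP/AD mistakes discussed in the post."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase keys exactly as written
    cp.read_string(text)
    findings = []
    name = cp.get("authentication", "authSettings", fallback=None)
    if name is None or not cp.has_section(name):
        return ["authSettings does not name an existing LDAP stanza"]
    ldap = cp[name]
    port = ldap.get("port", "389").strip()
    ssl = ldap.get("SSLEnabled", "0").strip() == "1"
    if port in ("3268", "3269"):
        findings.append("port %s is the Global Catalog, not the domain bind point; "
                        "use 389 (or 636 with SSLEnabled = 1)" % port)
    if (ssl and port == "389") or (not ssl and port == "636"):
        findings.append("SSLEnabled = %d does not match port %s" % (ssl, port))
    for key in ("groupBaseDN", "userBaseDN"):
        # Splunk separates several base DNs with ';'; every RDN must be attr=value
        for dn in ldap.get(key, "").split(";"):
            if dn.strip() and not all("=" in rdn for rdn in dn.split(",")):
                findings.append("%s contains a malformed DN: %r" % (key, dn.strip()))
    if cp.has_section("roleMap"):
        for role, groups in cp["roleMap"].items():
            if not groups.strip():
                findings.append("roleMap: role %r is mapped to no AD group" % role)
    return findings
```

Run it against your own authentication.conf before reloading the authentication scheme, so you are not locked out chasing a typo with only the failsafe account.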