Comments on: howto://Configure Splunk to use AD groups http://retrohack.com/howtoconfigure-splunk-to-use-ad-groups/ lest the tubes become overfull Sat, 04 Feb 2012 23:34:46 +0000 hourly 1 http://wordpress.org/?v= By: Ed Fisherhttp://retrohack.com/howtoconfigure-splunk-to-use-ad-groups/comment-page-1/#comment-92 Ed Fisher Wed, 20 Jan 2010 15:38:55 +0000 http://retrohack.com/howtoconfigure-splunk-to-use-ad-groups/#comment-92 Hi Quanta, First, I am going to post what you had at the Splunk forum for anyone else to review. Here is my authentication.conf file:[authentication] authSettings = LDAP auth to AD authType = LDAP[LDAP auth to AD] SSLEnabled = 0 bindDN = quan.ta@example.com bindDNpassword = $1$+wRV4vhO24Mh charset = utf8 failsafeLogin = admin failsafePassword = $1$4jFX5/EG4Q== groupBaseDN = OU=xx,DC=example,DC=com; groupBaseFilter = objectclass=* groupMappingAttribute = dn groupMemberAttribute = member groupNameAttribute = cn host = x.x.x.x pageSize = 800 port = 3268 (or 389) realNameAttribute = quanta userBaseDN = dc=example,dc=com; userBaseFilter = objectclass=* userNameAttribute = sAMAccountName[roleMap] admin = can_delete = power = user =Now, your statement about 'got no response' could be interpreted a couple of different ways, and since you (rightly so) obsfucated your domain controller settings before posting your conf file, I want to make sure that.... you are either targeting a specific domain controller with that ip.add, or you targeted the domain name and all of your domain controllers are reachable from your Splunk server over 389. Please do not use 3268...that is Global Catalog, and while it does represent a subset of AD, it is not the domain bind point. From your Splunk server, use the ldp.exe application to connect and bind to the same server represented by x.x.x.x in your conf file, using the same account as in the conf file. However, you should not use your own account there....create a service account without any additional privileges. You only have to bind to AD; you don't need admin rights to authenticate a user. Confirm that you can connect, bind, and browse to the OU containing your user accounts using ldp.exe, and let me know the outcome. For anyone not familiar with ldp.exe, here is a link to a pretty good, quick overview. http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm Cheers, Ed Hi Quanta,
First, I am going to post what you had at the Splunk forum for anyone else to review.
Here is my authentication.conf file:

[authentication]
authSettings = LDAP auth to AD
authType = LDAP

[LDAP auth to AD]
SSLEnabled = 0
bindDN = quan.ta@example.com
bindDNpassword = $1$+wRV4vhO24Mh
charset = utf8
failsafeLogin = admin
failsafePassword = $1$4jFX5/EG4Q==
groupBaseDN = OU=xx,DC=example,DC=com;
groupBaseFilter = objectclass=*
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = x.x.x.x
pageSize = 800
port = 3268 (or 389)
realNameAttribute = quanta
userBaseDN = dc=example,dc=com;
userBaseFilter = objectclass=*
userNameAttribute = sAMAccountName

[roleMap]
admin =
can_delete =
power =
user =

Now, your statement about ‘got no response’ could be interpreted a couple of different ways, and since you (rightly so) obsfucated your domain controller settings before posting your conf file, I want to make sure that….
you are either targeting a specific domain controller with that ip.add, or you targeted the domain name and all of your domain controllers are reachable from your Splunk server over 389.
Please do not use 3268…that is Global Catalog, and while it does represent a subset of AD, it is not the domain bind point.
From your Splunk server, use the ldp.exe application to connect and bind to the same server represented by x.x.x.x in your conf file, using the same account as in the conf file. However, you should not use your own account there….create a service account without any additional privileges. You only have to bind to AD; you don’t need admin rights to authenticate a user. Confirm that you can connect, bind, and browse to the OU containing your user accounts using ldp.exe, and let me know the outcome.
For anyone not familiar with ldp.exe, here is a link to a pretty good, quick overview. http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm
Cheers,
Ed

]]> By: quantahttp://retrohack.com/howtoconfigure-splunk-to-use-ad-groups/comment-page-1/#comment-89 quanta Tue, 19 Jan 2010 11:00:17 +0000 http://retrohack.com/howtoconfigure-splunk-to-use-ad-groups/#comment-89 Hi edfisher,Thanks for your help.a) I already tried set port to 389 (You can see it in my previous post). b) I am sure. (and to more sure I have added available roles to "all" group) c) I tried but still get "Invalid user or password" error.I also tried to using Wireshark on AD server with filter option "src host and dst port 389 or 3268" but I got no response. Hi edfisher,

Thanks for your help.

a) I already tried set port to 389 (You can see it in my previous post).
b) I am sure. (and to more sure I have added available roles to “all” group)
c) I tried but still get “Invalid user or password” error.

I also tried to using Wireshark on AD server with filter option “src host and dst port 389 or 3268″ but I got no response.

]]> By: Ed Fisherhttp://retrohack.com/howtoconfigure-splunk-to-use-ad-groups/comment-page-1/#comment-77 Ed Fisher Fri, 15 Jan 2010 12:59:26 +0000 http://retrohack.com/howtoconfigure-splunk-to-use-ad-groups/#comment-77 Quanta, Hi Quanta, Check the following and let me know by reply here or at http://www.splunk.com/support/forum:SplunkGeneral/674/12637#post (preferably both.) I wish you had posted as much detail here as in the Splunk forum, but the pingback let me find you :-)That you can see all the groups listed is great! That's the hard part, so now we just need to get your user login squared away.a) set your port to 389. b) confirm that your user account is a member of the group you added the roles to c) try logging on only as quan.ta, omitting the domain.Keeping fingers crossed for you. Ed Quanta,
Hi Quanta,
Check the following and let me know by reply here or at http://www.splunk.com/support/forum:SplunkGeneral/674/12637#post (preferably both.) I wish you had posted as much detail here as in the Splunk forum, but the pingback let me find you :-)

That you can see all the groups listed is great! That’s the hard part, so now we just need to get your user login squared away.

a) set your port to 389.
b) confirm that your user account is a member of the group you added the roles to
c) try logging on only as quan.ta, omitting the domain.

Keeping fingers crossed for you.
Ed

]]> By: quantahttp://retrohack.com/howtoconfigure-splunk-to-use-ad-groups/comment-page-1/#comment-76 quanta Thu, 14 Jan 2010 07:25:55 +0000 http://retrohack.com/howtoconfigure-splunk-to-use-ad-groups/#comment-76 Hi,At step 5, I can see all the groups in my OU. After that, I added all available roles to the group I want. Save, logout and restart Splunk (for sure) but I cannot log on with my domain account (example.com\quan.ta or example\quan.ta). Can you help me? Hi,

At step 5, I can see all the groups in my OU. After that, I added all available roles to the group I want. Save, logout and restart Splunk (for sure) but I cannot log on with my domain account (example.com\quan.ta or example\quan.ta). Can you help me?

]]>