
Splunk - LDAP Integration - AuthenticationManagerLDAP Couldn't find matching groups and UserManagerPro - LDAP Login failed / none are mapped to Splunk


Splunk 7.0.2

Instead of creating Splunk internal users, I'm trying to integrate LDAP with Splunk, but I'm getting the following error messages (from tail -f splunkd.log):

05-02-2018 23:17:08.235 +0000 ERROR AuthenticationManagerLDAP - Couldn't find matching groups for user="1122345". Search filter="(cn=CN=Nooka\5C, Chuck,OU=Users,OU=Ov)" strategy="Centrify-Based-LDAP"
05-02-2018 23:17:08.235 +0000 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="1122345" on any configured servers
05-02-2018 23:17:08.236 +0000 ERROR UiAuth - user=1122345 action=login status=failure reason=user-initiated useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.ientip=137.11.121.234

I referred to the documentation (http://docs.splunk.com/Documentation/Splunk/7.0.3/Security/ConfigureLDAPwithSplunkWeb) but it didn't help much. I tried some other posts here and online with various values for the LDAP settings (fields etc.) but am still getting the error.

Snapshot of the LDAP settings: [screenshots]


Solution

  • After a bit of digging, I was able to solve it.

    Solution steps:

    1) Changed the Static member attribute field under Group Settings to member [screenshot]

    Doing that resolved the error from my post, but I got another error, which was more like a hint about what I had to do next.

    ERROR AuthenticationManagerLDAP user X has matching LDAP groups with strategy Y, but none are mapped to Splunk

    05-02-2018 23:49:59.343 +0000 ERROR AuthenticationManagerLDAP - user="1122345" has matching LDAP groups with strategy="Centrify-Based-LDAP", but none are mapped to Splunk
    05-02-2018 23:49:59.343 +0000 ERROR UserManagerPro - LDAP Login failed, could not find a valid user="1122345" on any configured servers
    05-02-2018 23:49:59.343 +0000 ERROR UiAuth - user=1122345 action=login status=failure reason=user-initiated useragent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.ientip=137.11.121.234
    

    2) To solve this new error, as was obvious, I had to log in to Splunk as admin (or any other elevated user) who can perform the following sub-steps:

    a) From the top menu bar, click on Settings > Access Control (under USERS and AUTHENTICATION) > Authentication Method > LDAP Settings (with the External - LDAP radio button selected), and that took me to this page: [screenshot]

    b) Click on Map groups (under Actions), then click on the team group, i.e. in my case the value listed for the name of the LDAP group under the LDAP Group Name header.

    That took me to this page, where you can double click on the available inbuilt or custom created roles (in Splunk) from the left "Available Roles" box to copy them to the right side box "Selected Roles" and click Save.

    PS: I granted both "user" and "power" role to the LDAP group, but you can just give "user" if you want to.

    [screenshot]

    c) Retried login with my ID and LDAP password and it worked!!

    d) NOTE: After the above LDAP settings, some users were able to log in via their LDAP credentials (ex: userID 11223344) but a few others couldn't (ex: userID hira12345). The users who couldn't log in successfully had User Base DN values different from those of the users who were able to log in successfully. To fix that, I had to change the User Base DN value to exclude the first 2 top-level OU=.. values; thereafter I added the following configuration (as shown in the screenshot). Now all users are able to log in successfully.

    You can also tweak the value inside the Group Base DN field to keep only 'DC=xxx,DC=yyy', i.e. set a more common search path (the one set inside LDAP for most of the users (employees/contractors/etc.) in your company).

    That way, Splunk's LDAP configuration for 'mapping' a group will list more LDAP Group Names.

    You can find that information by running the following ldapsearch command, to find what the common value is for every user ID. Look for lines which contain memberOf:, dn: or distinguishedName:. The most important one is memberOf:.

    Ex: ldapsearch command, where $p contains the password for the CN=..user.. listed below. You can keep any level or sub-level in the command below according to your needs.

    ldapsearch -D "CN=someServiceAccountAuthenticationUser,OU=Admin_Account,OU=Users,OU=top1,DC=level1,DC=level2,DC=level3" -w $p -p 389 -h myldap-server-ld01  -b "DC=level1,DC=level2,DC=level3" -s sub "put_a_valid_ldap_userID_here"
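To work out the common search path the answer talks about, here is an added Python example (not from the original post): it parses the LDIF that ldapsearch prints, splits DNs correctly even when an RDN contains an escaped comma (as the CN in the splunkd.log search filter above does), and computes the shared suffix of the user DNs and of the memberOf group DNs, plus the users that carry no memberOf at all. The LDIF it reads is constructed sample data; the OU/DC names are placeholders.

```python
import re

# Assumes plain ldapsearch LDIF output; LDIF line folding and base64 ('::')
# values are not handled. Constructed sample data, not real directory output.
SAMPLE_LDIF = """\
dn: CN=Nooka\\, Chuck,OU=Users,OU=Ov,OU=top1,DC=level1,DC=level2,DC=level3
memberOf: CN=splunk-users,OU=Groups,OU=top1,DC=level1,DC=level2,DC=level3

dn: CN=hira12345,OU=Contractors,OU=top2,DC=level1,DC=level2,DC=level3
memberOf: CN=splunk-users,OU=Groups,OU=top1,DC=level1,DC=level2,DC=level3
memberOf: CN=vpn-users,OU=Groups,OU=top1,DC=level1,DC=level2,DC=level3

dn: CN=svc-nogroups,OU=Service,OU=top2,DC=level1,DC=level2,DC=level3
"""

def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped, so an RDN such as
    'CN=Nooka\\, Chuck' (the one in the splunkd.log filter) stays whole."""
    return [rdn.strip() for rdn in re.findall(r'(?:\\.|[^,])+', dn)]

def common_base_dn(dns):
    """Longest RDN suffix (case-insensitive, as AD compares) shared by all DNs."""
    suffix = []
    for level in zip(*[split_rdns(d)[::-1] for d in dns]):
        if len({rdn.lower() for rdn in level}) != 1:
            break
        suffix.append(level[0])
    return ','.join(reversed(suffix))

def parse_ldif(text):
    """[{'dn': ..., 'memberOf': [...]}, ...]; entries are blank-line separated.
    Comment lines and 'search:'/'result:' trailers carry no dn and are skipped."""
    entries = []
    for block in text.strip().split('\n\n'):
        attrs = [line.partition(':') for line in block.splitlines()]
        dns = [v.strip() for a, _, v in attrs if a == 'dn']
        groups = [v.strip() for a, _, v in attrs if a == 'memberOf']
        if dns:
            entries.append({'dn': dns[0], 'memberOf': groups})
    return entries

def suggest_base_dns(ldif_text):
    """Suggested Splunk User/Group Base DN, plus users with no memberOf at all."""
    entries = parse_ldif(ldif_text)
    return {'user_base_dn': common_base_dn([e['dn'] for e in entries]),
            'group_base_dn': common_base_dn({g for e in entries for g in e['memberOf']}),
            'users_without_groups': [e['dn'] for e in entries if not e['memberOf']]}
```

Feed it the real output of the ldapsearch command above (`ldapsearch ... > users.ldif`, then `suggest_base_dns(open('users.ldif').read())`); a user listed under users_without_groups will still hit "Couldn't find matching groups" no matter how the base DNs are set.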