Splunk® Enterprise

Securing Splunk Enterprise

Configure LDAP with Splunk Web

This section describes how to configure LDAP through Splunk Web. If you want to configure LDAP by directly editing authentication.conf, see Configure LDAP with the configuration file.

There are three main steps to configuring LDAP with Splunk Web:

1. Create an LDAP strategy.

2. Map LDAP groups to Splunk roles.

3. Specify the connection order (for multiple LDAP servers only).

Create an LDAP strategy

To create an LDAP strategy:

1. Click Settings > Users and authentication > Access controls.

2. Click Authentication method.

3. Check LDAP.

4. Click Configure Splunk to use LDAP and map groups. This takes you to the LDAP strategies page.

5. Click New. This takes you to the Add new page.

6. Enter an LDAP strategy name for your configuration.

7. Enter the Host name of your LDAP server. Be sure that your Splunk Server can resolve the host name. Note: At this time, IPv6 address formats for Windows are not supported.

8. Enter the Port that Splunk Enterprise will use to connect to your LDAP server.

  • By default LDAP servers listen on TCP port 389.
  • LDAPS (LDAP with SSL) defaults to port 636.

9. To turn on SSL, check SSL enabled.

  • This setting is recommended for security.
  • You must also have SSL enabled on your LDAP server.

10. Enter the Bind DN.

  • This is the distinguished name used to bind to the LDAP server.
  • This is typically, but not necessarily, the administrator. This user needs to have read access to all LDAP user and group entries you want to retrieve.
  • Leave blank if anonymous bind is sufficient.

11. Enter and confirm the Bind DN password for the binding user.

12. Specify the User base DN. You can specify multiple user base DN entries by separating them with semicolons.

  • Splunk Enterprise uses this attribute to locate user information.
  • You must set this attribute for authentication to work.

13. Enter the User base filter for the object class you want to filter your users on.

  • This is recommended to return only applicable users. For example: (department=IT).
  • Default value is empty, meaning no user entry filtering.

14. Enter the User name attribute that contains the user name.

  • The username attribute cannot contain white spaces.
  • In Active Directory, this is typically sAMAccountName, but you can also authenticate on other attributes, like cn.
  • The value uid should work for most other configurations.

15. Enter the Real name attribute (common name) of the user.

  • Typical values are displayName or cn (common name).

16. Enter an Email attribute.

17. Enter the Group mapping attribute.

  • This is the user attribute that group entries use to define their members.
  • The default is dn for Active Directory; set this attribute only if groups are mapped using some other attribute besides user DN.
  • For example, a typical attribute used to map users to groups is dn.

18. Enter the Group base DN. You can specify multiple group base DN entries by separating them with semicolons.

  • This is the location of the user groups in LDAP.
  • If your LDAP environment does not have group entries, you can treat each user as its own group:
    • Set groupBaseDN to the same value as userBaseDN. This means you will search for groups in the same place as users.
    • Next, set the groupMemberAttribute and groupMappingAttribute to the same attribute as userNameAttribute. This means the entry, when treated as a group, will use the username value as its only member.
    • For clarity, you should probably also set groupNameAttribute to the same value as userNameAttribute.

Note: For best results when integrating Active Directory, place your Group Base DN in a separate hierarchy from the User Base DN.

19. Enter the Static group search filter for the object class you want to filter your static groups on.

  • This is recommended to return only applicable groups. For example: (|(objectclass=groupofNames)(objectclass=groupofUniqueNames))
  • Default value is empty, meaning no static group entry filtering.

20. Enter the Group name attribute.

  • This is the group entry attribute whose value stores the group name.
  • This is usually cn.

21. Enter the Static member attribute.

  • This is the group attribute whose values are the group's members.
  • This is typically member, uniqueMember, or memberUid.

22. To expand nested groups, check Nested groups.

  • This controls whether Splunk Enterprise will expand nested groups using the 'memberof' attribute. Only check this if you have nested groups that leverage the 'memberof' attribute to resolve their members. On OpenLDAP, you need to explicitly enable the 'memberof' overlay.

23. Enter the Dynamic group search filter to retrieve dynamic groups, if any.

  • This must match the object class of your dynamic groups definition to ensure that those groups get returned to Splunk. For example: (objectclass=groupOfURLs)
  • Default value is empty, meaning Splunk Enterprise will not look for dynamic group entries during authentication and authorization.

24. Enter the Dynamic member attribute.

  • This is the group attribute that uses the form of an LDAP search URL (such as ldap:///o=Acme, c=US??sub?(objectclass=person)) to define its members.
  • This is typically memberURL.

25. If you check Advanced settings, there are several additional options you can set:

  • Enable referrals with anonymous bind only.
    • This setting is on by default. Turn this off if you have no need for referrals.
    • Splunk can chase referrals with anonymous bind only. You must also have anonymous search enabled on your LDAP server.
    • If you are seeing long LDAP search timeouts (likely in Active Directory) and "Operations error" in splunkd.log for ScopedLDAPConnection, the issues might be related to referrals.
  • Search request size limit
    • To avoid performance-related issues, you can set the search request size limit. Splunk Enterprise will then request that the LDAP server return the specified maximum number of entries in response to a search request. In a large deployment with millions of users, setting this limit to a high value could result in a long response, depending on the search filter set in the LDAP strategy configuration. If this limit is reached, splunkd.log should contain a size limit exceeded message.
    • You should set the search request time limit and search request size limit values in conjunction with the splunkweb timeout property, described in Configure user session timeouts. If you have a group that is not showing up in the Splunk console, it was likely excluded due to one of these limits. Tune these properties as needed.
    • To set the request size limit higher than 1000, you must also edit max_users_to_precache in limits.conf to accommodate the number of users you set for your request size limit.
  • Search request time limit
    • To avoid performance-related issues, you can set the search request time limit. Splunk Enterprise will then request that the LDAP server complete its search within the specified number of seconds. In a large deployment with millions of users, setting this limit to a high value could cause Splunk Web to time out. If this limit is reached, splunkd.log should contain a time limit exceeded message.
    • You should set the search request time limit and search request size limit values in conjunction with the splunkweb timeout property, described in Configure user session timeouts. If you have a group that is not showing up in the Splunk console, it was likely excluded due to one of these limits. Tune these properties as needed.
  • Network socket timeout
    • This property is used to break the loop in the authentication chain when one of the LDAP servers in a multiple strategy configuration is unreachable due to network congestion or otherwise takes too long to respond. After waiting the specified number of seconds, the authentication process will continue with the next available strategy, if any.
    • When an LDAP strategy is first created, Splunk Enterprise validates the LDAP server/port and other parameters. If the LDAP server is down or one of the parameters cannot be validated at that time, the LDAP strategy does not get created.

26. Click Save.
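
An audit of a saved strategy against the recommendations in the steps above, as an added example (not Splunk's code). It reads the authentication.conf form of the strategy; the stanza names, hosts and finding codes are constructed for illustration, and the setting names are the authentication.conf counterparts of the Splunk Web fields.

```python
import configparser

# Constructed sample input, not taken from a real deployment.
SAMPLE_CONF = """
[authentication]
authType = LDAP
authSettings = corp_ldap,legacy_ldap

[corp_ldap]
host = ldap.example.com
port = 636
SSLEnabled = 1
bindDN = cn=splunk-svc,ou=service,dc=example,dc=com
userBaseDN = ou=people,dc=example,dc=com
userBaseFilter = (department=IT)
anonymous_referrals = 0
sizelimit = 1000

[legacy_ldap]
host = ldap-old.example.com
port = 389
SSLEnabled = 0
userBaseDN = ou=people,dc=example,dc=com
sizelimit = 5000
"""

def audit_strategies(conf_text):
    """Return {strategy name: [finding codes]} for every strategy in authSettings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names case-sensitive, as Splunk does
    cp.read_string(conf_text)
    results = {}
    for name in cp.get("authentication", "authSettings").split(","):
        s, found = cp[name.strip()], []
        if s.get("SSLEnabled", "0").strip().lower() not in ("1", "true"):
            found.append("ssl-disabled")        # step 9: SSL is recommended
        if not s.get("bindDN", "").strip():
            found.append("anonymous-bind")      # step 10: blank Bind DN
        if not s.get("userBaseFilter", "").strip():
            found.append("no-user-filter")      # step 13: filter is recommended
        if s.get("anonymous_referrals", "1").strip().lower() not in ("0", "false"):
            found.append("referrals-enabled")   # step 25: on unless turned off
        if int(s.get("sizelimit", "1000")) > 1000:
            found.append("check-max_users_to_precache")  # step 25: limits.conf
        results[name.strip()] = found
    return results

if __name__ == "__main__":
    for strategy, found in audit_strategies(SAMPLE_CONF).items():
        print(strategy, found or "ok")
```

A strategy with an empty finding list follows every recommendation the steps make; each code names the step to revisit in Splunk Web.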

Map your new LDAP groups to Splunk roles

Once you have configured Splunk Enterprise to authenticate via your LDAP server, map your LDAP groups to Splunk roles. If you do not use groups, you can map users individually.

Note: You can map either users or groups, but not both. If you are using groups, all users must be members of an appropriate group. Groups inherit capabilities from the highest level role they're a member of.

All users are visible in the Users page in Splunk Manager. To assign roles to groups in Splunk Web:

1. From the main menu, select System > Users and Authentication > Access Controls.

2. In the Access Controls page, click Authentication method.

3. Select the LDAP radio button then click Configure Splunk to use LDAP and map groups. This takes you to the LDAP strategies page.

4. Click Map groups in the Actions column for a specific strategy. This takes you to the LDAP Groups page. You can use the search field in the upper right corner of the page to qualify the list of groups; for example, to search for groups containing specific users.

5. Click on a group name. This takes you to the mapping page, which includes a list of available roles and a list of LDAP users for that group.

6. To map a role to a group, click the arrow to the left of a role in the "Available Roles" list. This moves the group into the "Selected Roles" list. You can map multiple roles to the group.

7. Click Save. This takes you back to the LDAP Groups page.

8. Repeat the process for each group that you want to assign Splunk roles to.

Specify the server connection order

If you have enabled multiple LDAP strategies, you can specify the order in which Splunk Enterprise searches their servers to find a user, as described in How Splunk works with multiple LDAP servers.

By default, Splunk Enterprise searches the servers in the order in which they were enabled. To change the connection (search) order, you need to edit the properties for each strategy individually:

1. From the main menu, select System > Users and Authentication > Access Controls.

2. Click Authentication method.

3. Select the LDAP radio button.

4. Click Configure Splunk to use LDAP and map groups. This takes you to the LDAP strategies page.

5. Click on the strategy whose connection order you want to specify. This takes you to the properties page for that strategy.

6. Edit the Connection order field near the top of the page. This field appears only if multiple strategies are enabled.

Note: The Connection order field does not appear when you initially create the strategy. It only appears when you later edit its properties. Also, the field will be grayed out if the strategy has been disabled.

7. Click Save.

8. Repeat the process for any other enabled strategy whose connection order you want to change.

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.2.0


Comments

1. Click Settings > Users and authentication > Access controls
This is not correct. It should be
1. Click Settings > Access controls > Users and authentication

Yahuja splunk, Splunker
April 12, 2017
