The venerable old-skool Splunk forums are now closed. Feel free to search for old content here, but new posts are no longer supported.

Instead, please visit the thriving community at answers.splunk.com to ask and answer questions about your Splunk deployment and how to get the most out of it.

Forums: SplunkAdministration: Authenticating against Apple's Open directory

Previous Topic: Search Browser time in UTC (timezone?)  |   Next Topic: Extract Text giving odd results


Posts 1–3 of 3
1
posted by: tnine  |  posts
date: August 5, 2009
permalink

Hi all,
I'm test driving the new 4.0.2 and having some trouble getting our LDAP setup working. I have correctly entered our user dn and group dn, as well as the administrator password for LDAP searches. I've validated our connection with the following commands.

ldapsearch -x -h 10.0.1.11 -b "cn=users, dc=foo, dc=local" -D "uid=diradmin,cn=users,dc=foo, dc=local" -W

and

ldapsearch -x -h 10.0.1.11 -b "cn=groups, dc=foo, dc=local" -D "uid=diradmin,cn=users,dc=foo, dc=local" -W

I've then mapped the LDAP group "admin" to have all the splunk roles. I'm a member of group admin and the attribute on the group entry is "memberUid" which maps to the user's "uid". These settings work fine for redmine, but whenever I try to log in I only get the following output in the logs.

08-06-2009 16:23:11.369 ERROR authenticationManagerLDAP - Unable to find user 'toddnine', please check user mappings.
08-06-2009 16:23:11.369 ERROR UserManager - Auth check failed for user 'toddnine'

Is there any way I can turn on a more verbose logging to see exactly what it's failing to find?

Thanks,
Todd

[Revised on Wed, 05 Aug 2009 21:38:30 -0700]

Here are my config settings

[authentication]
authSettings = OpenDirectoryLDAP
authType = LDAP
[OpenDirectoryLDAP]
SSLEnabled = 0
bindDN = uid=diradmin,cn=users,dc=foo,dc=local
bindDNpassword = <removed>
failsafeLogin = admin
failsafePassword = <removed>
groupBaseDN = cn=groups,dc=foo,dc=local;
groupBaseFilter =
groupMappingAttribute = uid
groupMemberAttribute = memberUid
groupNameAttribute = cn
host = 10.0.1.11
pageSize = 800
port = 389
realNameAttribute = cn
userBaseDN = cn=users,dc=foo,dc=local;
userBaseFilter =
userNameAttribute = uid
[roleMap]
admin = admin;
can_delete = admin;
power = admin;powerusers;
user = admin;powerusers;users;

Here is my user's ldap entry

Distinguished Name: uid=toddnine,cn=users,dc=spidertracks,dc=local
Login Name: toddnine
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
Full Name: Todd Nine
userPassword:
givenName: Todd
Email: todd@spidertracks.co.nz
Last Name: Nine

Here's my admin group's entry

  1. admin, groups, spidertracks.local

dn: cn=admin,cn=groups,dc=spidertracks,dc=local
cn: admin
apple-group-realname: Open Directory Administrators
gidNumber: 80
memberUid: root
memberUid: diradmin
memberUid: jamesmccarthy
memberUid: toddnine
apple-generateduid: 3BEBE8D7-3813-4B0F-91ED-BC1635EBB0FC
apple-group-memberguid: FAB6F347-C4EE-44C5-B80F-E6DDBA0B390D
apple-group-memberguid: C4364E7C-F93B-4F2B-971C-077DD27F2F86
apple-group-memberguid: C819DE4B-1218-4601-9E5E-80670C288408
apple-group-memberguid: 1C5E06B4-4565-4238-9765-B10797CBADC0
objectClass: posixGroup
objectClass: apple-group
objectClass: extensibleObject

2
posted by: tphi  |  posts
date: August 6, 2009
permalink

Hi Todd,

I see a few issue with your configuration currently:

1) Try setting the value of groupMappingAttribute to dn
2) I don't see uid attribute in your user entry. If the attribute doesn't exist in your entry, it should not be used in the config - doublecheck the value you are using for username.
3) I also don't see the cn attribute in your user entry. (Perhaps you didn't post the complete entry?) If the entry actually does not contain the cn attr, try setting the value of realNameAttribute to FullName.

You can enable DEBUG logging for 'authenticationManagerLDAP' from the UI (Manager >> System Logging).

If you continue to have issues with the configuration, please open a ticket by sending email to support@splunk.com. Provide the local/authentication.conf file and the splunkd.log containing the DEBUG log lines.

Tina

3
posted by: tnine  |  posts
date: August 6, 2009
permalink

1) My attribute within the group that points to my username (toddnine) is "memberUid". What does setting it to dn actually do? I've tried this but it didnt' seem to help

2) Here's a more complete entry from ldapsearch . I know my user settings are correct as we have 2 other systems (redmine and apache for svn) authenticating against the user settings. The problem seems to be with the groups. Here is a more complete output for my user from ldapsearch.

  1. toddnine, users, spidertracks.local

dn: uid=toddnine,cn=users,dc=spidertracks,dc=local
uid: toddnine
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
apple-generateduid: 1C5E06B4-4565-4238-9765-B10797CBADC0
cn: Todd Nine
userPassword:: <removed>
uidNumber: 1029
gidNumber: 20

It works with my current settings. It just seems I needed to restart my splunk server, then everything worked as intended.