Forums: SplunkAdministration: Authenticating against Apple's Open directory

Hi all,
I'm test driving the new 4.0.2 and having some trouble getting our LDAP setup working. I have correctly entered our user dn and group dn, as well as the administrator password for LDAP searches. I've validated our connection with the following commands.

ldapsearch -x -h 10.0.1.11 -b "cn=users, dc=foo, dc=local" -D "uid=diradmin,cn=users,dc=foo, dc=local" -W

and

ldapsearch -x -h 10.0.1.11 -b "cn=groups, dc=foo, dc=local" -D "uid=diradmin,cn=users,dc=foo, dc=local" -W

I've then mapped the LDAP group "admin" to have all the splunk roles. I'm a member of group admin and the attribute on the group entry is "memberUid" which maps to the user's "uid". These settings work fine for redmine, but whenever I try to log in I only get the following output in the logs.

08-06-2009 16:23:11.369 ERROR authenticationManagerLDAP - Unable to find user 'toddnine', please check user mappings.
08-06-2009 16:23:11.369 ERROR UserManager - Auth check failed for user 'toddnine'

Is there any way I can turn on a more verbose logging to see exactly what it's failing to find?

Thanks,
Todd

[Revised on Wed, 05 Aug 2009 21:38:30 -0700]

Here are my config settings

[authentication]
authSettings = OpenDirectoryLDAP
authType = LDAP
[OpenDirectoryLDAP]
SSLEnabled = 0
bindDN = uid=diradmin,cn=users,dc=foo,dc=local
bindDNpassword = <removed>
failsafeLogin = admin
failsafePassword = <removed>
groupBaseDN = cn=groups,dc=foo,dc=local;
groupBaseFilter =
groupMappingAttribute = uid
groupMemberAttribute = memberUid
groupNameAttribute = cn
host = 10.0.1.11
pageSize = 800
port = 389
realNameAttribute = cn
userBaseDN = cn=users,dc=foo,dc=local;
userBaseFilter =
userNameAttribute = uid
[roleMap]
admin = admin;
can_delete = admin;
power = admin;powerusers;
user = admin;powerusers;users;

Here is my user's ldap entry

Distinguished Name: uid=toddnine,cn=users,dc=spidertracks,dc=local
Login Name: toddnine
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
Full Name: Todd Nine
userPassword:
givenName: Todd
Email: todd@spidertracks.co.nz
Last Name: Nine

Here's my admin group's entry

1. admin, groups, spidertracks.local

dn: cn=admin,cn=groups,dc=spidertracks,dc=local
cn: admin
apple-group-realname: Open Directory Administrators
gidNumber: 80
memberUid: root
memberUid: diradmin
memberUid: jamesmccarthy
memberUid: toddnine
apple-generateduid: 3BEBE8D7-3813-4B0F-91ED-BC1635EBB0FC
apple-group-memberguid: FAB6F347-C4EE-44C5-B80F-E6DDBA0B390D
apple-group-memberguid: C4364E7C-F93B-4F2B-971C-077DD27F2F86
apple-group-memberguid: C819DE4B-1218-4601-9E5E-80670C288408
apple-group-memberguid: 1C5E06B4-4565-4238-9765-B10797CBADC0
objectClass: posixGroup
objectClass: apple-group
objectClass: extensibleObject

Hi Todd,

I see a few issue with your configuration currently:

1) Try setting the value of groupMappingAttribute to dn
2) I don't see uid attribute in your user entry. If the attribute doesn't exist in your entry, it should not be used in the config - doublecheck the value you are using for username.
3) I also don't see the cn attribute in your user entry. (Perhaps you didn't post the complete entry?) If the entry actually does not contain the cn attr, try setting the value of realNameAttribute to FullName.

You can enable DEBUG logging for 'authenticationManagerLDAP' from the UI (Manager >> System Logging).

If you continue to have issues with the configuration, please open a ticket by sending email to support@splunk.com. Provide the local/authentication.conf file and the splunkd.log containing the DEBUG log lines.

Tina