Forums: SplunkAdministration: How to Get ActiveDirectory Authentication Method?


On our 3.4.9 server if you go to Admin -> Server -> Authentication Configuration there are three options available in the “Set authentication method” drop down box. They are Splunk, LDAP and ActiveDirectory. We use ActiveDirectory and it works fine.

I am setting up a test 3.4.9 system. On the test system the “Set authentication method” drop down box does not list ActiveDirectory as an option. How do I get the ActiveDirectory option?

Alternatively, I copied over the authentication.conf file from production to the test server and restarted Splunk, but that fails. The splunkd.log indicates “Bind failed '49' 'Invalid credentials'”, and the corresponding Windows AD security log confirms authentication failed. However, I know the syntax is correct because it works on another server, and I also know the credentials are good. I must be missing something. Please help!

Your credentials are invalid when moved to another server because each server generates its own encryption key. So the encrypted password in the copied file won't work. You can just edit the file and put the cleartext password in, or retype it in the GUI, or just recreate the entire authentication method manually by retyping the same values in the new system.

Thank you gkanapathy! The information you provided got me on track. However, there were two areas that derailed me and I thought I would share for the benefit of others. I may have also identified a bug.

1 - When LDAP is set up you must provide an "LDAP strategy name", which is some arbitrary name. After you save your settings this name is displayed in the "Set authentication method" drop down box. So now along with the authentication methods of Splunk and LDAP you have your added "LDAP strategy name". In our case the arbitrary name given was ActiveDirectory. I thought this was another authentication method, but instead it is more of an LDAP saved subset. For someone viewing this who didn't set it up it can be confusing. I propose the GUI could better reflect the setup.

2 - After LDAP is set up the failsafe and binddn passwords are stored in the authentication.conf file. As pointed out by gkanapathy, the password is encrypted. However, I was certain it was stored in clear text and I had the correct password because I could log in using the credentials in authentication.conf. This means that you can actually log in using the actual password or the encrypted key. This confused me, but it also seems to me this is a flaw. What is the point of encrypting it if you can log in using the encrypted key?

Furthermore, on our two Splunk servers I used the same failsafe username and password entered via the web GUI. Both of the passwords are stored in authentication.conf, and are encrypted and different. However, I can log into the test server using the password and either of the two encrypted keys. This again appears to be a flaw, although not being an expert in this area maybe I am just missing something.
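A constructed model of what the two replies above describe (an added example, not Splunk's actual algorithm, file format or code): every server holds its own random key, so a password encrypted on production cannot be recovered on the test server, re-entering the cleartext lets the local server encrypt it under its own key, and a login check that compares only against the decrypted value never accepts the stored ciphertext as a password. The `$enc$` prefix and all function names are assumptions made for this example.

```python
import hmac, hashlib, secrets
from typing import Optional

# Toy per-server config encryption (constructed for this example; not Splunk's
# real scheme). A value encrypted under one server's key cannot be read with
# another server's key, which is why a copied authentication.conf fails to bind.

def new_server_key() -> bytes:
    return secrets.token_bytes(32)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:  # HMAC-SHA256 in counter mode as a stream cipher
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(key: bytes, plaintext: str) -> str:
    data, nonce = plaintext.encode(), secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]  # authenticates ciphertext
    return "$enc$" + (nonce + ct + tag).hex()

def decrypt(key: bytes, stored: str) -> Optional[str]:
    """Plaintext of a stored value, or None if it was encrypted under another key."""
    if not stored.startswith("$enc$"):
        return stored  # cleartext in the file: the server encrypts it on its next save
    raw = bytes.fromhex(stored[5:])
    nonce, ct, tag = raw[:12], raw[12:-16], raw[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        return None  # wrong key: the copied value is unusable on this server
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def check_password(key: bytes, stored: str, supplied: str) -> bool:
    # Compare against the decrypted plaintext only, so presenting the encrypted
    # string from authentication.conf (the behaviour reported above) is rejected.
    plain = decrypt(key, stored)
    return plain is not None and hmac.compare_digest(plain.encode(), supplied.encode())

def copied_conf_scenario(password: str = "S3cret!") -> dict:
    prod_key, test_key = new_server_key(), new_server_key()
    stored_on_prod = encrypt(prod_key, password)          # value in production's conf
    return {
        "prod_decrypts": decrypt(prod_key, stored_on_prod) == password,
        "test_reads_copied_value": decrypt(test_key, stored_on_prod) is not None,  # False
        "test_after_cleartext_reentry": check_password(test_key, encrypt(test_key, password), password),
        "ciphertext_accepted_as_password": check_password(prod_key, stored_on_prod, stored_on_prod),
    }
```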