Four blog posts and three of them relate to LDAP. This must be a complicated topic! It can be and that is why I break it up into chunks that should be easier to digest.
This post will be short and sweet. I want to provide a few examples of userBaseFilters and groupBaseFilters that you can use in your configuration to make your Splunk experience, hopefully, better.
When you specify a userBaseDN or groupBaseDN without a filter, you are asking your LDAP server to return all entries residing beneath the specified baseDN. In 99.9999999999% of cases, you don’t actually want all entries. This is where *BaseFilter configuration comes in handy. Now, let’s go right to the examples:
If you’re using AD, you can use the following userBaseFilter to return ALL person-type entries that are NOT disabled (We can thank our friend Gerald K. for this one):
userBaseFilter = (&(objectcategory=person)(objectclass=user)(!(userAccountControl:1.2.840.1135184.108.40.2063:=2)))
A method that I have suggested is to use the memberOf attribute as a filter. If your user entries contain this attribute, it consists of the DN for the group that the user is a “member of”. In this following example I list out 3 memberOf values to filter on:
userBaseFilter = (|(memberOf=CN=Splunk Admins,OU=Groups,DC=splunksupport,DC=com)(memberOf=CN=Splunk Power Users,OU=Groups,DC=splunksupport,DC=com)(memberOf=CN=Splunk Users,OU=Groups,DC=splunksupport,DC=com))
Please feel free to comment with your own examples!