Splunk and Active Directory Nested Groups for Authorization

Starting with Splunk 4.3, customers can configure multiple LDAP repositories for authentication and authorization. Multiple LDAP strategies are tested and supported for authn/authz against the following commercial and open-source LDAP servers:

  • Microsoft Active Directory (Windows Server 2003 and 2008 R2)
  • Oracle Directory Server Enterprise Edition
  • OpenLDAP 2.4
  • OpenDS 2.2

In Splunk 4.3+, an LDAP strategy can be configured for authentication and authorization using standard LDAP group types, including:

  • Static groups with the member attribute
  • Static groups with the uniqueMember attribute
  • Dynamic groups with the memberURL attribute
  • OpenLDAP nested groups containing static or dynamic groups
  • Active Directory nested groups

In this post let me walk you through creating an LDAP strategy and configuring it for nested-group-based authorization. To follow along you should be familiar with Active Directory (AD) concepts and have an AD server with appropriate nested groups. Creating groups and assigning members is governed by your organization's IT policies; Splunk simply consumes the membership associations as configured on the AD server.

With the factory defaults, creating an LDAP strategy does not enable nested group support for authorization. You have to explicitly check the box labeled "Nested groups".

If you did not check this box when creating the LDAP strategy, members of nested groups will not participate in the authorization process, and they will not show up in Splunk Web either.

Nested groups are an LDAP feature that not every vendor supports; Splunk has been tested with the Microsoft Active Directory and OpenLDAP implementations. In my testing I used the following group definitions for authorization.

A static group named "Developer Group" with two members, identified by the member attribute:

dn: CN=Developer Group,OU=groups,DC=qa,DC=ad2008r2,DC=com
objectClass: top
objectClass: group
cn: Developer Group
member: CN=kavin indirajith,CN=Users,DC=qa,DC=ad2008r2,DC=com
member: CN=Chandana Rangavajhala,CN=Users,DC=qa,DC=ad2008r2,DC=com
distinguishedName: CN=Developer Group,OU=groups,DC=qa,DC=ad2008r2,DC=com
instanceType: 4
whenCreated: 20110820024354.0Z
whenChanged: 20110909160854.0Z
uSNCreated: 50606
uSNChanged: 1135228
name: Developer Group
objectGUID:: l1HIUi2AYkq7E39ZIWwe5g==
objectSid:: AQUAAAAAAAUVAAAAlhfxuiwg3PxcHIjeWAQAAA==
sAMAccountName: Developers
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=qa,DC=ad2008r2,DC=com
dSCorePropagationData: 16010101000000.0Z

A static group named "QA Group" with one member:

dn: CN=QA Group,OU=groups,DC=qa,DC=ad2008r2,DC=com
objectClass: top
objectClass: group
cn: QA Group
description: this is my group no
member: CN=Indira thangasamy,CN=Users,DC=qa,DC=ad2008r2,DC=com
distinguishedName: CN=QA Group,OU=groups,DC=qa,DC=ad2008r2,DC=com
instanceType: 4
whenCreated: 20110820024421.0Z
whenChanged: 20111006175115.0Z
uSNCreated: 50610
uSNChanged: 1147746
name: QA Group
objectGUID:: OSdVaVzHYEqYvCcvtr3SWw==
objectSid:: AQUAAAAAAAUVAAAAlhfxuiwg3PxcHIjeWQQAAA==
sAMAccountName: QA Group
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=qa,DC=ad2008r2,DC=com
dSCorePropagationData: 16010101000000.0Z

And a third group that encompasses both of the groups above. Mapping just this one group to a Splunk role authorizes users from both the QA Group and the Developer Group; there is no need to map the two static groups separately. Mapping "Nested Eng Group" implicitly authorizes users from the Developer and QA groups because those groups are members of it.

dn: CN=Nested Eng Group,OU=groups,DC=qa,DC=ad2008r2,DC=com
objectClass: top
objectClass: group
cn: Nested Eng Group
member: CN=Jeff Chapman,CN=Users,DC=qa,DC=ad2008r2,DC=com
member: CN=QA Group,OU=groups,DC=qa,DC=ad2008r2,DC=com
member: CN=Developer Group,OU=groups,DC=qa,DC=ad2008r2,DC=com
distinguishedName: CN=Nested Eng Group,OU=groups,DC=qa,DC=ad2008r2,DC=com
instanceType: 4
whenCreated: 20110820024512.0Z
whenChanged: 20111006175334.0Z
uSNCreated: 50616
uSNChanged: 1147752
name: Nested Eng Group
objectGUID:: el/rfCQC8EKG1Ti1t90KEw==
objectSid:: AQUAAAAAAAUVAAAAlhfxuiwg3PxcHIjeWgQAAA==
sAMAccountName: Nested Eng Group
sAMAccountType: 268435456
groupType: -2147483646
objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=qa,DC=ad2008r2,DC=com
dSCorePropagationData: 16010101000000.0Z

With these settings, when you map groups for this LDAP strategy, all the groups show up in the group mapping page regardless of whether nested group support is enabled.

The effect of leaving the Nested groups box unchecked shows up in the member list during the mapping step. For example, if you click on Nested Eng Group with nested groups disabled, the member entries QA Group and Developer Group are listed as members, instead of the user identities inside them.

This is because Splunk did not try to resolve the membership of the member groups, as instructed by the configuration parameter nestedGroups = 0 (nested group support disabled). Once you enable nested group support, the member groups resolve into their respective users.
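To make concrete what the nestedGroups switch changes, here is an added example (my own code, not Splunk's) that parses the three groups above from a constructed LDIF snippet and resolves membership both ways: the raw member list that nestedGroups = 0 leaves you with, and the transitive user list that nestedGroups = 1 produces. It also shows the cycle guard any resolver needs, since AD allows two groups to contain each other. The DNs are the ones from this post; the LDIF parser is deliberately minimal (plain "attr: value" lines only).

```python
# Added example (not Splunk's code): resolves nested AD group membership the
# way nestedGroups=1 does and contrasts it with the raw member list that
# nestedGroups=0 leaves you with. SAMPLE_LDIF is a constructed sample built
# from the three groups shown in this post, trimmed to dn/objectClass/member.
from collections import deque

SAMPLE_LDIF = """\
dn: CN=Developer Group,OU=groups,DC=qa,DC=ad2008r2,DC=com
objectClass: group
member: CN=kavin indirajith,CN=Users,DC=qa,DC=ad2008r2,DC=com
member: CN=Chandana Rangavajhala,CN=Users,DC=qa,DC=ad2008r2,DC=com

dn: CN=QA Group,OU=groups,DC=qa,DC=ad2008r2,DC=com
objectClass: group
member: CN=Indira thangasamy,CN=Users,DC=qa,DC=ad2008r2,DC=com

dn: CN=Nested Eng Group,OU=groups,DC=qa,DC=ad2008r2,DC=com
objectClass: group
member: CN=Jeff Chapman,CN=Users,DC=qa,DC=ad2008r2,DC=com
member: CN=QA Group,OU=groups,DC=qa,DC=ad2008r2,DC=com
member: CN=Developer Group,OU=groups,DC=qa,DC=ad2008r2,DC=com
"""

NESTED_ENG = "CN=Nested Eng Group,OU=groups,DC=qa,DC=ad2008r2,DC=com"


def parse_ldif(text):
    """Parse a minimal LDIF dump into {dn: {attr_lower: [values]}}.

    Only the plain 'attr: value' form is handled; base64 ('::') values and
    line continuations are out of scope for this example.
    """
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:            # blank line ends the current record
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def is_group(entries, dn):
    """True if dn is a group entry in the dump. DNs absent from the dump are
    treated as leaf members (users), which is the right reading for this data."""
    classes = entries.get(dn, {}).get("objectclass", [])
    return any(c.lower() == "group" for c in classes)


def direct_members(entries, group_dn):
    """nestedGroups=0 view: exactly the member values, groups included, so
    'CN=QA Group,...' shows up as a member and the users inside it never do."""
    return list(entries.get(group_dn, {}).get("member", []))


def transitive_users(entries, group_dn):
    """nestedGroups=1 view: expand member groups breadth-first, return user DNs.

    The `seen` set is essential: AD allows group A to be a member of B and B
    a member of A, and without it such a cycle would make this loop run forever.
    """
    users, seen, queue = [], {group_dn}, deque([group_dn])
    while queue:
        group = queue.popleft()
        for member in entries.get(group, {}).get("member", []):
            if is_group(entries, member):
                if member not in seen:
                    seen.add(member)
                    queue.append(member)
            elif member not in users:
                users.append(member)
    return users


if __name__ == "__main__":
    tree = parse_ldif(SAMPLE_LDIF)
    print("nestedGroups=0 sees:", direct_members(tree, NESTED_ENG))
    print("nestedGroups=1 sees:", transitive_users(tree, NESTED_ENG))
```

Running it prints the three direct member DNs (one user plus two groups) for the nestedGroups=0 case and the four user DNs for the nestedGroups=1 case, which is exactly the difference you see in the Splunk Web member list.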

The members of the static groups QA Group and Developer Group then show up on this page in Splunk Web. If they do, your authorization process will most likely succeed. After enabling nested group support, here is my etc/system/local/authentication.conf. Note that this lab setup uses SSLEnabled = 0 on port 389, so the bind password and every user's login credentials cross the network in cleartext; outside a lab set SSLEnabled = 1 and port = 636. The bindDNpassword value shown is reversibly encrypted with the instance's splunk.secret, not hashed, so both files need to be protected.

[authentication]
authSettings = ad
authType = LDAP

# strategy settings; the stanza name must match authSettings
[ad]
SSLEnabled = 0
anonymous_referrals = 1
bindDN = cn=directory manager,cn=users,dc=qa,dc=ad2008r2,dc=com
bindDNpassword = $1$wHbye/InxhNY
charset = utf8
groupBaseDN = ou=groups,dc=qa,dc=ad2008r2,dc=com
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host =
nestedGroups = 1
network_timeout = 20
port = 389
realNameAttribute = cn
sizelimit = 1000
timelimit = 15
userBaseDN = cn=users,dc=qa,dc=ad2008r2,dc=com
userNameAttribute = samaccountname

# Splunk role = LDAP group (the groupNameAttribute value)
[roleMap_ad]
admin = Nested Eng Group

In this case Nested Eng Group is mapped to the 'admin' Splunk role, so the members of all three groups can access the Splunk Web administrator pages. Keep in mind what that delegates: anyone who can add a user or another group to Nested Eng Group, QA Group or Developer Group in AD is effectively granting Splunk admin, so membership of groups mapped to privileged roles should be controlled as tightly as the role itself. It is very useful to verify the memberships with the ldapsearch command. For example:

ldapsearch -x -h adhost -p 389 \
  -D "cn=directory manager,cn=users,dc=qa,dc=ad2008r2,dc=com" -w passwd \
  -b "dc=qa,dc=ad2008r2,dc=com" \
  "(&(objectclass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=Nested Eng Group,OU=groups,DC=qa,DC=ad2008r2,DC=com))" samaccountname
# Indira thangasamy, Users,
dn: CN=Indira thangasamy,CN=Users,DC=qa,DC=ad2008r2,DC=com
sAMAccountName: ithangasamy
# Chandana Rangavajhala, Users,
dn: CN=Chandana Rangavajhala,CN=Users,DC=qa,DC=ad2008r2,DC=com
sAMAccountName: crangavajhala
# kavin indirajith, Users,
dn: CN=kavin indirajith,CN=Users,DC=qa,DC=ad2008r2,DC=com
sAMAccountName: kavin
# Jeff Chapman, Users,
dn: CN=Jeff Chapman,CN=Users,DC=qa,DC=ad2008r2,DC=com
sAMAccountName: jeff

You can see that the users from all three groups show up. The matching rule OID 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, which makes AD walk the memberOf chain on the server side, so one query returns the transitive membership without any client-side recursion. Two practical notes: computer accounts are also objectClass user in AD, so add (objectCategory=person) if you want people only, and prefer -W over -w passwd so the bind password does not appear in the process list. So far no extensive testing has been done with groups in a forest deployment or via the global catalog port (3268); this may be done in forthcoming versions.
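Building that filter by hand is fine for a one-off check, but the group DN is spliced straight into the filter string, and a DN containing "(", ")", "*" or "\" would break the filter or change its meaning. As an added example (my own code, not from the post, Splunk or OpenLDAP), here is the same transitive-membership query built with RFC 4515 escaping of the assertion value, tightened to exclude computer accounts, and emitted as an argv list for ldapsearch so no shell quoting is involved. The ldaps:// scheme and port 636 are assumptions; they presuppose that your domain controller has a certificate configured.

```python
# Added example (not from the post, Splunk or OpenLDAP): builds the AD
# transitive-membership filter used with ldapsearch above, escaping the group
# DN per RFC 4515 so '(' ')' '*' '\' in a DN cannot break or alter the filter.
# It also adds (objectCategory=person), since computer accounts are
# objectClass user in AD as well. ldaps://adhost:636 is an assumed lab setup.

# LDAP_MATCHING_RULE_IN_CHAIN: AD walks the memberOf chain server-side.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515, section 3).

    The four metacharacters and NUL must be hex-escaped as \\XX. Control and
    non-ASCII characters are escaped byte by byte as UTF-8, which RFC 4515
    also permits and keeps the resulting filter pure ASCII.
    """
    out = []
    for ch in value:
        if ch in "\\*()" or ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def transitive_member_filter(group_dn):
    """Filter matching user objects that are direct or nested members of group_dn."""
    return "(&(objectCategory=person)(objectClass=user)(memberOf:%s:=%s))" % (
        IN_CHAIN_OID, escape_filter_value(group_dn))


def ldapsearch_argv(host, bind_dn, base_dn, group_dn, port=636, use_ldaps=True,
                    attrs=("sAMAccountName",)):
    """argv for OpenLDAP ldapsearch, meant for subprocess.run(argv) with no shell.

    A list avoids shell quoting problems with the DN and the filter; -W prompts
    for the bind password instead of exposing it on the command line the way
    -w does; ldaps:// keeps the simple bind from crossing the wire in cleartext.
    """
    scheme = "ldaps" if use_ldaps else "ldap"
    return ["ldapsearch", "-x", "-H", "%s://%s:%d" % (scheme, host, port),
            "-D", bind_dn, "-W", "-b", base_dn,
            transitive_member_filter(group_dn), *attrs]


if __name__ == "__main__":
    argv = ldapsearch_argv(
        "adhost", "cn=directory manager,cn=users,dc=qa,dc=ad2008r2,dc=com",
        "dc=qa,dc=ad2008r2,dc=com",
        "CN=Nested Eng Group,OU=groups,DC=qa,DC=ad2008r2,DC=com")
    print(argv)
```

For the group DN from this post the escaping is a no-op, so the generated filter is the one used above plus the objectCategory clause; the escaping only matters once group names contain filter metacharacters, or once the DN comes from somewhere less trusted than an administrator's shell.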

You can also create the LDAP strategy through the REST API. The following curl command creates the strategy with nested group support turned on. The endpoint URL and the host parameter were missing from the command as originally posted: the endpoint below is Splunk's LDAP provider endpoint on the management port, assumed here to be localhost:8089, and the host is the adhost queried with ldapsearch above. groupBaseDN is set to ou=groups so that it matches the groups shown earlier. Note that -k disables certificate verification for the management port and admin:changeme is the factory default credential; both are lab conveniences only.

curl -k -u admin:changeme https://localhost:8089/services/authentication/providers/LDAP \
  -d "name=ActiveDirectory" -d "nestedGroups=1" \
  --data-urlencode "bindDN=cn=directory manager,cn=users,dc=qa,dc=ad2008r2,dc=com" \
  -d "bindDNpassword=secret" \
  -d "host=adhost" -d "port=389" \
  --data-urlencode "groupBaseDN=ou=groups,dc=qa,dc=ad2008r2,dc=com" \
  -d "groupMappingAttribute=dn" -d "groupMemberAttribute=member" -d "groupNameAttribute=cn" \
  -d "realNameAttribute=cn" \
  --data-urlencode "userBaseDN=cn=users,dc=qa,dc=ad2008r2,dc=com" \
  -d "userNameAttribute=samAccountName"

