Configuring Splunk Access Controls with LDAP

Configuring Splunk access controls with LDAP can be a challenge to get all the proper settings to successfully connect and then again to obtain the proper groups that have been configured. The use of Splunk LDAP browsing utilities, such as Linux LDAP search command and Windows LDAP browser, can be helpful in this venture rather than guessing or relying on default settings provided by documentation.

Server: www.zflexldap.com 
Port: 389
Bind DN: cn=ro_admin,ou=sysadmins,dc=zflexsoftware,dc=com
Bind Password: zflexpass

With the settings provided we can begin to configure the LDAP Access Controls by going to:
Setting ->  Access controls -> Authentiction method -> LDAP strategies > Add new

Figure 1 Access Control Settings

The first section is configuring the main LDAP connection with the settings provided.

Figure 2 Configure LDAP connection settings

The second section addresses configuring the User Settings. At this point is when utilizing an LDAP browser tool. There are various tools available for use for Windows and in this example zFLEX provides a Windows base tool zFLEX LDAP Browser. For Linux, there is the lpdapsearch command line tool which can be installed utilizing which we will use.  If the ldapsearch command is not installed, you install it via yum: 

Figure 3 yum installation

Utilizing an LDAP browser tool can help us determine settings such as User base DN and User name attribute. These settings may not be apparent from the original configuration settings provided. Running an ldapsearch command as follows will help shed some light:

Figure 4 ldap search command 

From here we determine the User Base DN for admin from dn: ou=sysadmins,dc=zflexsoftware,dc=com and the User Name attribute will be uid. 

Figure 6 LDAP User Settings

The Group settings follows and we can continue to use this information to complete the configuration: 

Figure 7 LDAP Group Settings

At this point we should be able to save our configuration. This process will validate the LDAP connection and login. If any errors occur, review the settings with the ldapsearch output.

The next objective is to map LDAP groups to Splunk roles. Groups will need to be created within LDAP that contain user’s that pertain to that group.  For example, create a Security Admins group for security engineers and a group for Network Admins for network engineers.

Within the LDAP Strategies select Map Groups under Actions on the right side.

Figure 8 LDAP Strategies

Here we can see the groups that are available for mapping to Splunk roles.

Figure 9 LDAP Available Groups

 Select the group that you wish to map, here we will use an example of mapping ServerAdmin to the Splunk Admin Role.

We select the ServerAdmin Group and then select the Admin role in the Left column to add it to the Right Column. In the figure below you can see the LDAP Users contained within that group. 

Figure 10 LDAP Assigning Roles to Groups

 After saving you will see the roles assigned to that group:

Figure 11 LDAP Assigned Roles

Want to learn more about how to use Splunk? Check out the videos our engineers put together as educational resources!