I've configured my Splunk setup to use LDAP, and it shows the few users I've configured to meet my criteria in the list (see http://imgur.com/l5iTu).
If, however, I try to log on using the correct LDAP credentials, I receive an "Invalid username and password" error. If after that I log in as admin again, the user I attempted to log in as has disappeared from the list (see http://imgur.com/tUIDz).
EDIT: Resynching the user list via the manager causes the username to reappear (curiouser and curiouser).
I'm running on an Enterprise License (albeit a trial one) -- there aren't any policy reasons why this behaviour would occur, are there?
EDIT #2: Here's my authentication.conf:
[authentication]
authSettings = mycompany LDAP
authType = LDAP

[mycompany LDAP]
SSLEnabled = 0
bindDNpassword = $1$sQ==
charset = utf8
groupBaseDN = ou=Group,dc=mycompany,dc=com
groupBaseFilter = (cn=splunk*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ldap.int.mycompany.com
port = 389
realNameAttribute = displayname
userBaseDN = dc=mycompany,dc=com
userBaseFilter = (ou=People)
userNameAttribute = uid

[roleMap]
admin = splunk-admin
splunk-admin = splunk-admin
splunk-dev-viewers = splunk-dev-viewers
splunk-ops-viewers = splunk-ops-viewers
splunk-report-builders = splunk-report-builders
splunk_qa_viewers = splunk-qa-viewers
user = People;splunk-admin;splunk-dev-viewers;splunk-ops-viewers;splunk-qa-viewers;splunk-report-builders
And here's my LDAP entry as an example:
# andrewn, People, mycompany.com
dn: cn=andrewn,ou=People,dc=mycompany,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: andrewn
uid: andrewn
givenName: Andrew
sn: Nicholson
homeDirectory: /home/andrewn
gecos: Andrew Nicholson
l: Melbourne
st: Victoria
uidNumber: xxxx
displayName: Andrew Nicholson
mail: firstname.lastname@example.org
employeeType: Employee
gidNumber: xxxxx
loginShell: /bin/bash
shadowLastChange: xxxxx
And one of our LDAP groups:
# splunk-admin, Group, mycompany.com
dn: cn=splunk-admin,ou=Group,dc=mycompany,dc=com
cn: splunk-admin
objectClass: groupOfNames
objectClass: top
description: Splunk Administrators
member: cn=xxxxxxx,ou=People,dc=mycompany,dc=com
member: cn=andrewn,ou=People,dc=mycompany,dc=com
member: cn=xxxxxxxx,ou=People,dc=mycompany,dc=com
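An offline check of the posted userBaseDN/userBaseFilter and groupBaseDN/groupBaseFilter settings against the two posted LDIF entries, as an added example that is not part of the original thread or of Splunk's tooling. The function names are hypothetical, the evaluator handles only single (attr=value) filters, and the entries are abbreviated copies of the ones in the question.

```python
from fnmatch import fnmatchcase

# Constructed sample data: abbreviated copies of the LDIF entries in the question.
USER_LDIF = """\
dn: cn=andrewn,ou=People,dc=mycompany,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
cn: andrewn
uid: andrewn
displayName: Andrew Nicholson
"""
GROUP_LDIF = """\
dn: cn=splunk-admin,ou=Group,dc=mycompany,dc=com
cn: splunk-admin
objectClass: groupOfNames
member: cn=andrewn,ou=People,dc=mycompany,dc=com
"""

def parse_entry(ldif):
    """Parse one unfolded LDIF entry into (dn, {lowercased attr: [values]})."""
    dn, attrs = None, {}
    for line in ldif.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(": ")
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs

def in_subtree(dn, base_dn):
    """True if dn equals base_dn or sits below it (subtree search scope)."""
    d, b = dn.lower().replace(" ", ""), base_dn.lower().replace(" ", "")
    return d == b or d.endswith("," + b)

def matches(attrs, flt):
    """Evaluate one (attr=value) filter; '*' in the value is a wildcard.
    Only attributes stored on the entry count, not the RDNs of its parents."""
    attr, _, pattern = flt.strip("()").partition("=")
    values = attrs.get(attr.lower(), [])
    return any(fnmatchcase(v.lower(), pattern.lower()) for v in values)

def found_by_search(ldif, base_dn, flt):
    """Would a subtree search from base_dn with filter flt return this entry?"""
    dn, attrs = parse_entry(ldif)
    return in_subtree(dn, base_dn) and matches(attrs, flt)
```

Run against the posted values, the group entry is returned for groupBaseDN with (cn=splunk*), while the user entry as posted lies under userBaseDN but carries no ou attribute, so (ou=People) does not select it even though (uid=andrewn) does.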
It could be that groupBaseDN is properly configured, but the userBaseDN is not. Support has seen issues with users disappearing in the manner you describe in the past.
Take a look at the following url:
Review the 'Test your LDAP configuration' section. This should be helpful in pointing out whatever variance may exist between groupBaseCN and userBaseDN.
Based on what I see in your configuration, I would suggest a couple of changes to authentication.conf: