Deployment Architecture
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to see all LDAP users under Access Controls?

pkeller
Contributor
‎11-10-2016 03:29 PM

Running Splunk 6.4.3 in a Search Head Cluster using AD/Ldap authentication.

A user contacted me about adding some capabilities. When I looked under: Access Controls -> Users, I could not find that the person's ID was visible. However when I search audit.log I see that he has logged in.

Additionally when I search: | rest /services/admin/users | search roles=his_role | stats values(realname) I see a list of about 365 names, (alphabetical by first name), which scrolls to the letter R or sometimes S, but seems to leave off the names towards the end of the alphabet.

So, I'm wondering if there's some sort of limit to the number of names that the rest call or the UI Access Controls module. As I mentioned at the top: The person, who's firstname starts with "V" can login, he's just not referenceable, so I can't look at his inherited roles and/or capabilities.

Thank you.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎11-10-2016 07:27 PM

As per sk314's comment, the user information is only visible for recently logged in users, and the information is stored per search head if your looking in the GUI, you will need to try each search head in your cluster if you are running a search head cluster.

The LDAP group to role mapping is normally quite straightforward so you can work it out without seeing it in the GUI.

Another trick I do is to create a local user and assign my local user the same roles as the LDAP user, therefore I can simulate any access issues they may have.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud

View solution in original post

Reply
Solved! Jump to solution
Solution

gjanders
SplunkTrust
SplunkTrust
‎11-10-2016 07:27 PM

As per sk314's comment, the user information is only visible for recently logged in users, and the information is stored per search head if your looking in the GUI, you will need to try each search head in your cluster if you are running a search head cluster.

The LDAP group to role mapping is normally quite straightforward so you can work it out without seeing it in the GUI.

Another trick I do is to create a local user and assign my local user the same roles as the LDAP user, therefore I can simulate any access issues they may have.

-
Alerts for Splunk Admins, Version Control for Splunk, Decrypt2 VersionControl For SplunkCloud
Reply
Solved! Jump to solution

sk314
Builder
‎11-10-2016 04:23 PM

Did you check this(Access Controls -> Users) on each member of your SH cluster? AFAIK - only the one that he connected to will have those details.

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...