LDAP Authentication
Splunk supports authentication via its internal authentication server or your existing LDAP v3 server. You can configure multiple LDAP servers (each defined as an Authentication Strategy), but Splunk can use only one of them at a time.
Configure your Authentication Strategy
In the Admin section, on the Server tab > Authentication Configuration page, set the drop-down to the name of the Authentication Strategy that Splunk should use.
By default there are two values:
- Splunk
- LDAP
Selecting LDAP will allow you to configure a new LDAP Authentication Strategy.
Configure Splunk to use your LDAP server
These are the steps that you need to follow in order to successfully configure Splunk to use your existing LDAP infrastructure:
- Set the Authentication Strategy to LDAP.
- Define a name for this LDAP configuration. This name will be added to the Set Authentication Strategy drop-down and cannot be LDAP.
- Specify the hostname of your LDAP server. Be sure that your Splunk server can resolve the host name.
- Specify the port that Splunk should use to connect to your LDAP server. By default LDAP servers listen on TCP port 389.
- Specify the distinguished name to bind to the LDAP server with; typically the administrator or manager user.
- Specify the password of the user Splunk is using to bind to the LDAP server.
- Specify the search base that Splunk should use when looking up user and group information.
- Specify the attribute that defines the user name. The standard OpenLDAP/POSIX value is uid. IMPORTANT: The username attribute cannot contain whitespace. The username is case sensitive.
- Specify the attribute that defines the real name (also referred to as the common name) of the user. The standard OpenLDAP/POSIX value is cn.
- Specify the attribute that defines the group name. The standard OpenLDAP/POSIX value is gid.
- Specify the attribute that defines the group membership. The standard OpenLDAP/POSIX value is member.
- Specify a failsafe user name. This user will allow you to authenticate into Splunk in the event that your LDAP server is unreachable. IMPORTANT: This user has admin privileges on the Splunk install.
- Specify a password for your failsafe user.
Determining your User and Group Base DN
The distinguished names are the locations in the directory where authentication information is stored. If all information is contained in each user's entry, then the two distinguished names must be the same. If group membership information for users is kept in a separate entry, then supply a separate distinguished name.
This allows flexibility in configuration and prevents Splunk from having to extend the LDAP schema.
Examples
Case 1: User entries in the directory have both password and group membership stored in them. User entry DNs are of the form userid=bjensen,ou=People,o=MyCo.
userBaseDN = ou=People,o=MyCo
groupBaseDN = ou=People,o=MyCo
Case 2: Group membership information is kept in a separate entry from the user entries. User entry DNs are of the form userid=bjensen,ou=People,o=MyCo and group information is stored at gid=Users,ou=Groups,o=MyCo.
userBaseDN = ou=People,o=MyCo
groupBaseDN = ou=Groups,o=MyCo
Mapping existing LDAP groups to Splunk Roles
Once you have configured your Splunk server to authenticate via your LDAP server, you will need to map your existing LDAP groups to Splunk's user roles.
Under the Users tab you will see all of your users and groups. Click the Edit link next to the appropriate user or group and define the Splunk role.
Testing your LDAP configuration
If you find that your Splunk install is not able to successfully connect to your LDAP server there are a few troubleshooting steps that you can perform:
- Check your $SPLUNK_HOME/var/log/splunk/splunkd.log for any authentication errors
- Perform an ldapsearch to test that the variables you are specifying will work:
ldapsearch -h "<host>" -p "<port>" -b "<userBaseDN>" -x -D "<bindDN>" -w "<bindDNpassword>"
ldapsearch -h "<host>" -p "<port>" -b "<groupBaseDN>" -x -D "<bindDN>" -w "<bindDNpassword>"
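As an added check (example code, not part of Splunk's documentation): the script below parses the LDIF that the two ldapsearch commands print, constructed here for the Case 2 layout, and applies the attribute settings from the configuration steps (uid, cn, gid, member) to show which usernames each group would yield, flagging a username that contains whitespace and a member DN that resolves to no user entry. For the Case 1 layout, pass the same output as both arguments; entries lacking the username or group attribute are skipped.

```python
# Constructed LDIF as the two ldapsearch commands above would print it for
# the Case 2 layout (users under ou=People, groups under ou=Groups); not real data.
USER_LDIF = """\
dn: uid=bjensen,ou=People,o=MyCo
uid: bjensen
cn: Barbara Jensen

dn: uid=jane doe,ou=People,o=MyCo
uid: jane doe
"""
GROUP_LDIF = """\
dn: gid=Users,ou=Groups,o=MyCo
gid: Users
member: uid=BJENSEN,ou=People,o=MyCo
member: uid=nobody,ou=People,o=MyCo
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; assumes no base64 (::) or folded lines."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries[attrs["dn"][0]] = attrs
    return entries

def check_mapping(user_ldif, group_ldif, user_attr="uid", real_attr="cn",
                  group_attr="gid", member_attr="member"):
    """Return (username -> real name, group -> member usernames, warnings)."""
    warnings, names, by_dn = [], {}, {}
    for dn, attrs in parse_ldif(user_ldif).items():
        if user_attr in attrs:  # entries without the username attribute are not users
            uname = attrs[user_attr][0]
            if any(c.isspace() for c in uname):  # the username attribute must not contain whitespace
                warnings.append(f"{dn}: {user_attr} {uname!r} contains whitespace")
            names[uname] = attrs.get(real_attr, [uname])[0]  # fall back to the username
            by_dn[dn.lower()] = uname  # DNs compare case-insensitively here; the uid value does not
    groups = {}
    for dn, attrs in parse_ldif(group_ldif).items():
        if group_attr in attrs:  # likewise, entries without the group attribute are not groups
            gname = attrs[group_attr][0]
            groups[gname] = []
            for member in attrs.get(member_attr, []):
                if member.lower() in by_dn:
                    groups[gname].append(by_dn[member.lower()])
                else:
                    warnings.append(f"group {gname}: {member_attr} {member} matches no user entry")
    return names, groups, warnings
```

Run it against your own ldapsearch output: an empty groups dict or a long warnings list points at a wrong base DN or attribute name before you change anything in Splunk.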
This documentation applies to the following versions of Splunk: 2.2, 2.2.1, 2.2.3, 2.2.6.