authentication.conf
This documentation does not apply to the most recent version of Splunk.
The following are the spec and example files for authentication.conf.
authentication.conf.spec
# Copyright (C) 2005-2010 Splunk Inc. All Rights Reserved. Version 4.1.5
#
# This file contains possible attributes and values for configuring authentication via
# authentication.conf.
#
# There is an authentication.conf in $SPLUNK_HOME/etc/system/default/. To set custom configurations,
# place an authentication.conf in $SPLUNK_HOME/etc/system/local/. For examples, see
# authentication.conf.example. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles
[authentication]
* Follow this stanza name with any number of the following attribute/value pairs.
authType = <string>
* Specify which authentication system to use.
* Currently available: Splunk, LDAP, Scripted.
* Defaults to Splunk.
authSettings = <string>
* Key to look up the specific configurations of chosen authentication system.
* <string> is the name of the stanza header [<authSettingsKey>].
* This is used by LDAP and Scripted Authentication.
#####################
# LDAP settings
#####################
[<authSettings-key>]
* Follow this stanza name with the following attribute/value pairs.
host = <string>
* REQUIRED - Hostname of LDAP server.
* Be sure that your Splunk server can resolve the host name.
SSLEnabled = <boolean>
* OPTIONAL - 0 for disabled (default)
* 1 for enabled.
* See the file $SPLUNK_HOME/etc/openldap/openldap.conf for SSL LDAP settings
port = <integer>
* OPTIONAL - The port that Splunk should use to connect to your LDAP server.
* Defaults to port 389 for non-SSL and port 636 for SSL
bindDN = <string>
* Distinguished name of the user that will be retrieving the LDAP entries
* This user needs to have read access to all LDAP users and groups you wish to use in Splunk.
* Optional, but usually required due to LDAP security settings.
* Leave this blank if your LDAP entries can be retrieved with anonymous bind
bindDNpassword = <string>
* Password for the bindDN user.
* Optional - leave this blank if anonymous bind is sufficient
userBaseDN = <string>
* REQUIRED - Distinguished names of LDAP entries whose subtrees contain the users
* Enter a ';' delimited list to search multiple trees.
userBaseFilter = <string>
* OPTIONAL - The LDAP search filter you wish to use when searching for users
* Highly recommended, especially when there are many entries in your LDAP user subtrees
* When used properly, search filters can significantly speed up LDAP queries
* Example that matches users in the IT or HR department:
* userBaseFilter = (|(department=IT)(department=HR))
* See RFC 2254 for more detailed information on search filter syntax
* This defaults to no filtering.
groupBaseDN = <string>
* REQUIRED - Distinguished names of LDAP entries whose subtrees contain the groups
* Enter a ';' delimited list to search multiple trees.
* If your LDAP environment does not have group entries, there is a configuration that can treat each user as its own group
* Set groupBaseDN to the same as userBaseDN, which means you will search for groups in the same place as users
* Next, set the groupMemberAttribute and groupMappingAttribute to the same attribute as userNameAttribute
* This means the entry, when treated as a group, will use the username value as its only member
* For clarity, you should probably also set groupNameAttribute to the same as userNameAttribute as well
groupBaseFilter = <string>
* OPTIONAL - The LDAP search filter you wish to use when searching for groups
* Like userBaseFilter, this is highly recommended to speed up LDAP queries
* See RFC 2254 for more information
* This defaults to no filtering
userNameAttribute = <string>
* REQUIRED - User entry attribute whose value is the username
* NOTE: This attribute should use case insensitive matching for its values, and the values should not contain whitespace
* Users are case insensitive in Splunk
* In Active Directory, this is 'sAMAccountName'
* A typical attribute for this is 'uid'
realNameAttribute = <string>
* REQUIRED - User entry attribute whose value is their real name (human readable)
* A typical attribute for this is 'cn'
groupMappingAttribute = <string>
* OPTIONAL - User entry attribute whose value is used by group entries to declare membership
* Groups are often mapped with user DN, so this defaults to 'dn'
* Set this if groups are mapped using a different attribute
* Usually only needed for OpenLDAP servers.
* A typical attribute used to map users to groups is 'uid'
* For example, assume a group declares that one of its members is 'splunkuser'
* This implies that every user with 'uid' value 'splunkuser' will be mapped to that group
groupNameAttribute = <string>
* REQUIRED - Group entry attribute whose value stores the group name
* A typical attribute for this is 'cn' (common name)
* Recall that if you are configuring LDAP to treat user entries as their own group, user entries must have this attribute
groupMemberAttribute = <string>
* REQUIRED - Group entry attribute whose values are the group's members
* Typical attributes for this are 'member' and 'memberUid'
* For example, consider the groupMappingAttribute example above using groupMemberAttribute 'member'
* To declare 'splunkuser' as a group member, its attribute 'member' must have the value 'splunkuser'
charset = <string>
* OPTIONAL - ONLY set this for an LDAP setup that returns non-UTF-8 encoded data. LDAP is supposed to always return UTF-8 encoded data (See RFC 2251), but some tools incorrectly return other encodings
* Follows the same format as CHARSET in props.conf (see props.conf.spec)
* An example value would be "latin-1"
#####################
# Map roles
#####################
[roleMap]
* Follow this stanza name with several Role to Group mappings as defined below.
<RoleName> = <LDAP group string>
* Maps a Splunk role (from authorize.conf) to LDAP groups
* This list is semi-colon delimited (no spaces).
* List several of these attribute value pairs to map all Splunk roles to Groups
#####################
# Scripted authentication
#####################
[<authSettings-key>]
* Follow this stanza name with the following attribute/value pairs:
scriptPath = <string>
* REQUIRED - Full path to the script, including the path to the program that runs it (python)
* ex: "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/etc/system/bin/$MY_SCRIPT"
* Note that if a path contains spaces, it must be quoted. Our example above handles the case where $SPLUNK_HOME contains a space
scriptSearchFilters = <boolean>
* OPTIONAL - Only set this to 1 to call the script to add search filters.
* 0 disables (default)
# Cache timing:
# Use these settings to adjust the maximum frequency at which Splunk calls your script functions per user.
# Caching is disabled by default
# All timeouts can be expressed in seconds or as a search-like time range
# Examples include '30' (30 seconds), '2mins' (2 minutes), '24h' (24 hours), etc.
[cacheTiming]
getUserInfoTTL = <time range string>
* Timeout for getUserInfo.
getUsersTTL = <time range string>
* Timeout for getUsers.
userLoginTTL = <time range string>
* Timeout for userLogin.
authentication.conf.example
# Copyright (C) 2005-2010 Splunk Inc. All Rights Reserved. Version 4.1.5
#
# This is an example authentication.conf. Use this file to configure LDAP or toggle between LDAP
# and Splunk's native authentication system.
#
# To use one or more of these configurations, copy the configuration block into authentication.conf
# in $SPLUNK_HOME/etc/system/local/. You must restart Splunk to enable configurations.
#
# To learn more about configuration files (including precedence) please see the documentation
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles
# Use Splunk's built-in authentication:
[authentication]
authType = Splunk
##### LDAP examples
#### Basic LDAP configuration example
[authentication]
authType = LDAP
authSettings = ldaphost
[ldaphost]
host = ldaphost.domain.com
port = 389
SSLEnabled = 0
bindDN = cn=Directory Manager
bindDNpassword = password
userBaseDN = ou=People,dc=splunk,dc=com
userBaseFilter = (objectclass=splunkusers)
groupBaseDN = ou=Groups,dc=splunk,dc=com
groupBaseFilter = (objectclass=splunkgroups)
userNameAttribute = uid
realNameAttribute = givenName
groupMappingAttribute = dn
groupMemberAttribute = uniqueMember
groupNameAttribute = cn
# This stanza maps roles you have created in authorize.conf to LDAP Groups
[roleMap]
admin = SplunkAdmins
#### Sample Configuration for Sun LDAP Server
[authentication]
authSettings = SunLDAP
authType = LDAP
[SunLDAP]
SSLEnabled = 0
bindDN = cn=Directory Manager
bindDNpassword = Directory_Manager_Password
groupBaseDN = ou=Groups,dc=splunksupport,dc=com
groupBaseFilter = (objectclass=*)
groupMappingAttribute = dn
groupMemberAttribute = uniqueMember
groupNameAttribute = cn
host = ldapbogus.splunksupport.com
port = 389
realNameAttribute = givenName
userBaseDN = ou=People,dc=splunksupport,dc=com
userBaseFilter = (objectclass=*)
userNameAttribute = uid
[roleMap]
admin = SplunkAdmins
power = SplunkPowerUsers
user = SplunkUsers
#### Sample Configuration for Active Directory
[authentication]
authSettings = AD
authType = LDAP
[AD]
SSLEnabled = 0
bindDN = ldap_bind@splunksupport.kom
bindDNpassword = ldap_bind_user_password
groupBaseDN = CN=Groups,DC=splunksupport,DC=kom
groupBaseFilter = (objectclass=*)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
host = ADbogus.splunksupport.kom
port = 389
realNameAttribute = cn
userBaseDN = CN=Users,DC=splunksupport,DC=kom
userBaseFilter = (objectclass=*)
userNameAttribute = sAMAccountName
[roleMap]
admin = SplunkAdmins
power = SplunkPowerUsers
user = SplunkUsers
#### Sample Configuration for OpenLDAP
[authentication]
authSettings = OpenLDAP
authType = LDAP
[OpenLDAP]
bindDN = uid=directory_bind,cn=users,dc=osx,dc=company,dc=com
bindDNpassword = directory_bind_account_password
groupBaseFilter = (objectclass=*)
groupNameAttribute = cn
SSLEnabled = 0
port = 389
userBaseDN = cn=users,dc=osx,dc=company,dc=com
host = hostname_OR_IP
userBaseFilter = (objectclass=*)
userNameAttribute = uid
groupMappingAttribute = uid
groupBaseDN = dc=osx,dc=company,dc=com
groupMemberAttribute = memberUid
realNameAttribute = cn
failsafeLogin = splunk_failsafe
failsafePassword = you_specify_the_password
[roleMap]
admin = SplunkAdmins
power = SplunkPowerUsers
user = SplunkUsers
##### Scripted Auth examples
# The following example is for RADIUS authentication:
[authentication]
authType = Scripted
authSettings = script
[script]
scriptPath = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/share/splunk/authScriptSamples/radiusScripted.py"
# Cache results for 1 second per call
[cacheTiming]
userLoginTTL = 1
getUserInfoTTL = 1
getUsersTTL = 1
# The following example works with PAM authentication:
[authentication]
authType = Scripted
authSettings = script
[script]
scriptPath = "$SPLUNK_HOME/bin/python" "$SPLUNK_HOME/share/splunk/authScriptSamples/pamScripted.py"
# Cache results for different times per function
[cacheTiming]
userLoginTTL = 30s
getUserInfoTTL = 1min
getUsersTTL = 5mins
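
The following is an added example, not part of Splunk's spec or example files: a small Python audit of the LDAP stanza selected by [authentication], built on the defaults and REQUIRED markers in the spec above. The function names, the finding texts and the constructed sample (modelled on the Active Directory example, with SSLEnabled and groupMemberAttribute left out) are assumptions of this example.

```python
REQUIRED = ("host", "userBaseDN", "groupBaseDN", "userNameAttribute",
            "realNameAttribute", "groupNameAttribute", "groupMemberAttribute")

def parse_conf(text):
    """Return {stanza: {attribute: value}}, skipping blank and # comment lines."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def audit_ldap(text):
    """List findings for the stanza named by authSettings ([] unless authType = LDAP)."""
    stanzas = parse_conf(text)
    auth = stanzas.get("authentication", {})
    if auth.get("authType", "Splunk") != "LDAP":  # spec: defaults to Splunk
        return []
    ldap = stanzas.get(auth.get("authSettings", ""))
    if ldap is None:
        return ["authSettings does not name an existing stanza"]
    findings = ["missing REQUIRED attribute " + k for k in REQUIRED if not ldap.get(k)]
    # Spec: SSLEnabled is 0 (default) or 1, so an absent key means no SSL.
    if ldap.get("SSLEnabled", "0") != "1" and ldap.get("bindDNpassword"):
        findings.append("bindDNpassword is sent with SSLEnabled = 0")
    for key in ("userBaseFilter", "groupBaseFilter"):
        if ldap.get(key, "") in ("", "(objectclass=*)"):
            findings.append(key + " does not narrow the search")
    return findings

SAMPLE = """# Constructed sample, modelled on this page's Active Directory example
[authentication]
authType = LDAP
authSettings = AD
[AD]
host = ADbogus.splunksupport.kom
bindDN = ldap_bind@splunksupport.kom
bindDNpassword = ldap_bind_user_password
userBaseDN = CN=Users,DC=splunksupport,DC=kom
groupBaseDN = CN=Groups,DC=splunksupport,DC=kom
groupBaseFilter = (objectclass=*)
userNameAttribute = sAMAccountName
realNameAttribute = cn
groupNameAttribute = cn
"""

if __name__ == "__main__":
    print("\n".join(audit_ldap(SAMPLE)))
```

Because SSLEnabled defaults to 0, a stanza that simply omits the key is flagged the same way as one that sets it to 0.
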
This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5