Splunk® Enterprise

Securing Splunk Enterprise

Download manual as PDF

Download topic as PDF

How Splunk Enterprise works with multiple LDAP servers

Splunk Enterprise can search against multiple LDAP servers when authenticating users. To configure multiple LDAP servers, you set up multiple LDAP "strategies," one for each LDAP server.

After you create your strategies, you can specify the order in which you want Splunk Enterprise to query the strategies when searching for LDAP users. If you do not specify a search order, Splunk Enterprise assigns a default "connection order" based on the order in which the strategies are created.

For more about the steps to configure LDAP strategies, see Configure LDAP with Splunk Web or Configure LDAP with the configuration file for more information.

How connection order works during a search

During authentication, Splunk Enterprise searches based on the strategies you created for your servers in the specified connection order. After Splunk Enterprise locates the user on a server, it stops searching and takes those credentials. If the user also has credentials on a server later in the search order, those credentials are ignored.

For example, assume that you configure and enable three strategies in this order: A, B, C. Splunk Enterprise will search the servers in that same order: A, B, C. If it finds the user on A, it stops looking. Even if the user also exists on B and C, Splunk Enterprise will only use A's credentials for that user. If Splunk Enterprise does not find the user on A, it searches the remaining servers: first B, then C.

If you later disable strategy A, Splunk Enterprise will search the remaining strategies in the order: B, C.

You can change the connection order at any time by editing the strategies' properties in Splunk Web or by changing the order of the strategies in the authSettings attribute, as described in the authentication.conf spec file. For more information about editing this file for LDAP, see Edit authentication.conf.

Important: Any user created locally through Splunk authentication has precedence over an LDAP user of the same name. See About user authentication, for details.

PREVIOUS
Secure LDAP with TLS certificates
  NEXT
Configure LDAP with Splunk Web

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.1.0, 7.1.1, 7.1.2


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters