Set up user authentication with LDAP
Splunk Enterprise supports three types of authentication systems:
- Splunk authentication described in "Set up user authentication with Splunk's built-in system."
- LDAP, described in the topic you're now reading.
- A scripted authentication API for use with an external authentication system, such as PAM or RADIUS, described in "Set up user authentication with external systems."
About configuring LDAP authentication for Splunk Enterprise
Splunk Enterprise allows user and role configuration for LDAP users and groups. You can configure one or many LDAP servers and map users and user groups from your servers to Splunk roles.
For more information about configuring multiple LDAP servers, see "How Splunk works with multiple LDAP servers."
Before you configure LDAP, take a look at "LDAP prerequisites and considerations."
How to configure LDAP authentication
These are the main steps to configure Splunk Enterprise to work with LDAP:
1. Configure one or more LDAP strategies (typically, you configure one strategy per LDAP server).
2. Map your LDAP groups to one or more Splunk roles.
3. If you have multiple LDAP servers, specify the connection order of their servers.
You can perform these steps in Splunk Web or by editing the configuration file. See "Configure LDAP with Splunk Web" or "Configure LDAP with the configuration file" for more information.
Authentication precedence
Splunk authentication takes precedence over any external systems. This is the order in which Splunk Enterprise authenticates a user:
1. Splunk authentication is attempted first. If the account is expired or otherwise fails, there is no follow up LDAP login attempt.
2. If local user does not exist, LDAP login is attempted or scripted authentication is attempted if enabled. For more information about scripted authentication see "Set up user authentication with external systems."
Answers
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around LDAP authentication with Splunk.
This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10
Feedback submitted, thanks!