Set up user authentication with LDAP
The Splunk platform supports several types of authentication schemes, including the Lightweight Directory Access Protocol (LDAP).
About configuring LDAP authentication for
The Splunk platform lets you configure user and role configuration for LDAP users and groups. You can configure the Splunk platform to use one or many LDAP servers, then map users and user groups from your servers to Splunk roles. You can also configure Splunk authentication tokens for LDAP users.
Before you configure the Splunk platform for LDAP, read LDAP prerequisites and considerations.
After you configure LDAP as an authentication scheme, see Set up authentication with tokens if you want information on creating authentication tokens for LDAP users.
How to configure LDAP as an authentication scheme
Following are the main steps to configure the Splunk platform to work with LDAP for authentication:
- Configure one or more LDAP strategies, typically one strategy per LDAP server.
- Map LDAP groups to one or more Splunk roles.
- If you have multiple LDAP servers, specify the connection order of the servers.
In Splunk Cloud Platform, you can perform these steps in Splunk Web. See Configure LDAP with Splunk Web.
In Splunk Enterprise, you can use either Splunk Web or configuration files to configure LDAP. To use configuration files to configure LDAP, see Configure LDAP with configuration files.
If you need to configure multiple LDAP servers to work with your Splunk platform instance, see How Splunk works with multiple LDAP servers.
Precedence of Splunk authentication schemes
The native Splunk authentication scheme takes precedence over any external schemes. Precedence is the order in which the Splunk platform authenticates a user:
- The Splunk platform attempts native authentication to log the user in first. If authentication fails, and the failure is not due to a nonexistent local account, then the platform does not attempt to use LDAP to login.
- If the failure is due to a nonexistent local account, then the Splunk platform attempts a login using the LDAP authentication scheme.
- On Splunk Enterprise only, if you have configured scripted authentication, the instance then attempts to log in using a script. For more information about scripted authentication, see Set up user authentication with external systems.
Set up native Splunk authentication | Manage Splunk user roles with LDAP |
This documentation applies to the following versions of Splunk Cloud Platform™: 9.2.2406 (latest FedRAMP release), 8.2.2203, 9.0.2205, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403
Feedback submitted, thanks!