To use your authentication system with Splunk, make sure the authentication system is running and then do the following:
1. Create and test a Python authentication script. See "Create the authentication script" for the procedure.
2. Edit authentication.conf to enable your authentication script. See "Enable your script" in this topic.
3. Edit authentication.conf to set your cache duration. See "Set cache durations" in this topic.
Enable your script
Once you create a Python script to implement authentication, you update the
$SPLUNK_HOME/etc/system/local/ to enable your script. You can also copy and edit a sample
Scripted as your authentication type under the
[authentication] stanza heading:
[authentication] authType = Scripted authSettings = script
Set script variables under the
[script] stanza heading. For example:
[script] scriptPath = $SPLUNK_HOME/bin/python $SPLUNK_HOME/bin/<scriptname.py>
Set cache durations
To significantly speed authentication performance when using scripted authentication, make use of Splunk's authentication caching capability. You do so by adding the optional
[cacheTiming] stanza. Each script function (except
getSearchFilter) has a settable
cacheTiming attribute, which turns on caching for that function and specifies its cache duration. For example, to specify the cache timing for the
getUserInfo function, use the
getUserInfoTTL attribute. Caching for a function occurs only if its associated attribute is specified.
cacheTiming settings specify the frequency at which Splunk calls your script to communicate with the external authentication system. You can specify time in seconds (s), minutes (m), hours (h), days (d), etc. Typically, you'll limit the cache frequency to seconds or minutes. If a unit is not specified, the value defaults to seconds. So, a value of "5" is equivalent to "5s".
This example shows typical values for the caches:
[cacheTiming] userLoginTTL = 10s getUserInfoTTL = 1m getUsersTTL = 2m
You'll want to set
userLoginTTL to a low value, since this determines how long user login/password validity is cached.
To refresh all caches immediately, use the CLI command
./splunk reload auth
Note: This command does not boot current users off the system.
You can also refresh caches in Splunk Web:
1. Click Manager in the upper right-hand corner of Splunk Web.
2. Under System configurations, click Access controls.
3. Click Authentication method.
4. Click Reload authentication configuration to refresh the caches.
Each specified function, except
getUsers, has a separate cache for each user. So, if you have 10 users logged on and you've specified the
getUserInfoTTL attribute, the
getUserInfo function will have 10 user-based caches. The
getUsers function encompasses all users, so it has a single, global cache.
Create the authentication script
Use PAM authentication
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18