Download topic as PDF
Map LDAP groups and users to Splunk roles in the configuration files
Once you've set up LDAP authentication and users, you can map your LDAP groups and users to roles in Splunk Web. To set up LDAP for Splunk Enterprise, see Configure LDAP with the configuration file in this manual.
As an alternative to using Splunk Web to map roles, you can directly edit your authentication.conf contained in $SPLUNK_HOME/etc/system/local/. There are further examples at the end of the authentication.conf spec file.
For information on configuration files in general, see About configuration files In the Admin Manual.
Map groups to roles
To map Splunk roles to a strategy's LDAP groups, you need to set up a roleMap stanza for that strategy. Each strategy requires its own roleMap stanza. This example maps roles for groups in the "ldaphost1" strategy. In your authentication.conf file in $SPLUNK_HOME/etc/system/local/:
[roleMap_ldaphost1] admin = SplunkAdmins itusers = ITAdmins
Map users directly to roles
If you need to map users directly to Splunk roles, you can do so by setting the groupBaseDN setting in authentication.conf to the value of userBaseDN.
Also set the following attributes to the same value as userNameAttribute:
-
groupMappingAttribute -
groupMemberAttribute -
groupNameAttribute
For example:
[supportLDAP] SSLEnabled = 0 bindDN = cn=Directory Manager bindDNpassword = ######### groupBaseDN = ou=People,dc=splunksupport,dc=com groupBaseFilter = (objectclass=*) groupMappingAttribute = MyUserID groupMemberAttribute = MyUserID groupNameAttribute = MyUserID host = supportldap.splunksupport.com port = 389 realNameAttribute = cn userBaseDN = ou=People,dc=splunksupport,dc=com userBaseFilter = (objectclass=*) userNameAttribute = MyUserID [roleMap_supportLDAP] admin = rlee;bsmith
|
PREVIOUS Configure LDAP with the configuration file |
NEXT Test your LDAP configuration |
This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4
Comments
Please, clarify me is it possible in this example to map users in [supportLDAP] to different Splunk roles, in other words may I do this way:
[supportLDAP]
SSLEnabled = 0
bindDN = cn=Directory Manager
bindDNpassword = #########
groupBaseDN = ou=People,dc=splunksupport,dc=com
groupBaseFilter = (objectclass=*)
groupMappingAttribute = uid
groupMemberAttribute = uid
groupNameAttribute = uid
host = supportldap.splunksupport.com
port = 389
realNameAttribute = cn
userBaseDN = ou=People,dc=splunksupport,dc=com
userBaseFilter = (objectclass=*)
userNameAttribute = uid
[roleMap_supportLDAP]
admin = rlee;bsmith
user = swhite;dbrown
That should work. All you are really doing is adding another role, right? All the important pieces are there. In the unlikely event you come across any hiccups, maybe post to Splunk Answers to see if any fellow Splunkers can help troublshoot.