Splunk® Enterprise

Securing the Splunk Platform

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

How the Splunk platform works with multiple LDAP servers for authentication

The Splunk platform can search against multiple LDAP servers when it authenticates users. To configure multiple LDAP servers, you set up multiple LDAP "strategies," one for each LDAP server.

After you create LDAP strategies, you can specify the order in which you want the Splunk platform to query the strategies when searching for LDAP users. If you do not specify a search order, the Splunk platform assigns a default "connection order" based on the order in which the strategies are created.

For more about the steps to configure LDAP strategies, see Configure LDAP with Splunk Web or Configure LDAP with configuration files for more information.

How connection order works during a search

During authentication, the Splunk platform searches based on the strategies you created for your LDAP servers in the specified connection order. After the Splunk platform locates the user on a server, it stops searching and takes those credentials. If the user also has credentials on a server later in the search order, the Splunk platform ignores those credentials.

For example, assume that you configure and enable three strategies in this order: A, B, C. The Splunk platform searches the servers in that same order: A, B, C. If it finds the user on Strategy A, it stops looking. Even if the user also exists on strategies B and C, the Splunk platform only uses Strategy A's credentials for that user. If the Splunk platform does not find the user on Strategy A, it searches the remaining servers: first Strategy B, then Strategy C.

If you later disable Strategy A, the Splunk platform searches the remaining strategies in the order: B, C.

Any user you create locally on the native Splunk authentication scheme has precedence over an LDAP user of the same name. See About user authentication, for details.

You can change the connection order at any time by editing the strategies' properties in Splunk Web. On Splunk Enterprise only, you can also change the order using the authSettings setting, as described in the authentication.conf specification file. For more information about editing this file for LDAP, see Edit authentication.conf.

Last modified on 25 April, 2021
PREVIOUS
Secure LDAP with TLS certificates
  NEXT
Configure LDAP with Splunk Web

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 7.0.2


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters