LDAP prerequisites and considerations
Before configuring LDAP for authentication with Splunk, make the preparations described in this topic.
Determine your User and Group Base DN
Before you map your LDAP settings to Splunk settings, figure out your user and group base DN, or distinguished name. The DN is the location in the directory where authentication information is stored.
If group membership information for users is kept in a separate entry, enter a separate DN identifying the subtree in the directory where the group information is stored. Users and groups will be searched recursively on all the subnodes under this DN. If your LDAP tree does not have group entries, you can set the group base DN to the same as the user base DN to treat users as their own group. This requires further configuration, described later.
If you are unable to get this information, contact your LDAP Administrator for assistance.
Note: For best results when integrating Splunk Enterprise with Active Directory, place your Group Base DN in a separate hierarchy than the User Base DN.
Additional considerations
When configuring Splunk Enterprise to work with LDAP, note the following:
- Entries in Splunk Web and
authentication.conf
are case sensitive. - Any user created locally through Splunk native authentication will have precedence over an LDAP user of the same name. For example, if the LDAP server has a user with a username attribute (for instance, cn or uid) of 'admin' and the default Splunk user of the same name is present, the Splunk user will win. Only the local password will be accepted, and upon login the roles mapped to the local user will be in effect.
- The number of LDAP groups Splunk Web can display for mapping to roles is limited to the number your LDAP server can return in a query. You can use the Search request size limit and Search request time limit settings to configure this.
- To prevent Splunk from listing unnecessary groups, use the
groupBaseFilter
. For example:groupBaseFilter = (|(cn=SplunkAdmins)(cn=SplunkPowerUsers)(cn=Help Desk))
- If you must role map more than the maximum number of groups, you can edit
authentication.conf
directly. In this example, "roleMap_AD" specifies the name of the Splunk strategy. Each attribute/value pair maps a Splunk role to one or more LDAP groups:
- To prevent Splunk from listing unnecessary groups, use the
[roleMap_AD] admin = SplunkAdmins1;SplunkAdmins2 power = SplunkPowerUsers user = SplunkUsers
- Splunk always uses LDAP protocol version 3, aka v3.
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10
Feedback submitted, thanks!