Configure LDAP with the configuration file
As an alternative to using Splunk Web to configure LDAP, you can directly edit the authentication.conf file. This example steps you through the process of setting up authentication.conf. If you prefer to configure LDAP with Splunk Web, see Configure LDAP with Splunk Web.
Note: If you configure LDAP authentication and decide later to return to using the default Splunk authentication, the simplest way is to move the existing authentication.conf file out of the way (for example, by renaming it to authentication.conf.disabled) and restart Splunk Enterprise.
You can see some more examples at the end of the authentication.conf spec file.
Edit authentication.conf in $SPLUNK_HOME/etc/system/local/. For information on configuration files in general, see About configuration files in the Admin Manual.
Set authentication type and strategy name(s)
By default, Splunk Enterprise uses Splunk authentication. Change the type to LDAP in the [authentication] stanza:
[authentication]
authType = LDAP
authSettings = ldaphost1,ldaphost2
Note the following:
- Turn on LDAP by setting authType = LDAP.
- The authSettings attribute identifies one or more LDAP strategies. Each strategy has its own stanza.
Configure LDAP strategy stanzas
Each LDAP strategy needs its own stanza. Map the LDAP values to attribute/value pairs in the strategy's stanza.
Note: Splunk Enterprise does not support IPv6 address formats for Windows.
Here's an example stanza for the "ldaphost1" strategy, specified earlier in the authSettings attribute:
[ldaphost1]
host = ldaphost1.domain.com
port = 389
SSLEnabled = 0
bindDN = cn=bind_user
bindDNpassword = bind_user_password
groupBaseDN = ou=Groups,dc=splunk,dc=com
groupBaseFilter = (objectclass=*)
groupMappingAttribute = dn
groupMemberAttribute = uniqueMember
groupNameAttribute = cn
realNameAttribute = displayName
userBaseDN = ou=People,dc=splunk,dc=com
userBaseFilter = (objectclass=*)
userNameAttribute = uid
Note: For best results when integrating Active Directory, place your Group Base DN in a separate hierarchy from the User Base DN.
SSL
If you have enabled SSL for your LDAP strategy, make sure the following minimum settings are present in ldap.conf:
TLS_REQCERT demand
TLS_CACERT <path to cert, for example: /opt/splunk/etc/auth/LDAProotcert.crt>
TLS_CIPHER_SUITE <your cipher suite>
Configure multiple LDAP strategies
Splunk Enterprise can search across multiple LDAP servers, as described in How Splunk works with multiple LDAP servers. To configure this, set the authSettings attribute to a comma-separated list of all strategies, in the order in which you want Splunk Enterprise to query them. Then, specify separate stanzas for each strategy.
Map groups to roles
To map Splunk roles to a strategy's LDAP groups, you need to set up a roleMap stanza for that strategy. Each strategy requires its own roleMap stanza. This example maps roles for groups in the "ldaphost1" strategy. The syntax is <Splunk RoleName> = <LDAP group string>:
[roleMap_ldaphost1]
admin = SplunkAdmins
itusers = ITAdmins
Map users directly to roles
If you need to map users directly to Splunk roles, you can do so by setting the groupBaseDN to the value of userBaseDN. Also, set the attributes for groupMappingAttribute, groupMemberAttribute, and groupNameAttribute to the same attribute as userNameAttribute. For example:
[supportLDAP]
SSLEnabled = 0
bindDN = cn=Directory Manager
bindDNpassword = #########
groupBaseDN = ou=People,dc=splunksupport,dc=com
groupBaseFilter = (objectclass=*)
groupMappingAttribute = uid
groupMemberAttribute = uid
groupNameAttribute = uid
host = supportldap.splunksupport.com
port = 389
realNameAttribute = cn
userBaseDN = ou=People,dc=splunksupport,dc=com
userBaseFilter = (objectclass=*)
userNameAttribute = uid
[roleMap_supportLDAP]
admin = rlee;bsmith
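The following added example (not Splunk's own code) is a small review script for the strategy, roleMap, and direct user-to-role mapping stanzas described above. It parses an authentication.conf, and for every strategy named in authSettings it flags a missing strategy stanza, SSLEnabled left at 0, a missing roleMap_<strategy> stanza, and a direct-mapping stanza whose group attributes do not all match userNameAttribute. The sample configuration embedded in it is constructed from this page's examples and is not a real deployment.

```python
import configparser

# Constructed sample authentication.conf modelled on this page's stanzas (not a real deployment).
SAMPLE_CONF = """
[authentication]
authType = LDAP
authSettings = ldaphost1,supportLDAP
[ldaphost1]
SSLEnabled = 0
groupBaseDN = ou=Groups,dc=splunk,dc=com
groupMappingAttribute = dn
groupMemberAttribute = uniqueMember
groupNameAttribute = cn
userBaseDN = ou=People,dc=splunk,dc=com
userNameAttribute = uid
[roleMap_ldaphost1]
admin = SplunkAdmins
[supportLDAP]
SSLEnabled = 0
groupBaseDN = ou=People,dc=splunksupport,dc=com
groupMappingAttribute = uid
groupMemberAttribute = uid
groupNameAttribute = cn
userBaseDN = ou=People,dc=splunksupport,dc=com
userNameAttribute = uid
"""

# For direct user-to-role mapping these four attributes must all be the same.
GROUP_ATTRS = ("groupMappingAttribute", "groupMemberAttribute", "groupNameAttribute", "userNameAttribute")

def check_ldap_auth(conf_text):
    # Returns a list of findings for the LDAP strategies referenced by authSettings.
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep Splunk's camelCase attribute names as written
    cp.read_string(conf_text)
    findings = []
    auth = cp["authentication"] if cp.has_section("authentication") else {}
    if auth.get("authType") != "LDAP":
        findings.append("authentication: authType is not LDAP")
    for name in [n.strip() for n in auth.get("authSettings", "").split(",") if n.strip()]:
        if not cp.has_section(name):
            findings.append(f"{name}: listed in authSettings but has no strategy stanza")
            continue
        s = cp[name]
        if s.get("SSLEnabled", "0") != "1":
            findings.append(f"{name}: SSLEnabled is not 1, so the bind password crosses the network in clear text")
        if not cp.has_section(f"roleMap_{name}"):
            findings.append(f"{name}: no roleMap_{name} stanza, so LDAP users get no Splunk roles")
        if s.get("groupBaseDN") == s.get("userBaseDN") and len({s.get(k) for k in GROUP_ATTRS}) != 1:
            findings.append(f"{name}: direct user mapping needs all group attributes equal to userNameAttribute")
    return findings
```

Run it against the real file with `check_ldap_auth(open("/opt/splunk/etc/system/local/authentication.conf").read())` and review each finding before restarting Splunk Enterprise.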
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10