Splunk® Enterprise

Securing Splunk Enterprise


Splunk Enterprise version 7.2 is no longer supported as of April 30, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Change authentication schemes from native to LDAP on Splunk Enterprise

Switching from the native Splunk authentication scheme to the LDAP scheme does not automatically disable existing native Splunk platform accounts. When a user logs in, the native authentication scheme is consulted first and takes precedence over external schemes, including LDAP, so a native account with the same username as an LDAP user is the one that authenticates.

If a username exists in both schemes, delete the native Splunk user so that logins under that name are authenticated by LDAP. No change is needed for usernames that exist only in LDAP.

Secure local Splunk accounts

If you have configured Splunk Enterprise to use LDAP authentication, all local accounts that use Splunk authentication are still present and active, including the "admin" account. These accounts remain a valid login path that is outside the password and lockout policy of your LDAP directory, so account for them in your security review.

To remove all the current local accounts after you enable LDAP authentication:

  1. On the Splunk Enterprise instance where you want to disable the native user accounts, use a command prompt or file system tools to move the $SPLUNK_HOME/etc/passwd file to a different name, such as passwd.bak. The moved file still contains the password hashes, so restrict access to it.
  2. Create a blank $SPLUNK_HOME/etc/passwd file.
  3. Restart Splunk Enterprise.
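The three steps above, plus the option to keep named break-glass accounts, as an added shell example. This is not code from the Splunk documentation or product. It assumes that each line of $SPLUNK_HOME/etc/passwd is colon-delimited and begins with a colon, so that the username is the second field; verify that against your own file before running it. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example; this is not code from the Splunk documentation or product.
# Retires native (Splunk-authentication) accounts after LDAP is enabled by
# replacing $SPLUNK_HOME/etc/passwd with a file that keeps only the accounts
# named on the command line (e.g. a break-glass admin), or no accounts at all.
# Assumption: each passwd line is colon-delimited and starts with ':', so the
# username is the second field. Check this against your own file first.

# prune_native_accounts PASSWD_FILE [USER...]
# Moves PASSWD_FILE to PASSWD_FILE.bak, writes a new PASSWD_FILE that holds
# only the listed users, and prints how many accounts were kept.
prune_native_accounts() {
    passwd="$1"; shift
    [ -f "$passwd" ] || { echo "no such file: $passwd" >&2; return 1; }
    keep=" $* "                       # space-delimited allow-list
    mv "$passwd" "$passwd.bak"
    chmod 600 "$passwd.bak"           # the backup still holds password hashes
    : > "$passwd"                     # an empty passwd means no native accounts
    kept=0
    while IFS= read -r line; do
        # -s drops lines that have no ':' at all instead of echoing them back
        user=$(printf '%s\n' "$line" | cut -s -d: -f2)
        [ -n "$user" ] || continue    # skip blank or malformed lines
        case "$keep" in
            *" $user "*) printf '%s\n' "$line" >> "$passwd"; kept=$((kept + 1)) ;;
        esac
    done < "$passwd.bak"
    echo "$kept"
}

# retire_native_accounts [USER...]
# The full procedure on a live instance: prune, then restart so the change
# takes effect. The restart is skipped when no splunk binary is found.
retire_native_accounts() {
    home="${SPLUNK_HOME:-/opt/splunk}"
    prune_native_accounts "$home/etc/passwd" "$@" || return 1
    if [ -x "$home/bin/splunk" ]; then
        "$home/bin/splunk" restart
    fi
}
```

Run `retire_native_accounts` with no arguments to remove every native account, or `retire_native_accounts breakglass` to keep one named account for disaster recovery; any account you keep must carry a strong password, as the next paragraph says.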

You can still create accounts in the native authentication scheme when Splunk Enterprise uses LDAP for authentication. Also, any native Splunk accounts that must remain for backup or disaster-recovery purposes must use a strong password.

When you use LDAP for authentication, confirm that your LDAP implementation enforces:

  • Strong password requirements for length and complexity.
  • A low incorrect attempt threshold for password lockout.

How saved searches work under the LDAP authentication scheme

If the usernames in the LDAP scheme are the same as the native usernames you deleted, saved searches owned by those users continue to run without any configuration change, because ownership in the search metadata is recorded by username.

If you want to transfer ownership of saved searches from a user under the native authentication scheme to a user under the LDAP scheme, you can edit the saved search metadata to make the LDAP user the owner of the saved search.

  1. On the Splunk Enterprise instance that contains the saved searches whose owner you want to change, use a text editor to open the $SPLUNK_HOME/etc/apps/<app_name>/metadata/local.meta file.
  2. In each [savedsearches/<search_name>] stanza in this file, change the owner = <username> setting to the corresponding LDAP username.
  3. Save your changes to the file.
  4. Restart Splunk Enterprise for your changes to take effect.
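The ownership transfer above, scripted so that only saved-search stanzas are touched, as an added shell example. This is not code from the Splunk documentation or product. It assumes the stanza layout the procedure describes ("[savedsearches/<name>]" headers followed by "owner = <username>" lines) and invents its own function names; views, macros and other objects whose stanzas sit in the same file are left alone.

```shell
#!/bin/sh
# Added example; this is not code from the Splunk documentation or product.
# Transfers ownership of saved searches from one username to another by
# rewriting "owner = <user>" lines in an app's metadata/local.meta, touching
# only [savedsearches/...] stanzas and leaving views, macros and other
# objects alone. Assumes the stanza layout the procedure describes:
# "[savedsearches/<name>]" headers followed by "owner = <username>" lines.

# reassign_savedsearch_owner META_FILE OLD_USER NEW_USER
# Saves META_FILE.bak, edits META_FILE in place (keeping its permissions),
# and prints the number of owner lines changed.
reassign_savedsearch_owner() {
    meta="$1"; old="$2"; new="$3"
    [ -f "$meta" ] || { echo "no such file: $meta" >&2; return 1; }
    cp -p "$meta" "$meta.bak"
    work="$meta.tmp.$$"
    awk -v old="$old" -v new="$new" -v cnt="$work.count" '
        # A stanza header starts a new object; remember whether it is a saved search.
        /^\[/ { insaved = ($0 ~ /^\[savedsearches\//) }
        # Inside a saved-search stanza, rewrite owner lines that name OLD_USER
        # (tolerating "owner=user" as well as "owner = user").
        insaved && /^[ \t]*owner[ \t]*=/ {
            val = $0
            sub(/^[ \t]*owner[ \t]*=[ \t]*/, "", val)
            sub(/[ \t]*$/, "", val)
            if (val == old) { $0 = "owner = " new; changed++ }
        }
        { print }
        END { print (changed + 0) > cnt }
    ' "$meta" > "$work" || { rm -f "$work" "$work.count"; return 1; }
    cat "$work" > "$meta" && rm -f "$work"
    changed=$(cat "$work.count"); rm -f "$work.count"
    echo "$changed"
}

# reassign_app_savedsearches APP OLD_USER NEW_USER
# The full procedure on a live instance: rewrite the app's local.meta, then
# restart so the change takes effect (skipped when no splunk binary is found).
reassign_app_savedsearches() {
    home="${SPLUNK_HOME:-/opt/splunk}"
    reassign_savedsearch_owner "$home/etc/apps/$1/metadata/local.meta" "$2" "$3" || return 1
    if [ -x "$home/bin/splunk" ]; then
        "$home/bin/splunk" restart
    fi
}
```

For example, `reassign_app_savedsearches search admin alice` moves every saved search in the search app that admin owned to the LDAP user alice and restarts the instance. The printed count lets you confirm that the number of searches reassigned matches what you expected before the restart commits the change.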
Last modified on 27 October, 2021

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.1.0, 9.1.1
