Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

LDAP prerequisites and considerations

If you want your Splunk platform instance to use a Lightweight Directory Access Protocol server for authentication, you must make some preparations on both the LDAP server and the Splunk platform. Read on to understand the preparations you must make before you can use LDAP as an authentication scheme.

Determine your LDAP User and Group Base Distinguished Name

Before you can connect your Splunk platform instance with your LDAP servers, you must determine your LDAP user and group base distinguished name (DN). The DN is the location in the directory where LDAP stores authentication information.

If you keep group membership information for users in a separate entry, enter a separate DN that identifies the subtree in the directory where the you store the group information. The Splunk platform searches users and groups recursively on all of the subnodes under this DN. If your LDAP tree does not have group entries, you can set the group base DN to the same as the user base DN to treat users as their own group. This requires further configuration, as described later in this topic.

If you can't get this information, contact your LDAP Administrator for assistance.

For best results when integrating the Splunk platform with Active Directory, place your group base DN in a separate hierarchy than the user base DN.

Additional considerations for configuring the Splunk platform to use LDAP for authentication

Following are some additional things to consider when you configure the Splunk platform to use LDAP as an authentication scheme:

  • The Splunk platform always uses LDAP protocol version 3.
  • LDAP entries in Splunk Web are case sensitive. Case sensitivity also applies to entries in the authentication.conf configuration file on Splunk Enterprise.
  • Any user that you create in the Splunk native authentication scheme takes precedence over an LDAP user with the same name. For example, if the LDAP server has a user with a username attribute (for instance, a common name (CN) or user ID (UID)) of "admin", and the default Splunk user of the same name is present, the native Splunk user takes precedence. The Splunk platform only accepts the native password, and upon login, the roles that the native user holdswill be in effect.
  • The number of LDAP groups that Splunk Web can display for mapping to roles is limited to the number your LDAP server can supply in response to a query. You can use the Search request size limit and Search request time limit settings to configure this.
    • On Splunk Enterprise only, to prevent the listing of unnecessary groups, use the groupBaseFilter setting in the authentication.conf configuration file. For example: groupBaseFilter = (|(cn=SplunkAdmins)(cn=SplunkPowerUsers)(cn=Help Desk))
    • On Splunk Enterprise only, if you must role map more than the maximum number of groups, you can edit the authentication.conf file directly. In the following example, "roleMap_AD" specifies the name of the Splunk strategy. Each setting/value pair maps a Splunk role to one or more LDAP groups:
[roleMap_AD]
admin = SplunkAdmins1;SplunkAdmins2
power = SplunkPowerUsers
user = SplunkUsers
Last modified on 20 May, 2024
Manage Splunk user roles with LDAP   Secure LDAP authentication with transport layer security (TLS) certificates

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters