Splunk® Enterprise

Securing the Splunk Platform

Acrobat logo Download manual as PDF


Splunk Enterprise version 7.3 will no longer be supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Set up user authentication with LDAP

The Splunk platform supports several types of authentication schemes, including Lightweight Directory Access Protocol (LDAP).

About configuring LDAP authentication for Splunk Cloud

The Splunk platform lets you configure user and role configuration for LDAP users and groups. You can configure one or many LDAP servers and map users and user groups from your servers to Splunk roles. You can also configure authentication tokens for LDAP users.

Before you configure LDAP, read LDAP prerequisites and considerations.

After you configure LDAP as an authentication scheme, see Set up authentication with tokens for more information on creating authentication tokens for LDAP users.

How to configure LDAP as an authentication scheme

Following are the main steps to configure the Splunk platform to work with LDAP for authentication:

  1. Configure one or more LDAP strategies, typically one strategy per LDAP server.
  2. Map LDAP groups to one or more Splunk roles.
  3. If you have multiple LDAP servers, specify the connection order of the servers.

In Splunk Cloud, you can perform these steps in Splunk Web. See Configure LDAP with Splunk Web.

In Splunk Enterprise, you can use either Splunk Web or configuration files to configure LDAP. To use configuration files to configure LDAP, see Configure LDAP with configuration files.

If you need to configure multiple LDAP servers to work with your Splunk platform instance, see How Splunk works with multiple LDAP servers.

Precedence of Splunk authentication schemes

The native Splunk authentication scheme takes precedence over any external schemes. Precedence is the order in which the Splunk platform authenticates a user:

  1. The Splunk platform attempts native authentication first. If authentication fails outside of a local account that doesn't exist, there is no follow up attempt to use LDAP to login.
  2. If a local account does not exist, the Splunk platform attempts an LDAP login.
  3. On Splunk Enterprise only, if you have configured scripted authentication, the instance then attempts to log in using a script. For more information about scripted authentication, see Set up user authentication with external systems.
Last modified on 23 April, 2021
PREVIOUS
Troubleshoot token authentication
  NEXT
Manage Splunk user roles with LDAP

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters