Splunk® Enterprise

Securing the Splunk Platform

Acrobat logo Download manual as PDF

Splunk Enterprise version 7.3 will no longer be supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
Acrobat logo Download topic as PDF

Set up user authentication with LDAP

Splunk Enterprise supports three types of authentication systems:

About configuring LDAP authentication for Splunk Enterprise

Splunk Enterprise allows user and role configuration for LDAP users and groups. You can configure one or many LDAP servers and map users and user groups from your servers to Splunk roles. You can also configure authentication tokens

For more information about configuring multiple LDAP servers, see "How Splunk works with multiple LDAP servers."

Before you configure LDAP, take a look at "LDAP prerequisites and considerations."

After you configure LDAP as an authentication scheme, see Set up authentication with tokens for more information on creating authentication tokens for LDAP users.

How to configure LDAP authentication

These are the main steps to configure Splunk Enterprise to work with LDAP:

  1. Configure one or more LDAP strategies (typically, you configure one strategy per LDAP server).
  2. Map your LDAP groups to one or more Splunk roles.
  3. If you have multiple LDAP servers, specify the connection order of their servers.

You can perform these steps in Splunk Web or by editing the configuration file. See "Configure LDAP with Splunk Web" or "Configure LDAP with the configuration file" for more information.

Authentication precedence

Native Splunk authentication takes precedence over any external schemes. This is the order in which Splunk Enterprise authenticates a user:

  1. Splunk Enterprise attempts native authentication first. If the account is expired or otherwise fails, there is no follow up LDAP login attempt.
  2. If a local user does not exist, Splunk Enterprise attempts an LDAP login or a scripted authentication, if that is enabled. For more information about scripted authentication, see "Set up user authentication with external systems."


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has around LDAP authentication with Splunk.

Last modified on 10 June, 2020
Troubleshoot token authentication
Manage Splunk user roles with LDAP

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2, 8.1.3

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters