Splunk® Enterprise

Securing Splunk Enterprise

Splunk Enterprise version 7.3 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Set up user authentication with LDAP

The Splunk platform supports several types of authentication schemes, including the Lightweight Directory Access Protocol (LDAP).

About configuring LDAP authentication for

The Splunk platform lets you configure user and role configuration for LDAP users and groups. You can configure the Splunk platform to use one or many LDAP servers, then map users and user groups from your servers to Splunk roles. You can also configure Splunk authentication tokens for LDAP users.

Before you configure the Splunk platform for LDAP, read LDAP prerequisites and considerations.

After you configure LDAP as an authentication scheme, see Set up authentication with tokens if you want information on creating authentication tokens for LDAP users.

How to configure LDAP as an authentication scheme

Following are the main steps to configure the Splunk platform to work with LDAP for authentication:

  1. Configure one or more LDAP strategies, typically one strategy per LDAP server.
  2. Map LDAP groups to one or more Splunk roles.
  3. If you have multiple LDAP servers, specify the connection order of the servers.

In Splunk Cloud Platform, you can perform these steps in Splunk Web. See Configure LDAP with Splunk Web.

In Splunk Enterprise, you can use either Splunk Web or configuration files to configure LDAP. To use configuration files to configure LDAP, see Configure LDAP with configuration files.

If you need to configure multiple LDAP servers to work with your Splunk platform instance, see How Splunk works with multiple LDAP servers.

Precedence of Splunk authentication schemes

The native Splunk authentication scheme takes precedence over any external schemes. Precedence is the order in which the Splunk platform authenticates a user:

  1. The Splunk platform attempts native authentication to log the user in first. If authentication fails, and the failure is not due to a nonexistent local account, then the platform does not attempt to use LDAP to login.
  2. If the failure is due to a nonexistent local account, then the Splunk platform attempts a login using the LDAP authentication scheme.
  3. On Splunk Enterprise only, if you have configured scripted authentication, the instance then attempts to log in using a script. For more information about scripted authentication, see Set up user authentication with external systems.
Last modified on 20 May, 2024
Troubleshoot token authentication   Manage Splunk user roles with LDAP

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters