Edit authentication.conf
To integrate your authentication system with your Splunk deployment, make sure the authentication system is running and then do the following:
1. Create and test a Python authentication script. See "Create the authentication script" for the procedure.
2. Edit authentication.conf to enable your authentication script. See "Enable your script" in this topic.
3. Edit authentication.conf to set your cache duration. See "Set cache durations" in this topic.
Enable your script
Once you create a Python script to implement authentication, you update the authentication.conf in $SPLUNK_HOME/etc/system/local/ to enable your script. You can also copy and edit a sample authentication.conf from $SPLUNK_HOME/share/splunk/authScriptSamples/.
Specify Scripted as your authentication type under the [authentication] stanza heading:
[authentication] authType = Scripted authSettings = script
Set script variables under the [script] stanza heading. For example:
[script] scriptPath = $SPLUNK_HOME/bin/python $SPLUNK_HOME/bin/<scriptname.py>
Set cache durations
To significantly speed authentication performance when using scripted authentication, enable Splunk authentication caching. You do so by adding the optional [cacheTiming] stanza. Each script function (except getSearchFilter) has a settable cacheTiming attribute, which turns on caching for that function and specifies its cache duration. For example, to specify the cache timing for the getUserInfo function, use the getUserInfoTTL attribute. Caching for a function occurs only if its associated attribute is specified.
The cacheTiming settings specify the frequency at which Splunk software calls your script to communicate with the external authentication system. You can specify time in seconds (s), minutes (m), hours (h), days (d), etc. Typically, you'll limit the cache frequency to seconds or minutes. If a unit is not specified, the value defaults to seconds. So, a value of "5" is equivalent to "5s".
This example shows typical values for the caches:
[cacheTiming] userLoginTTL = 10s getUserInfoTTL = 1m getUsersTTL = 2m
You'll want to set userLoginTTL to a low value, since this determines how long user login/password validity is cached.
To refresh all caches immediately, use the CLI command reload auth:
./splunk reload auth
Note: This command does not boot current users off the system.
You can also refresh caches in Splunk Web:
1. In the System menu, under Users and authentication select Access controls.
2. Click Authentication method.
3. Click Reload authentication configuration to refresh the caches.
Each specified function, except getUsers, has a separate cache for each user. So, if you have 10 users logged on and you've specified the getUserInfoTTL attribute, the getUserInfo function will have 10 user-based caches. The getUsers function encompasses all users, so it has a single, global cache.
| Create the authentication script | Use PAM authentication |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14
Download manual
Feedback submitted, thanks!