Edit authentication.conf
To integrate your authentication system with your Splunk deployment, make sure the authentication system is running and then do the following:
1. Create and test a Python authentication script. See "Create the authentication script" for the procedure.
2. Edit authentication.conf to enable your authentication script. See "Enable your script" in this topic.
3. Edit authentication.conf to set your cache duration. See "Set cache durations" in this topic.
Enable your script
Once you create a Python script to implement authentication, you update the authentication.conf
in $SPLUNK_HOME/etc/system/local/
to enable your script. You can also copy and edit a sample authentication.conf
from $SPLUNK_HOME/share/splunk/authScriptSamples/
.
Specify Scripted
as your authentication type under the [authentication]
stanza heading:
[authentication] authType = Scripted authSettings = script
Set script variables under the [script]
stanza heading. For example:
[script] scriptPath = $SPLUNK_HOME/bin/python $SPLUNK_HOME/bin/<scriptname.py>
Set cache durations
To significantly speed authentication performance when using scripted authentication, enable Splunk authentication caching. You do so by adding the optional [cacheTiming]
stanza. Each script function (except getSearchFilter
) has a settable cacheTiming
attribute, which turns on caching for that function and specifies its cache duration. For example, to specify the cache timing for the getUserInfo
function, use the getUserInfoTTL
attribute. Caching for a function occurs only if its associated attribute is specified.
The cacheTiming
settings specify the frequency at which Splunk software calls your script to communicate with the external authentication system. You can specify time in seconds (s), minutes (m), hours (h), days (d), etc. Typically, you'll limit the cache frequency to seconds or minutes. If a unit is not specified, the value defaults to seconds. So, a value of "5" is equivalent to "5s".
This example shows typical values for the caches:
[cacheTiming] userLoginTTL = 10s getUserInfoTTL = 1m getUsersTTL = 2m
You'll want to set userLoginTTL
to a low value, since this determines how long user login/password validity is cached.
To refresh all caches immediately, use the CLI command reload auth
:
./splunk reload auth
Note: This command does not boot current users off the system.
You can also refresh caches in Splunk Web:
1. In the System menu, under Users and authentication select Access controls.
2. Click Authentication method.
3. Click Reload authentication configuration to refresh the caches.
Each specified function, except getUsers
, has a separate cache for each user. So, if you have 10 users logged on and you've specified the getUserInfoTTL
attribute, the getUserInfo
function will have 10 user-based caches. The getUsers
function encompasses all users, so it has a single, global cache.
Create the authentication script | Use PAM authentication |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14
Feedback submitted, thanks!