Change authentication schemes from native to LDAP on Splunk Enterprise
If you choose to move from the native Splunk authentication scheme to the LDAP scheme, note that this change does not automatically disable native Splunk platform accounts. Accounts on the native Splunk authentication scheme take precedence over external authentication schemes, including the LDAP scheme.
Because of this precedence, you might need to delete native Splunk users so that logins resolve to the users from the LDAP scheme. This is only necessary when the same username exists in both schemes.
Secure local Splunk accounts
If you have configured Splunk Enterprise to use LDAP authentication, all local accounts using Splunk authentication are still present and active, including the "admin" account. You must consider the security implications of this.
To remove all the current local accounts after you enable LDAP authentication:
- On the Splunk Enterprise instance where you want to disable the native user accounts, use a command prompt or file system tools to move the $SPLUNK_HOME/etc/passwd file to a different file, such as passwd.bak.
- Create a blank $SPLUNK_HOME/etc/passwd file.
- Restart Splunk Enterprise.
You can still create accounts in the native authentication scheme when Splunk Enterprise uses LDAP for authentication. Also, any native Splunk accounts that must remain for backup or disaster-recovery purposes must use a strong password.
When you use LDAP for authentication, confirm that your LDAP implementation enforces:
- Strong password requirements for length and complexity.
- A low incorrect attempt threshold for password lockout.
How saved searches work under the LDAP authentication scheme
If the usernames you use with the LDAP authentication scheme are the same usernames that you previously used (and then deleted) in the native scheme, you can run saved searches without any kind of configuration change.
If you want to transfer ownership of saved searches from a user under the native authentication scheme to a user under the LDAP scheme, you can edit the saved search metadata to make the LDAP user the owner of the saved search.
- On the Splunk Enterprise instance that contains the saved searches whose owner you want to change, use a text editor to modify the $SPLUNK_HOME/etc/apps/<app_name>/metadata/local.meta file.
- Under each savedsearch permission stanza in this file, change the owner = <username> field to the corresponding LDAP username.
- Save changes to the file.
- Restart Splunk Enterprise for your changes to take effect.
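The ownership swap above is easy to get wrong by hand when an app has many saved searches, so here is an added example (not Splunk's own code) that performs the edit over a constructed local.meta sample. It assumes the Splunk stanza header form [savedsearches/<name>] and a caller-supplied map from deleted native usernames to their LDAP counterparts; it rewrites only the owner field under savedsearches stanzas and leaves other stanzas and access lists untouched.

```python
import re
from typing import Dict

# Constructed sample local.meta for demonstration; not from any real deployment.
SAMPLE_LOCAL_META = """\
[savedsearches/Failed%20Logins]
owner = jsmith
access = read : [ * ], write : [ admin, power ]
export = none

[savedsearches/Host%20Inventory]
owner = admin
access = read : [ * ], write : [ admin ]

[views/summary]
owner = jsmith
access = read : [ * ], write : [ admin ]
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
OWNER_RE = re.compile(r"^(?P<key>owner\s*=\s*)(?P<user>\S+)\s*$")


def reassign_savedsearch_owners(meta_text: str, user_map: Dict[str, str]) -> str:
    """Rewrite 'owner = <native user>' only inside [savedsearches/...] stanzas.

    user_map maps a deleted native username to its LDAP username (assumed
    mapping supplied by the administrator). Other object stanzas (views, etc.)
    and the access lists are passed through unchanged, matching the procedure.
    """
    out = []
    in_savedsearch = False
    for line in meta_text.splitlines():
        header = STANZA_RE.match(line)
        if header:
            in_savedsearch = header.group("name").startswith("savedsearches/")
        elif in_savedsearch:
            owner = OWNER_RE.match(line)
            if owner and owner.group("user") in user_map:
                line = owner.group("key") + user_map[owner.group("user")]
        out.append(line)
    return "\n".join(out) + "\n"


def count_owners(meta_text: str, user: str) -> int:
    """Count stanzas of any type owned by `user`; useful as a before/after check."""
    total = 0
    for line in meta_text.splitlines():
        owner = OWNER_RE.match(line)
        if owner and owner.group("user") == user:
            total += 1
    return total
```

Run count_owners on the file before and after the rewrite to confirm that only the expected number of saved-search owners changed, then restart Splunk Enterprise as the procedure states.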
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2