
LDAP prerequisites and considerations
There are some preparations you must make with both your Lightweight Directory Access Protocol (LDAP) network and the Splunk platform before you use LDAP as an authentication scheme.
Determine your User and Group Base Distinguished Name
Before you map your LDAP settings to Splunk settings, determine your user and group base DN, or distinguished name. The DN is the location in the directory where authentication information is stored.
If you keep group membership information for users in a separate entry, enter a separate DN that identifies the subtree in the directory where the you store the group information. The Splunk platform searches users and groups recursively on all of the subnodes under this DN. If your LDAP tree does not have group entries, you can set the group base DN to the same as the user base DN to treat users as their own group. This requires further configuration, described later in this topic.
If you can't get this information, contact your LDAP Administrator for assistance.
For best results when integrating the Splunk platform with Active Directory, place your Group Base DN in a separate hierarchy than the User Base DN.
Additional considerations
When you configure the Splunk platform to work with LDAP, note the following:
- Entries in Splunk Web are case sensitive. Case sensitivity also applies to entries in the
authentication.conf
file on Splunk Enterprise. - Any user that you create in the Splunk native authentication scheme takes precedence over an LDAP user with the same name. For example, if the LDAP server has a user with a username attribute (for instance, cn or uid) of 'admin' and the default Splunk user of the same name is present, the native Splunk user takes precedence. The Splunk platform only accepts the local password, and upon login, the roles mapped to the local user will be in effect.
- The number of LDAP groups Splunk Web can display for mapping to roles is limited to the number your LDAP server can return in a query. You can use the Search request size limit and Search request time limit settings to configure this.
- To prevent the Splunk platform from listing unnecessary groups, use the
groupBaseFilter
. For example:groupBaseFilter = (|(cn=SplunkAdmins)(cn=SplunkPowerUsers)(cn=Help Desk))
- On Splunk Enterprise only, if you must role map more than the maximum number of groups, you can edit the
authentication.conf
file directly. In the following example, "roleMap_AD" specifies the name of the Splunk strategy. Each setting/value pair maps a Splunk role to one or more LDAP groups:
- To prevent the Splunk platform from listing unnecessary groups, use the
[roleMap_AD] admin = SplunkAdmins1;SplunkAdmins2 power = SplunkPowerUsers user = SplunkUsers
- The Splunk platform always uses LDAP protocol version 3.
PREVIOUS Manage Splunk user roles with LDAP |
NEXT Secure LDAP authentication with transport layer security (TLS) certificates |
This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.1.0, 9.1.1, 9.1.2
Feedback submitted, thanks!