Splunk® Enterprise

Securing Splunk Enterprise

Map LDAP groups and users to Splunk roles using configuration files

After you set up LDAP authentication and users, you can map LDAP groups and users to roles in Splunk Web.

As an alternative to using Splunk Web to map roles, on Splunk Enterprise, you can edit the authentication.conf configuration file contained in $SPLUNK_HOME/etc/system/local/. There are further examples at the end of the authentication.conf spec file.

To set up LDAP for Splunk Enterprise using configuration files, see Configure LDAP using configuration files. For information on configuration files in general, see About configuration files In the Admin Manual.

Map groups to roles

To map Splunk roles to groups in an LDAP strategy, you must set up a roleMap stanza for that strategy in the authentication.conf file. Each strategy requires its own roleMap stanza. The following example maps roles for groups in the "ldaphost1" strategy:

[roleMap_ldaphost1]
admin = SplunkAdmins
itusers = ITAdmins

Map users to roles directly

If you need to map users directly to Splunk roles, you can do so by setting the groupBaseDN setting in the authentication.conf file to the value of userBaseDN.

Also configuring the following settings to the same value as userNameAttribute:

  • groupMappingAttribute
  • groupMemberAttribute
  • groupNameAttribute

See the following example:

[supportLDAP]
SSLEnabled = 0
bindDN = cn=Directory Manager
bindDNpassword = #########
groupBaseDN = ou=People,dc=splunksupport,dc=com
groupBaseFilter = (objectclass=*)
groupMappingAttribute = MyUserID
groupMemberAttribute = MyUserID
groupNameAttribute = MyUserID
host = supportldap.splunksupport.com
port = 389
realNameAttribute = cn
userBaseDN = ou=People,dc=splunksupport,dc=com
userBaseFilter = (objectclass=*)
userNameAttribute = MyUserID

[roleMap_supportLDAP]
admin = rlee;bsmith
Last modified on 27 October, 2021
Configure LDAP using configuration files   Change authentication schemes from native to LDAP on Splunk Enterprise

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters