Splunk® Enterprise

Securing Splunk Enterprise

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Set up user authentication with LDAP

The Splunk platform supports several types of authentication schemes, including Lightweight Directory Access Protocol (LDAP).

About configuring LDAP authentication for

The Splunk platform lets you configure user and role configuration for LDAP users and groups. You can configure one or many LDAP servers and map users and user groups from your servers to Splunk roles. You can also configure authentication tokens for LDAP users.

Before you configure LDAP, read LDAP prerequisites and considerations.

After you configure LDAP as an authentication scheme, see Set up authentication with tokens for more information on creating authentication tokens for LDAP users.

How to configure LDAP as an authentication scheme

Following are the main steps to configure the Splunk platform to work with LDAP for authentication:

  1. Configure one or more LDAP strategies, typically one strategy per LDAP server.
  2. Map LDAP groups to one or more Splunk roles.
  3. If you have multiple LDAP servers, specify the connection order of the servers.

In Splunk Cloud, you can perform these steps in Splunk Web. See Configure LDAP with Splunk Web.

In Splunk Enterprise, you can use either Splunk Web or configuration files to configure LDAP. To use configuration files to configure LDAP, see Configure LDAP with configuration files.

If you need to configure multiple LDAP servers to work with your Splunk platform instance, see How Splunk works with multiple LDAP servers.

Precedence of Splunk authentication schemes

The native Splunk authentication scheme takes precedence over any external schemes. Precedence is the order in which the Splunk platform authenticates a user:

  1. The Splunk platform attempts native authentication to log the user in first. If authentication fails, and the failure is not due to a nonexistent local account, then the platform does not attempt to use LDAP to login.
  2. If the failure is due to a nonexistent local account, then the Splunk platform attempts a login using the LDAP authentication scheme.
  3. On Splunk Enterprise only, if you have configured scripted authentication, the instance then attempts to log in using a script. For more information about scripted authentication, see Set up user authentication with external systems.
Last modified on 08 May, 2023
PREVIOUS
Set up native Splunk authentication
  NEXT
Manage Splunk user roles with LDAP

This documentation applies to the following versions of Splunk® Enterprise: 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.2.0


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters