Best practice for removing an LDAP user
If you remove a user from your LDAP directory, Splunk Enterprise does not automatically remove the corresponding Splunk user. Usually this is not an issue, but if the user has global permissions of any sort, LDAP may generate errors.
For more information about working with LDAP users in Splunk Enterprise, see "Set up user authentication with LDAP" in this manual.
Take the following steps to safely remove a Splunk user:
1. First, back up the
2. Search the files under $HOME/splunk/etc/apps/ for the user id string to see if the user owns any searches or objects with global permissions.
3. For any searches or objects that the user owns, change the owner. You can change it to an admin user or maintenance account, or whatever you prefer.
splunkd.log on the search head to make sure there are no further LDAP authentication errors.
5. Once you have redirected any object ownership, you can safely remove the
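The ownership search in step 2 can be scripted. The following is an added example, not part of the Splunk documentation: it assumes ownership is recorded in each app's metadata/*.meta files as `owner = <user>` and that `export = system` marks a globally shared object. The function names, the user "jdoe" and the sample metadata are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Splunk's own tooling). Assumes ownership is recorded in
# metadata/*.meta files as "owner = <user>" and that "export = system" marks
# a globally shared object.

# owned_objects <apps_dir> <userid>
# Prints: <meta file> TAB <stanza> TAB <export scope, or "none">
owned_objects() {
    find "$1" -type f -name '*.meta' | sort | while IFS= read -r f; do
        awk -v user="$2" -v file="$f" '
            function emit() {
                if (stanza != "" && owner == user)
                    printf "%s\t%s\t%s\n", file, stanza, (scope == "" ? "none" : scope)
            }
            function value(line) {
                sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t\r]+$/, "", line); return line
            }
            /^\[/                  { emit(); stanza = $0; owner = ""; scope = ""; next }
            /^[ \t]*owner[ \t]*=/  { owner = value($0) }
            /^[ \t]*export[ \t]*=/ { scope = value($0) }
            END                    { emit() }
        ' "$f"
    done
}

# global_objects <apps_dir> <userid>: only the objects shared globally.
global_objects() {
    owned_objects "$1" "$2" | awk -F '\t' '$3 == "system"'
}

# make_sample <dir>: constructed metadata for a hypothetical app and user "jdoe".
make_sample() {
    mkdir -p "$1/search/metadata"
    cat > "$1/search/metadata/local.meta" <<'EOF'
[savedsearches/Failed%20logins]
owner = jdoe
export = system

[views/ops_dashboard]
owner = admin
export = system

[savedsearches/scratch]
owner = jdoe
EOF
}

sample=$(mktemp -d)
make_sample "$sample"
owned_objects "$sample" jdoe   # lists both jdoe stanzas; only the first is global
rm -rf "$sample"
```

Run `global_objects` against the real apps directory before and after reassigning ownership; an empty result afterwards means no globally shared object still names the removed user as owner.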
This documentation applies to the following versions of Splunk Cloud Platform™: 8.1.2103, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106, 8.2.2107