Splunk Cloud Platform

Securing Splunk Cloud Platform

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Best practice for removing an LDAP user

If you remove a user from your LDAP directory, Splunk Enterprise does not automatically remove the corresponding Splunk user. Usually this is not an issue, but if the user has global permissions of any sort, LDAP may generate errors.

To more information about working with LDAP users in Splunk Enterprise, see "Set up user authentication with LDAP" in this maual.

Take the following steps to safely remove a Splunk user:

1. First, back up the $HOME/splunk/etc/users/$userid folder.

2. Search the files under $HOME/splunk/etc/apps/ for the user id string to see if the user owns any searches or objects with global permissions.

3. For any searches or objects that the user owns, change the owner. You change it an admin user or maintenance account, or whatever you prefer.

4. Check splunkd.log on the search head to make sure there are no further LDAP authentication errors.

5. Once you have redirected any object ownership, you can safely remove the $HOME/splunk/etc/users/$userid folder.

Last modified on 21 June, 2016
Convert to LDAP from Splunk authentication
Configure single sign-on with SAML

This documentation applies to the following versions of Splunk Cloud Platform: 8.1.2103, 8.2.2104, 8.2.2105 (latest FedRAMP release), 8.2.2106, 8.2.2107

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters