Remove an LDAP user safely on Splunk Enterprise
If you remove a user from your LDAP directory, Splunk Enterprise does not automatically remove the corresponding Splunk user. Usually this is not a problem, but if the user has global permissions of any sort, LDAP might generate errors.
Take the following steps to safely remove a Splunk user:
- Back up the
- Search the files under
$HOME/splunk/etc/apps/for the user ID string to see if the user owns any searches or objects with global permissions.
- For any searches or objects that the user owns, change the owner. You can change it any other valid user.
- On search heads, review
splunkd.logto confirm there are no LDAP authentication errors associated with the user.
- Once you have redirected object ownership, you can safely remove the
Change authentication schemes from native to LDAP on Splunk Enterprise
Configure single sign-on with SAML
This documentation applies to the following versions of Splunk Cloud Platform™: 8.1.2103, 8.2.2105 (latest FedRAMP release), 8.2.2104, 8.2.2106, 8.2.2107, 8.2.2109