Splunk Cloud Platform

Securing Splunk Cloud Platform

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Remove an LDAP user safely on Splunk Enterprise

If you remove a user from your LDAP directory, Splunk Enterprise does not automatically remove the corresponding Splunk user. Usually this is not a problem, but if the user has global permissions of any sort, LDAP might generate errors.

Take the following steps to safely remove a Splunk user:

  1. Back up the $HOME/splunk/etc/users/$userid folder.
  2. Search the files under $HOME/splunk/etc/apps/ for the user ID string to see if the user owns any searches or objects with global permissions.
  3. For any searches or objects that the user owns, change the owner. You can change it any other valid user.
  4. On search heads, review splunkd.log to confirm there are no LDAP authentication errors associated with the user.
  5. Once you have redirected object ownership, you can safely remove the $HOME/splunk/etc/users/$userid folder.
Last modified on 18 October, 2021
Change authentication schemes from native to LDAP on Splunk Enterprise
Configure single sign-on with SAML

This documentation applies to the following versions of Splunk Cloud Platform: 8.1.2103, 8.2.2105 (latest FedRAMP release), 8.2.2104, 8.2.2106, 8.2.2107, 8.2.2109

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters