How the Splunk platform works with multiple LDAP servers for authentication
The Splunk platform can search against multiple LDAP servers when it authenticates users. To configure multiple LDAP servers, you set up multiple LDAP "strategies," one for each LDAP server.
After you create LDAP strategies, you can specify the order in which you want the Splunk platform to query the strategies when searching for LDAP users. If you do not specify a search order, the Splunk platform assigns a default "connection order" based on the order in which you created the strategies.
How connection order works during a search
During authentication, the Splunk platform searches based on the strategies you created for your LDAP servers in the specified connection order. After the Splunk platform locates the user on a server, it stops searching and takes those credentials. If the user also has credentials on a server later in the search order, the Splunk platform ignores those credentials.
For example, assume that you configure and enable three strategies in this order: A, B, C. The Splunk platform searches the servers in that same order: A, B, C. If it finds the user on Strategy A, it stops looking. Even if the user also exists on strategies B and C, the Splunk platform only uses Strategy A's credentials for that user. If the Splunk platform does not find the user on Strategy A, it searches the remaining servers: first Strategy B, then Strategy C.
If you later disable Strategy A, the Splunk platform searches the remaining strategies in the order: B, C.
You can change the connection order at any time by editing the strategies' properties in Splunk Web. On Splunk Enterprise only, you can also change the order using the
authSettings setting, as described in the authentication.conf specification file. For more information about editing this file for LDAP, see Edit authentication.conf.
Secure LDAP authentication with transport layer security (TLS) certificates
Configure LDAP with Splunk Web
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2112, 8.2.2201, 8.2.2203, 9.0.2205, 8.2.2202, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305 (latest FedRAMP release), 9.1.2308, 9.1.2312