topic Re: How do I convert from basic auth to LDAP without losing any user data? in Security

How do I convert from basic auth to LDAP without losing any user data?

Alan_Bradley — Sat, 20 Mar 2010 06:38:06 GMT

I'd like to convert a busy server with a bunch of users from default auth to LDAP. How can I do so without losing any of their saved searches and other data?

Re: How do I convert from basic auth to LDAP without losing any user data?

matt — Sat, 20 Mar 2010 06:38:49 GMT

You will have to first identify the local auth user ids (./splunk list user). You will then need to modify your saved searches.conf and swap the userid= field in each stanza to be the ldap userid. I would recommend migrating auth to LDAP, creating one saved search as an LDAP user so you can verify that you have the format of the LDAP userid, and then making the changes to the existing saved searches. Once you finish modifying the savedsearches.conf you will need to restart Splunk.

Re: How do I convert from basic auth to LDAP without losing any user data?

the_wolverine — Fri, 09 Apr 2010 12:23:24 GMT

The easiest way to identify the local Splunkauth users is to check your $SPLUNK_HOME/etc/passwd file which is in the same format as unix passwd.

Figure out which of these users correspond to which LDAP users.

Then locate your user's savedsearches and swap out the userid field with the corresponding ldap userid.

Re: How do I convert from basic auth to LDAP without losing any user data?

gkanapathy — Sun, 11 Apr 2010 21:12:28 GMT

In versions 4.x, changing the userid field will only change the ownership of shared items. To make sure that private items are also connected to the old user, the contents of the directory $SPLUNK_HOME/etc/users/olduserid must be copied or moved to $SPLUNK_HOME/etc/users/newuserid.