topic Re: Failsafe user working? in Security

Failsafe user working?

hcpr — Tue, 29 Jun 2010 21:13:14 GMT

Hi folks.

I have a Splunk setup to authenticate by LDAP, and this works reasonably well. Sometimes auth stops working for no apparent reason, and that's when this question becomes interesting.

I can't get the "failsafe" user in LDAP conf to work. Dos this function as intended for anyone? If so, how do i make it work? Currently any attempt to log on as the user listed as failsafe user in the LDAP config just returns the normal authentication failed message.

Any suggestions?

Re: Failsafe user working?

treinke — Wed, 30 Jun 2010 00:09:36 GMT

Which version of Splunk are you using? I am currently on 4.1.2 and you can have both local and ldap users in the Splunk system.

Re: Failsafe user working?

Simeon — Wed, 30 Jun 2010 00:31:08 GMT

You should check the splunkd.log for why the LDAP authentication fails. If all of the LDAP auth fails, then there is likely a problem with your connectivity to the system. You should ensure that you are not using an alias for the LDAP host and that your LDAP server is not returning referrals.

Additionally, if you manually copied the authentication configuration from another machine then you will need to re-enter the passwords so they are encrypted with the correct key.

Another possible condition is that your failsafe username exists in your LDAP system, thus causing a conflict. You should make sure the failsafe username is unique.

Re: Failsafe user working?

Simeon — Wed, 30 Jun 2010 00:31:28 GMT

Please detail the version of Splunk you are using, as 4.0 differs from 4.1.

Re: Failsafe user working?

the_wolverine — Wed, 30 Jun 2010 00:41:25 GMT

If you recently migrated to version 4.1.x, your failsafe user (as configured in authentication.conf) is disabled. The new failsafe user is "admin" and is accessible from the UI:

Manager >> Access Controls >> Users

The default password is "changeme" and can be changed from the UI as well.