https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357510#M8969 <P>Where do these users need to login? If you are giving them access to just perform searches then typically you would just configure ldap authentication on the search head cluster.</P> Mon, 19 Jun 2017 14:51:22 GMT suarezry 2017-06-19T14:51:22Z https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357509#M8968 <P>I was wondering what the best practice is when choosing where to configure LDAP authentication. I'm just not sure which instance.</P> <P>I currently have a 10 VM environment separated as:</P> <UL> <LI>1 Deployment Server</LI> <LI>1 Master Node + 3 Indexers</LI> <LI>1 Cluster Master + 2 Search heads</LI> <LI>2 Universal Forwarders</LI> </UL> Mon, 19 Jun 2017 13:11:13 GMT https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357509#M8968 Buonomon2 2017-06-19T13:11:13Z https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357510#M8969 <P>Where do these users need to login? If you are giving them access to just perform searches then typically you would just configure ldap authentication on the search head cluster.</P> Mon, 19 Jun 2017 14:51:22 GMT https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357510#M8969 suarezry 2017-06-19T14:51:22Z https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357511#M8970 <P>Users only get to log into the Search Head. I would manually create local admin users on the other nodes.</P> Mon, 19 Jun 2017 15:09:38 GMT https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357511#M8970 woodcock 2017-06-19T15:09:38Z https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357512#M8971 <P>I am a fan of creating an authentication app that gets deployed everywhere. I do that because I also disable the passwd file in <CODE>$SPLUNK_HOME/etc/passwd</CODE>. The result is that only authenticated users can access splunkd on any splunk instance (even forwarders). This ensures that I have an audit of access and changes to the instances as best as splunk can do it.</P> Thu, 22 Jun 2017 21:17:16 GMT https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357512#M8971 sloshburch 2017-06-22T21:17:16Z https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357513#M8972 <P>I'm going to combine the approaches of @woodcock and of @SloshBurch. </P> <P>[1] Every Splunk server gets the same authentication app (except forwarders because read below)<BR /> [2] All indexers have the Splunk Web UI disabled, so only search heads, deployment servers, and other infrastructure nodes are log-in-able (except via REST API)<BR /> [3] UFs have the REST API port disabled entirely - manage them via configuration management and you'll never need to log in.</P> <P>If I'm in a highly secure environment, I might deploy different <STRONG>authorization</STRONG> (not authentication but authorization) for my DS and CM and so forth so that my "most basic generic user role" (might be user, might not be?) has practically no access at all via that node. Sure they can authenticate, but they can't do anything;. </P> Tue, 27 Jun 2017 03:44:40 GMT https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357513#M8972 dwaddle 2017-06-27T03:44:40Z https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357514#M8973 <P>oooo. I like. Lazy question: what setting do you use for disabling REST API on forwarders? Feel free to call me out and say I should just read the docs...I would deserve it <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Tue, 27 Jun 2017 13:10:17 GMT https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357514#M8973 sloshburch 2017-06-27T13:10:17Z https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357515#M8974 <P>"There's an app for that" <A href="https://github.com/georgestarcher/UF-TA-killrest">https://github.com/georgestarcher/UF-TA-killrest</A></P> Tue, 27 Jun 2017 13:32:45 GMT https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357515#M8974 dwaddle 2017-06-27T13:32:45Z https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357516#M8975 <P>Ha ha. Thanks for that. I appreciate that the author kept it minimal. For anyone looking for just that setting:</P> <P>server.conf</P> <PRE><CODE>disableDefaultPort = true|false * If true, turns off listening on the splunkd management port (8089 by default) * This setting is not recommended: * This is the general communication path to splunkd. If it is disabled, there is no way to communicate with a running splunk. * This means many command line splunk invocations cannot function, splunkweb cannot function, the REST interface cannot function, etc. * If you choose to disable the port anyway, understand that you are selecting reduced Splunk functionality. * Default value is 'false'. </CODE></PRE> Wed, 28 Jun 2017 12:16:46 GMT https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357516#M8975 sloshburch 2017-06-28T12:16:46Z https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357517#M8976 <P>is that mean , if indexer have the UI enable, i not able to setup ldap?</P> <P>caz i notice problem ldap setup in indexer ui<BR /><BR /> Access controls » Authentication method » LDAP strategies - ldap strategy but <BR /> i cant Map groups under Actions <BR /> in Searchhead/Deployment server all working but not in indexer ui.</P> Thu, 19 Apr 2018 21:45:42 GMT https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357517#M8976 chandanghoshCTL 2018-04-19T21:45:42Z https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357518#M8977 <P>Make sure the password is correct in the LDAP strategy and then restart to get it to hash again. Also, check your _internal events for correlating error messages.</P> <P>If that still doesn't resolve, open a support case cause you might need someone to work with you in real time to find exactly what config is wrong.</P> Fri, 04 May 2018 16:26:30 GMT https://community.splunk.com/t5/Security/Which-Splunk-instance-should-be-chosen-for-LDAP-authentication/m-p/357518#M8977 sloshburch 2018-05-04T16:26:30Z