https://community.splunk.com/t5/Splunk-Search/Search-Head-Cluster-How-to-manage-new-roles-between-Search-Head/m-p/154702#M43497 <P>This is a tricky one, the authorize.conf is where the roles are defined, so what we do is create an application called <BR /> auth_dev</P> <P>and we include in the default folder two files:<BR /> authorize.conf<BR /> authentication.conf</P> <P>in <STRONG>authorize.conf</STRONG> we define the role:</P> <PRE><CODE>[role_somethingnew] srchIndexesAllowed = mynewindex srchIndexesDefault = mynewindex srchMaxTime = 0 </CODE></PRE> <P>in <STRONG>authentication.conf</STRONG> we define the map for ldap group:</P> <PRE><CODE>[roleMap_MYCOMPANY-LDAP-DEV] somethingnew = SOME_AD_GROUP </CODE></PRE> <P>Then we push this app from the deployer.</P> <P>The thing you need to consider is local authentication.conf on each SH should contain the LDAP strategy definition, and because the password is hashed we cant update this file form the deployer, but once we set it up the first time, we dont need to modify it anymore:</P> <P>so in your etc/system/local/authentication.conf for all your search heads you will have something like:</P> <PRE><CODE>[authentication] authSettings = MYCOMPANY-LDAP-DEV authType = LDAP [MYCOMPANY-LDAP-DEV] SSLEnabled = 1 anonymous_referrals = 1 bindDN = cn=somuser,ou=people,dc=mycompanydomain,dc=com bindDNpassword = ****$1$H#shedPasword=**** charset = utf8 groupBaseDN = ou=groups,dc=mycompanydomain,dc=com groupBaseFilter = (cn=SOME_AD*) groupMappingAttribute = dn groupMemberAttribute = member groupNameAttribute = cn host = ldap.mycompany.com nestedGroups = 1 network_timeout = 20 port = 636 realNameAttribute = displayname sizelimit = 1000 timelimit = 15 userBaseDN = ou=people,dc=mycompany,dc=com userNameAttribute = cn emailAttribute = mail </CODE></PRE> <P>bindDN password will be different on each SH.<BR /> next time you need to add another role just modify the auth_dev app and that is it</P> Wed, 22 Apr 2015 21:43:43 GMT aalanisr26 2015-04-22T21:43:43Z https://community.splunk.com/t5/Splunk-Search/Search-Head-Cluster-How-to-manage-new-roles-between-Search-Head/m-p/154700#M43495 <P>How do we add users or groups to roles in a Splunk search head cluster or create new roles?</P> Wed, 22 Apr 2015 21:16:31 GMT https://community.splunk.com/t5/Splunk-Search/Search-Head-Cluster-How-to-manage-new-roles-between-Search-Head/m-p/154700#M43495 sat94541 2015-04-22T21:16:31Z https://community.splunk.com/t5/Splunk-Search/Search-Head-Cluster-How-to-manage-new-roles-between-Search-Head/m-p/154701#M43496 <P>Roles are managed by authorization.conf.<BR /> authorization.conf is not replicated automatically between Search Head Cluster Member. So the new roles will need to be deployed from deployer.</P> Wed, 22 Apr 2015 21:20:03 GMT https://community.splunk.com/t5/Splunk-Search/Search-Head-Cluster-How-to-manage-new-roles-between-Search-Head/m-p/154701#M43496 rbal_splunk 2015-04-22T21:20:03Z https://community.splunk.com/t5/Splunk-Search/Search-Head-Cluster-How-to-manage-new-roles-between-Search-Head/m-p/154702#M43497 <P>This is a tricky one, the authorize.conf is where the roles are defined, so what we do is create an application called <BR /> auth_dev</P> <P>and we include in the default folder two files:<BR /> authorize.conf<BR /> authentication.conf</P> <P>in <STRONG>authorize.conf</STRONG> we define the role:</P> <PRE><CODE>[role_somethingnew] srchIndexesAllowed = mynewindex srchIndexesDefault = mynewindex srchMaxTime = 0 </CODE></PRE> <P>in <STRONG>authentication.conf</STRONG> we define the map for ldap group:</P> <PRE><CODE>[roleMap_MYCOMPANY-LDAP-DEV] somethingnew = SOME_AD_GROUP </CODE></PRE> <P>Then we push this app from the deployer.</P> <P>The thing you need to consider is local authentication.conf on each SH should contain the LDAP strategy definition, and because the password is hashed we cant update this file form the deployer, but once we set it up the first time, we dont need to modify it anymore:</P> <P>so in your etc/system/local/authentication.conf for all your search heads you will have something like:</P> <PRE><CODE>[authentication] authSettings = MYCOMPANY-LDAP-DEV authType = LDAP [MYCOMPANY-LDAP-DEV] SSLEnabled = 1 anonymous_referrals = 1 bindDN = cn=somuser,ou=people,dc=mycompanydomain,dc=com bindDNpassword = ****$1$H#shedPasword=**** charset = utf8 groupBaseDN = ou=groups,dc=mycompanydomain,dc=com groupBaseFilter = (cn=SOME_AD*) groupMappingAttribute = dn groupMemberAttribute = member groupNameAttribute = cn host = ldap.mycompany.com nestedGroups = 1 network_timeout = 20 port = 636 realNameAttribute = displayname sizelimit = 1000 timelimit = 15 userBaseDN = ou=people,dc=mycompany,dc=com userNameAttribute = cn emailAttribute = mail </CODE></PRE> <P>bindDN password will be different on each SH.<BR /> next time you need to add another role just modify the auth_dev app and that is it</P> Wed, 22 Apr 2015 21:43:43 GMT https://community.splunk.com/t5/Splunk-Search/Search-Head-Cluster-How-to-manage-new-roles-between-Search-Head/m-p/154702#M43497 aalanisr26 2015-04-22T21:43:43Z https://community.splunk.com/t5/Splunk-Search/Search-Head-Cluster-How-to-manage-new-roles-between-Search-Head/m-p/154703#M43498 <P>As recommended in Splunk Documentation <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/AdduserstotheSHC" target="_blank">http://docs.splunk.com/Documentation/Splunk/6.2.3/DistSearch/AdduserstotheSHC</A>, to add users to the search head cluster, use either LDAP or Splunk Enterprise built-in authentication.<BR /> If you use LDAP, recommendation will be to use Separate test instance, ensure that the authentication functions properly and going forwarder user this instance to test and deploy the Role related configuration.<BR /> Here I have used deployer to test my LDAP related testing and also use it to deploy changes to Search Head cluster Member.</P> <P>Before you follow the below steps, you need to ensure that local authentication.conf on each SH should contain the LDAP strategy definition and are able to bind to LDAP, and because the password is hashed we can’t update this file form the deployer, but once we set it up the first time, you don't need to modify it anymore. </P> <P>Following steps can be utilized to deploy new "roles", "role and index mapping" and "Splunk Role=LDAP Group mapping”.</P> <P><STRONG>Step 1</STRONG>: On search head deployer (SHCdeployer03) login to GUI and create new role and assign it to the LDAP group.</P> <P><STRONG>Step 2:</STRONG> On search head deployer (SHCdeployer03), move the authorize.conf and authentication.conf file from /opt/splunk/etc/system/local to /opt/splunk/etc/shcluster/apps/key_all_authentication/local</P> <P><STRONG>Step 3</STRONG>: On search head deployer (SHCdeployer03) cd /opt/splunk/etc/shcluster/apps/key_all_authentication/local</P> <P>And vi authentication.conf file and remove the following line</P> <P>bindDNpassword = </P> <P>Make sure you only remove bindDNpassword line from this file and nothing else.</P> <P><STRONG>Step 4</STRONG>: On search head deployer (SHCdeployer03), run the following command:</P> <P>splunk apply shcluster-bundle -target Captain URI</P> <P><STRONG>Step 5:</STRONG> On any search head member run the following command to check the status of the search member.</P> <P>splunk show shcluster-status</P> <P><STRONG>Steps 6</STRONG>: Login to Any search Head to check the New role.</P> Mon, 28 Sep 2020 19:50:13 GMT https://community.splunk.com/t5/Splunk-Search/Search-Head-Cluster-How-to-manage-new-roles-between-Search-Head/m-p/154703#M43498 rbal_splunk 2020-09-28T19:50:13Z https://community.splunk.com/t5/Splunk-Search/Search-Head-Cluster-How-to-manage-new-roles-between-Search-Head/m-p/154704#M43499 <P>Documentation Bug "SPL-100129:How are roles manged in Search head Cluster?" has been added to include this in documentation.</P> Thu, 07 May 2015 16:36:45 GMT https://community.splunk.com/t5/Splunk-Search/Search-Head-Cluster-How-to-manage-new-roles-between-Search-Head/m-p/154704#M43499 rbal_splunk 2015-05-07T16:36:45Z https://community.splunk.com/t5/Splunk-Search/Search-Head-Cluster-How-to-manage-new-roles-between-Search-Head/m-p/154705#M43500 <P>this is true for 6.0 6.1 6.2 6.3 but may be sync in future versions, check the release notes.</P> Tue, 09 Feb 2016 22:20:13 GMT https://community.splunk.com/t5/Splunk-Search/Search-Head-Cluster-How-to-manage-new-roles-between-Search-Head/m-p/154705#M43500 yannK 2016-02-09T22:20:13Z