All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

6.2.2 search head cluster: how to manage roles (authorize.conf), ldap groups (authentication.conf) using deployment server (deployer)

sim_tcr
Communicator
‎03-13-2015 01:31 AM

Hello,

We are on splunk 6.2.2 with search clustering. We have 4 search heads. Our search heads are LDAP enabled.
Regularly we have to create new roles and map these new roles to new LDAP security groups.
If we have to do to manually, we end creating new roles in each search head and map the new role to LDAP grpup in $SPLUNK_HOME/etc/system/local/authentication.conf in each search heads.

Is there a way we can push these files to each search heads using deployment server (deployer).

I searched a lot in splunk docs and no where they are explaining how to replicate role and authentication.conf .

Please assist.

Thanks,
Simon Mandy

Reply

teunlaan
Contributor
‎03-13-2015 02:39 AM

You can use the deployer to sync the settings to your SH cluster, but keep in mind that you CAN'T edit the settings on the SH's itself (the settings won't be synced)

We made an "app" with all these confige files, and let them deploy by the deployer ( apply shcluster-bundle). You only need to set the LDAP password on the SH's once, in a location it won't be replaced by the deployer.

We create auhentication.conf in etc/system/local with only :

[SPLUNK]
bindDNpassword = xxxxxxxxxxxx <just type the password, it will encrypt it at startup>

Rest of the settings is pushed too /etc/apps/baseconfig/default/....

Reply

awurster
Contributor
‎01-11-2016 09:30 PM 
[SPLUNK]
...

i'm not 100% sure but figured i should clarify that the stanza name above "SPLUNK" needs to match whatever stanza name. so in my case i put "ldap-auth" as the stanza name in both files.

this is honestly the best answer i've seen presented so far between the docs and one other answer. the method proposed in the documentation of just simply copying the file over into master apps is not a smart one... it's better to have some automation drop the file in etc/system/local on each system instead.

hopefully splunk can fix this type of settings in the future to be more streamlined like with indexer clustering. setup and maintenance of SHC is way too complicated and not documented strongly enough IMHO.

0 Karma
Reply

sim_tcr
Communicator
‎03-13-2015 03:47 AM

Thank you for replying.

So here is what I did, I created /apps/splunk/etc/shcluster/apps/baseconfig/local
I placed authorize.conf (with new role) and authentication.conf (with new role vs LDAP group mappings) at above location and then I did
splunk apply shcluster-bundle -target :8089 -auth admin:
The new role got added and the new LDAP group also applied. which is good. However I had set new roles default app as 'search' (default_namespace = search) which did no get applied.

Any thoughts?

0 Karma
Reply

teunlaan
Contributor
‎03-13-2015 04:57 AM

didn't it get applied for new or existing users?
For new users it should work. Existing users have probably already set the default_namespace, somewhere in the users folder.

Also by pusing it from the deployer, your local files will be merged at the SHs to /default. It could be that there is stall al local setting (in an app) overrulling je config you just deployed

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...