We are on Splunk 6.2.2 with search clustering. We have 4 search heads. Our search heads are LDAP enabled.
Regularly we have to create new roles and map these new roles to new LDAP security groups.
If we have to do it manually, we end up creating new roles on each search head and mapping the new role to an LDAP group in $SPLUNK_HOME/etc/system/local/authentication.conf on each search head.
Is there a way we can push these files to each search head using the deployment server (deployer)?
I searched a lot in the Splunk docs and nowhere do they explain how to replicate roles and authentication.conf.
You can use the deployer to sync the settings to your SH cluster, but keep in mind that you CAN'T edit the settings on the SHs themselves (the settings won't be synced).
We made an "app" with all these config files, and let the deployer deploy them (apply shcluster-bundle). You only need to set the LDAP password on the SHs once, in a location where it won't be replaced by the deployer.
We create authentication.conf in etc/system/local with only:
bindDNpassword = xxxxxxxxxxxx <just type the password, it will encrypt it at startup>
The rest of the settings are pushed to /etc/apps/baseconfig/default/....
I'm not 100% sure, but figured I should clarify that the stanza name above, "SPLUNK", needs to match whatever stanza name. So in my case I put "ldap-auth" as the stanza name in both files.
This is honestly the best answer I've seen presented so far between the docs and one other answer. The method proposed in the documentation of just simply copying the file over into master apps is not a smart one... it's better to have some automation drop the file in etc/system/local on each system instead.
Hopefully Splunk can fix this type of setting in the future to be more streamlined, like with indexer clustering. Setup and maintenance of SHC is way too complicated and not documented strongly enough, IMHO.
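A pre-push check for the split described in the answer and comment above, as an added example that is not part of the original posts or Splunk's own tooling: it confirms that the deployer app's authentication.conf carries no bindDNpassword and that the stanza holding the password in etc/system/local has the same name in the app. The file contents, host and DN are constructed placeholders; the stanza names "SPLUNK" and "ldap-auth" are the ones mentioned in the comment.

```python
import re

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_split(local_text, app_text):
    """Return problems with the password/settings split (empty list = OK)."""
    local, app = parse_conf(local_text), parse_conf(app_text)
    problems = []
    # The bind password must stay out of the bundle the deployer pushes.
    for name, keys in app.items():
        if "bindDNpassword" in keys:
            problems.append(f"app: [{name}] sets bindDNpassword")
    # Every password stanza in system/local needs a same-named stanza in the app.
    pw_stanzas = [n for n, keys in local.items() if "bindDNpassword" in keys]
    for name in pw_stanzas:
        if name not in app:
            problems.append(f"local: [{name}] has no matching app stanza")
    # Each strategy named in authSettings needs its password in system/local.
    settings = app.get("authentication", {}).get("authSettings", "")
    for strategy in filter(None, (s.strip() for s in settings.split(","))):
        if strategy not in pw_stanzas:
            problems.append(f"app: authSettings {strategy} has no local password")
    return problems

# Constructed sample files; host and DN are placeholders.
APP = """[authentication]
authType = LDAP
authSettings = ldap-auth
[ldap-auth]
host = ldap.example.com
bindDN = cn=splunk,ou=svc,dc=example,dc=com
"""
LOCAL_OK = "[ldap-auth]\nbindDNpassword = xxxxxxxxxxxx\n"
LOCAL_BAD = "[SPLUNK]\nbindDNpassword = xxxxxxxxxxxx\n"
if __name__ == "__main__":
    print(check_split(LOCAL_OK, APP), check_split(LOCAL_BAD, APP))
```

Run it against the real files on the deployer before `apply shcluster-bundle`; an empty list means the password stays local and the stanza names line up.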
So here is what I did: I created /apps/splunk/etc/shcluster/apps/baseconfig/local
I placed authorize.conf (with the new role) and authentication.conf (with the new role vs. LDAP group mappings) at the above location and then I ran splunk apply shcluster-bundle -target :8089 -auth admin:
The new role got added and the new LDAP group was also applied, which is good. However, I had set the new role's default app as 'search' (default_namespace = search), which did not get applied.