All Apps and Add-ons

6.2.2 search head cluster: how to manage roles (authorize.conf), ldap groups (authentication.conf) using deployment server (deployer)



We are on splunk 6.2.2 with search clustering. We have 4 search heads. Our search heads are LDAP enabled.
Regularly we have to create new roles and map these new roles to new LDAP security groups.
If we have to do to manually, we end creating new roles in each search head and map the new role to LDAP grpup in $SPLUNK_HOME/etc/system/local/authentication.conf in each search heads.

Is there a way we can push these files to each search heads using deployment server (deployer).

I searched a lot in splunk docs and no where they are explaining how to replicate role and authentication.conf .

Please assist.

Simon Mandy


You can use the deployer to sync the settings to your SH cluster, but keep in mind that you CAN'T edit the settings on the SH's itself (the settings won't be synced)

We made an "app" with all these confige files, and let them deploy by the deployer ( apply shcluster-bundle). You only need to set the LDAP password on the SH's once, in a location it won't be replaced by the deployer.

We create auhentication.conf in etc/system/local with only :

bindDNpassword = xxxxxxxxxxxx <just type the password, it will encrypt it at startup>

Rest of the settings is pushed too /etc/apps/baseconfig/default/....


i'm not 100% sure but figured i should clarify that the stanza name above "SPLUNK" needs to match whatever stanza name. so in my case i put "ldap-auth" as the stanza name in both files.

this is honestly the best answer i've seen presented so far between the docs and one other answer. the method proposed in the documentation of just simply copying the file over into master apps is not a smart one... it's better to have some automation drop the file in etc/system/local on each system instead.

hopefully splunk can fix this type of settings in the future to be more streamlined like with indexer clustering. setup and maintenance of SHC is way too complicated and not documented strongly enough IMHO.

0 Karma


Thank you for replying.

So here is what I did, I created /apps/splunk/etc/shcluster/apps/baseconfig/local
I placed authorize.conf (with new role) and authentication.conf (with new role vs LDAP group mappings) at above location and then I did
splunk apply shcluster-bundle -target :8089 -auth admin:
The new role got added and the new LDAP group also applied. which is good. However I had set new roles default app as 'search' (default_namespace = search) which did no get applied.

Any thoughts?

0 Karma


didn't it get applied for new or existing users?
For new users it should work. Existing users have probably already set the default_namespace, somewhere in the users folder.

Also by pusing it from the deployer, your local files will be merged at the SHs to /default. It could be that there is stall al local setting (in an app) overrulling je config you just deployed

0 Karma
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!