Deployment Architecture
Highlighted

Search head pooling: can it be used to share authentication information?

Motivator

Can I use an app in etc/apps to contain authentication data for use on all my search heads - via search head pooling?

Re: Search head pooling: can it be used to share authentication information?

Motivator

Sort of. This works the same if the app is deployed to etc/apps via Deployment Server as well:

  • Search heads will read authentication/role information (authentication.conf/authorize.conf) out of apps in etc/apps
  • Search heads will write any changes made to their etc/system/local - which will have to be manually synced with the app in the pooling area or in Deployment Server - and this overwrites any equivalent settings in etc/apps
  • Also, keep in mind: every server will need its own hash of the Bind DN password (if using LDAP) in its etc/system/local.

View solution in original post

Highlighted

Re: Search head pooling: can it be used to share authentication information?

Splunk Employee
Splunk Employee

If all servers happen to have the same $SPLUNK_HOME/etc/auth/splunk.secret file, you don't need to have independent bindDN hashes. But be aware that changing out a splunk.secret file will require changing any other files hashed with that file to match.