Does the Universal Forwarder Support LDAP?

Engager

We use the REST API regularly with several of our Universal Forwarders.

I would like to set up LDAP with all of them so that we can more easily manage who has access to the REST API and also enforce password controls.

I have distributed a TA with our LDAP configs and the password is being hashed and accepted. The configuration shows up in btool when I run it.

However, when I try and authenticate with an LDAP account the authentication fails. Furthermore, LDAP users do not show up when I query the REST endpoint on:

/services/authentication/users

How do I confirm that LDAP is not running and if it is not, how do I enable it on a Universal Forwarder? Is LDAP handled through cherrypy and is therefore unavailable?

1 Solution

Engager

Found the issue.

Because my splunk.secret file is different for all of these forwarders, my hashed password was not being decrypted correctly (and therefore the credentials were invalid).

I was able to get LDAP to work by distributing the password in plaintext, then having the forwarders hash it themselves.

In the future I will work to distribute our splunk.secret key to our forwarding infrastructure as well.

For future reference, LDAP is compatible with the Universal Forwarder.

Thanks for your help.
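
An added example, not part of the original post and not Splunk code: a pre-deployment check for the failure described in the solution above, reporting which forwarders can read a TA's `bindDNpassword`. It assumes already-encrypted values carry a `$1$` or `$7$` prefix; the strategy name `corp_ldap`, the hosts and the secrets are constructed sample data.

```python
import hashlib
import re

# Assumption: values Splunk has already encrypted carry a "$1$" or "$7$" prefix.
ENCRYPTED = re.compile(r"^\$[17]\$")
CREDENTIAL_KEYS = {"bindDNpassword"}

def fingerprint(secret_bytes):
    """SHA-256 of a splunk.secret file, so inventories hold digests, not secrets."""
    return hashlib.sha256(secret_bytes).hexdigest()

def credential_states(conf_text):
    """Return (stanza, key, 'encrypted'|'plaintext') for each credential setting."""
    found, stanza = [], "default"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if sep and key in CREDENTIAL_KEYS:
            state = "encrypted" if ENCRYPTED.match(value) else "plaintext"
            found.append((stanza, key, state))
    return found

def hosts_that_can_decrypt(conf_text, origin_host, fingerprints):
    """Hosts able to use the credentials in conf_text.

    Plaintext values work on every host; encrypted values only work where the
    splunk.secret fingerprint matches the host that encrypted them.
    """
    if all(state == "plaintext" for _, _, state in credential_states(conf_text)):
        return sorted(fingerprints)
    origin = fingerprints[origin_host]
    return sorted(h for h, fp in fingerprints.items() if fp == origin)

# Constructed sample data (hypothetical strategy name, hosts and secrets).
ENCRYPTED_TA = """[authentication]
authType = LDAP
authSettings = corp_ldap

[corp_ldap]
bindDN = cn=svc-splunk,ou=service,dc=example,dc=com
bindDNpassword = $7$Q09OU1RSVUNURUQtU0FNUExF
"""
PLAINTEXT_TA = ENCRYPTED_TA.replace("$7$Q09OU1RSVUNURUQtU0FNUExF", "constructed-sample-password")
FINGERPRINTS = {"deployer": fingerprint(b"secret-A"), "uf01": fingerprint(b"secret-A"),
                "uf02": fingerprint(b"secret-B")}
```
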

Communicator

How did you get this to work? Which files did you have in the TA?

0 Karma

SplunkTrust

The Universal Forwarder license doesn't have the LDAPAuth feature, so I assume the modules underneath aren't shipped either.

You could of course deploy Heavy Forwarders, those should be able to do what you need - you may need to make sure they're connected to a valid Enterprise license from your license master though.