Does the Universal Forwarder Support LDAP?

rengle
Engager

We use the REST API regularly with several of our Universal Forwarders.

I would like to set up LDAP with all of them so that we can more easily manage who has access to the REST API and also enforce password controls.

I have distributed a TA with our LDAP configs and the password is being hashed and accepted. The configuration shows up in btool when I run it.

However, when I try to authenticate with an LDAP account, the authentication fails. Furthermore, LDAP users do not show up when I query the REST endpoint on:

/services/authentication/users

How do I confirm that LDAP is not running and if it is not, how do I enable it on a Universal Forwarder? Is LDAP handled through cherrypy and is therefore unavailable?

1 Solution

rengle
Engager

Found the issue.

Because my splunk.secret file is different for all of these forwarders, my hashed password was not being decrypted correctly (and therefore the credentials were invalid).

I was able to get LDAP to work by distributing the password in plaintext, then having the forwarders hash it themselves.

In the future I will work to distribute our splunk.secret key to our forwarding infrastructure as well.

For future reference, LDAP is compatible with the Universal Forwarder.

Thanks for your help.
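
The mismatch described in this answer can be checked for before an app is distributed. The following is an added example, not code from the original post or from Splunk: it classifies each `bindDNpassword` in an authentication.conf as encrypted (the `$1$` or `$7$` prefix Splunk puts on values encrypted with splunk.secret) or plaintext, and lists the hosts whose splunk.secret differs from the host that encrypted the value. Host names, stanza names, secrets and the password values are constructed.

```python
import hashlib
import re

# Values that splunkd has encrypted with splunk.secret carry a "$1$" or "$7$" prefix.
ENCRYPTED = re.compile(r"^\$[17]\$")

def bind_passwords(conf_text):
    """Map each stanza that sets bindDNpassword to 'encrypted' or 'plaintext'."""
    result, stanza = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
        elif "=" in line and stanza is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "bindDNpassword":
                result[stanza] = "encrypted" if ENCRYPTED.match(value) else "plaintext"
    return result

def fingerprint(secret):
    """SHA-256 of a splunk.secret, so hosts can be compared without copying the key."""
    return hashlib.sha256(secret.strip()).hexdigest()

def cannot_decrypt(secrets, origin):
    """Hosts whose splunk.secret differs from the host that encrypted the value."""
    want = fingerprint(secrets[origin])
    return sorted(h for h, s in secrets.items() if fingerprint(s) != want)

# Constructed sample: one stanza encrypted on "builder", one left in plaintext.
SAMPLE_CONF = """\
[authentication]
authType = LDAP
authSettings = corp_ldap, lab_ldap

[corp_ldap]
host = ldap.example.test
bindDN = cn=splunk,ou=svc,dc=example,dc=test
bindDNpassword = $7$Q29uc3RydWN0ZWRTYW1wbGVWYWx1ZQ==

[lab_ldap]
host = ldap-lab.example.test
bindDNpassword = constructed-plaintext
"""
# Constructed secrets: uf02 was installed separately and generated its own.
SAMPLE_SECRETS = {"builder": b"secret-A\n", "uf01": b"secret-A\n", "uf02": b"secret-B\n"}

if __name__ == "__main__":
    print(bind_passwords(SAMPLE_CONF))
    print("cannot decrypt:", cannot_decrypt(SAMPLE_SECRETS, "builder"))
```

A `plaintext` result means the bind password travels unencrypted in the app package; a non-empty `cannot_decrypt` list names the forwarders where an encrypted value from the origin host will fail.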

cboillot
Contributor

How did you get this to work? Which files did you have in the TA?

martin_mueller
SplunkTrust

The Universal Forwarder license doesn't have the LDAPAuth feature, so I assume the modules underneath aren't shipped either.

You could of course deploy Heavy Forwarders; those should be able to do what you need. You may need to make sure they're connected to a valid Enterprise license from your license master, though.
