Hello Splunkers!!
I want us to configure Active Directory in Splunk with LDAP. My Splunk server and domain controller are two different servers on the same network. Please guide me on what steps I need to follow.
1. Shall I open inbound or outbound port 389 on both the servers?
2. How to create a user and user group in Active Directory.
3. After the mapping of LDAP, does it impact the current existing Splunk users?
4. Please provide me a document if anybody has performed a POC on this already.
Hi @uagraw01,
you should install the SA-LDAPSearch app (https://splunkbase.splunk.com/app/1151) on a Heavy Forwarder and follow the instructions at https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.8/User/AbouttheSplunkSupportingAdd-onforActi...
In apps.splunk.com there is another app to do the same thing but I never used it.
Ciao.
Giuseppe
@gcusello Thank you for the response. I have a few more asks on this.
1. Can we use the LDAP functionality which is present in the Splunk settings itself rather than any LDAP app or add-on?
2. We have a standalone Splunk server which is based on a Windows virtual machine.
So is a direct connection between the Domain Controller and the Splunk server possible with the Splunk LDAP setting?
What do you want to do with LDAP in Splunk? Typical uses are to authenticate users and to query AD (for users, groups, etc.).
Splunk's LDAP functionality is for authenticating Splunk users. The LDAP add-on allows for querying AD as part of a Splunk search.
Yes, a standalone Splunk server on a Windows VM can connect to a Domain Controller using LDAP, but not under the Free license.
@richgalloway We have a licensed Splunk standalone server.
My customer wants us to configure Active Directory to authenticate all the Splunk users.
You do not need an app to use LDAP for authentication. Go to Settings->Authentication methods and select "LDAP". Then click the "Configure Splunk to use LDAP" link. Click the green "New LDAP" button and fill in the form. See https://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureLDAPwithSplunkWeb for details.
After that, you will need to map AD groups to Splunk roles. The same doc tells how to do that.
@richgalloway Thanks for your suggestion.
Will the creation or mapping of the existing users with LDAP impact existing reports, dashboards, macros, etc. created by different users?
If the users' LDAP names do not match their Splunk account names then all KOs will have to be reassigned to the LDAP account names.
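An added example, not part of the thread and not Splunk's own tooling: a pre-migration check that reads the `owner` entries of a `metadata/local.meta` file and lists the knowledge objects whose owner has no matching LDAP login name. The sample file content and the LDAP name list are constructed, and the case-insensitive name comparison is an assumption.

```python
import re
from urllib.parse import unquote

# Constructed sample of a metadata/local.meta file (not taken from the thread).
SAMPLE_META = """\
[savedsearches/Failed%20Logins%20Report]
owner = jsmith
version = 9.0.0
access = read : [ * ], write : [ admin ]

[views/soc_overview]
owner = JDoe
export = system

[macros/auth_index]
owner = admin

[]
access = read : [ * ], write : [ admin ]
"""

STANZA = re.compile(r"^\[(.*)\]\s*$")
OWNER = re.compile(r"^owner\s*=\s*(\S+)\s*$")

def owners_by_object(meta_text):
    """Return {(type, name): owner} for every object stanza that sets an owner."""
    result, current = {}, None
    for line in meta_text.splitlines():
        m = STANZA.match(line)
        if m:
            # Stanza names are "<type>/<url-encoded object name>"; "[]" is the app default.
            kind, _, name = m.group(1).partition("/")
            current = (kind, unquote(name)) if name else None
            continue
        m = OWNER.match(line)
        if m and current:
            result[current] = m.group(1)
    return result

def orphaned_objects(meta_text, ldap_names, keep=("nobody",)):
    """Objects whose owner matches no LDAP login name (assumed case-insensitive)."""
    known = {n.lower() for n in ldap_names} | set(keep)
    return sorted((kind, name, owner)
                  for (kind, name), owner in owners_by_object(meta_text).items()
                  if owner.lower() not in known)
```

Run it against each app's and each user's `local.meta` before switching authentication; every tuple it returns is an object that would need reassigning to an LDAP account name.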
Hi @uagraw01,
answering your questions:
1) No, the LDAP functionalities are for user authentication, not to extract LDAP data.
To extract LDAP data you need the add-on.
2) Use your standalone server to install the app,
and if it is possible, move to Linux: Windows is useful for test environments, not for production environments!
Ciao.
Giuseppe
@gcusello We only want to establish the authentication method. We don't want to monitor any LDAP events.
We only use a Windows Splunk server, even for production.
Hi @uagraw01,
if you want to use the LDAP authentication, you have to
for more details see https://docs.splunk.com/Documentation/SplunkCloud/latest/Security/ConfigureLDAPwithSplunkWeb
Ciao.
Giuseppe
@gcusello I will surely try this solution.