Security

Authentication System Priority: LDAP over Splunk?

jchensor
Communicator

I have a situation where I've added users to Splunk via Splunk's local user Authentication System. Afterwards, I've managed to setup LDAP so that Splunk now uses LDAP Authentication.

However, since the users I created manually in the first step have the same usernames as their corresponding LDAP username, when I check the "Users" menu in Splunk's Manager, I'll see that the users' Authentication System defaults to Splunk instead of LDAP. In other words, the local Splunk Authentication System takes priority over the LDAP Authentication System.

Is there any way to SWAP this around? To have the users default to the LDAP Authentication System? I'd prefer they log in using LDAP, but I don't want to delete the local Splunk accounts just to get them to be able to use LDAP, as I may need those accounts again in the future.

Thanks!

  • James
Tags (2)
1 Solution

jchensor
Communicator

Yeah, the local user takes precedence. So if there is a local user by the name of "jchen" and "jchen" is also a user in LDAP, you would use the password for the local jchen first.

The convenient thing, however, is that I was advised to modify the "passwd" file found in "$SPLUNK_HOME/etc". That's where the local users are stored and you can do something like rename the line with "jchen" on it to "james_chen" and restart Splunk.

View solution in original post

rathkon
New Member

Important: Splunk's built-in system always takes precedence over any external systems. This is the order in which Splunk authenticates a user:
1. Splunk built-in authentication
2. LDAP authentication (if enabled)
3. Scripted authentication (if enabled)

https://docs.splunk.com/Documentation/Splunk/4.2.5/Admin/SetupuserauthenticationwithLDAP#Configure_L...

0 Karma

jchensor
Communicator

Yeah, the local user takes precedence. So if there is a local user by the name of "jchen" and "jchen" is also a user in LDAP, you would use the password for the local jchen first.

The convenient thing, however, is that I was advised to modify the "passwd" file found in "$SPLUNK_HOME/etc". That's where the local users are stored and you can do something like rename the line with "jchen" on it to "james_chen" and restart Splunk.

jchensor
Communicator

Then, you leave that account alone, but have renamed it essentially. Best part is that if you created saved searches and such with the local "jchen", they now become associated with the LDAP "jchen"! And anytime you have to turn LDAP off for whatever reason, you can re-edit that "passwd" file back from "james_chen" to "jchen".
It's a weird workaround, not one I'd recommend unless absolutely necessary. But it works.

rtadams89
Contributor

Have you tested this? If Splunk is configured for LDAP, users should attempt to authenticate to LDAP first.

0 Karma
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...