I have a situation where I've added users to Splunk via Splunk's local user Authentication System. Afterwards, I've managed to set up LDAP so that Splunk now uses LDAP Authentication.
However, since the users I created manually in the first step have the same usernames as their corresponding LDAP username, when I check the "Users" menu in Splunk's Manager, I'll see that the users' Authentication System defaults to Splunk instead of LDAP. In other words, the local Splunk Authentication System takes priority over the LDAP Authentication System.
Is there any way to SWAP this around? To have the users default to the LDAP Authentication System? I'd prefer they log in using LDAP, but I don't want to delete the local Splunk accounts just to get them to be able to use LDAP, as I may need those accounts again in the future.
Thanks!
Important: Splunk's built-in system always takes precedence over any external systems. This is the order in which Splunk authenticates a user:
1. Splunk built-in authentication
2. LDAP authentication (if enabled)
3. Scripted authentication (if enabled)
Yeah, the local user takes precedence. So if there is a local user by the name of "jchen" and "jchen" is also a user in LDAP, you would use the password for the local jchen first.
The convenient thing, however, is that I was advised to modify the "passwd" file found in "$SPLUNK_HOME/etc". That's where the local users are stored and you can do something like rename the line with "jchen" on it to "james_chen" and restart Splunk.
Then, you leave that account alone, but have renamed it essentially. Best part is that if you created saved searches and such with the local "jchen", they now become associated with the LDAP "jchen"! And anytime you have to turn LDAP off for whatever reason, you can re-edit that "passwd" file back from "james_chen" to "jchen".
It's a weird workaround, not one I'd recommend unless absolutely necessary. But it works.
Have you tested this? If Splunk is configured for LDAP, users should attempt to authenticate to LDAP first.
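An added example, not code from this thread or from Splunk: a check that lists local accounts shadowing an LDAP username under the precedence order quoted above, plus a field-aware version of the passwd rename workaround that refuses a new name that is already taken. It assumes each passwd record is colon-delimited with a leading colon (username in the second field) and that names match case-insensitively; the function names and sample data are constructed for illustration.

```python
# Added example: audit and rename helper for Splunk's local passwd file.
# Assumption: each record is colon-delimited with a leading colon, so the
# username is the second field (":jchen:<hash>:..."). Sample data is constructed.

SAMPLE_PASSWD = """\
:admin:$6$CONSTRUCTED_HASH_A::Administrator:admin:admin@example.com:::
:jchen:$6$CONSTRUCTED_HASH_B::James Chen:user:jchen@example.com:::
:svc_backup:$6$CONSTRUCTED_HASH_C::Backup:user::::
"""
SAMPLE_LDAP_USERS = ["JChen", "asmith"]  # constructed directory export


def local_users(passwd_text):
    """Return local usernames in file order, skipping blank/malformed lines."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) > 2 and fields[0] == "" and fields[1]:
            names.append(fields[1])
    return names


def shadowing_accounts(passwd_text, ldap_users):
    """Local accounts that win over a same-named LDAP account (case-insensitive: assumption)."""
    ldap = {u.lower() for u in ldap_users}
    return sorted(n for n in local_users(passwd_text) if n.lower() in ldap)


def rename_local_user(passwd_text, old, new, ldap_users=()):
    """Rename one record's username field, refusing names that would collide."""
    taken = {n.lower() for n in local_users(passwd_text)} | {u.lower() for u in ldap_users}
    if new.lower() in taken:
        raise ValueError(f"{new!r} already exists locally or in LDAP")
    out, renamed = [], False
    for line in passwd_text.splitlines(keepends=True):
        fields = line.split(":")
        if len(fields) > 2 and fields[0] == "" and fields[1] == old:
            fields[1] = new  # only the username field changes, not e-mail or full name
            line, renamed = ":".join(fields), True
        out.append(line)
    if not renamed:
        raise ValueError(f"no local user {old!r}")
    return "".join(out)


if __name__ == "__main__":
    print("shadowing:", shadowing_accounts(SAMPLE_PASSWD, SAMPLE_LDAP_USERS))
    print(rename_local_user(SAMPLE_PASSWD, "jchen", "james_chen", SAMPLE_LDAP_USERS), end="")
```

Run it against a copy of the passwd file and keep the original as a backup, since the rename is meant to be reverted if LDAP is ever turned off.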