Authentication System Priority: LDAP over Splunk?

jchensor
Communicator

I have a situation where I've added users to Splunk via Splunk's local user Authentication System. Afterwards, I've managed to set up LDAP so that Splunk now uses LDAP Authentication.

However, since the users I created manually in the first step have the same usernames as their corresponding LDAP username, when I check the "Users" menu in Splunk's Manager, I'll see that the users' Authentication System defaults to Splunk instead of LDAP. In other words, the local Splunk Authentication System takes priority over the LDAP Authentication System.

Is there any way to SWAP this around? To have the users default to the LDAP Authentication System? I'd prefer they log in using LDAP, but I don't want to delete the local Splunk accounts just to get them to be able to use LDAP, as I may need those accounts again in the future.

Thanks!

- James

rathkon
New Member

Important: Splunk's built-in system always takes precedence over any external systems. This is the order in which Splunk authenticates a user:
1. Splunk built-in authentication
2. LDAP authentication (if enabled)
3. Scripted authentication (if enabled)

https://docs.splunk.com/Documentation/Splunk/4.2.5/Admin/SetupuserauthenticationwithLDAP#Configure_L...

0 Karma

jchensor
Communicator

Yeah, the local user takes precedence. So if there is a local user by the name of "jchen" and "jchen" is also a user in LDAP, you would use the password for the local jchen first.

The convenient thing, however, is that I was advised to modify the "passwd" file found in "$SPLUNK_HOME/etc". That's where the local users are stored and you can do something like rename the line with "jchen" on it to "james_chen" and restart Splunk.

jchensor
Communicator

Then, you leave that account alone, but have renamed it essentially. Best part is that if you created saved searches and such with the local "jchen", they now become associated with the LDAP "jchen"! And anytime you have to turn LDAP off for whatever reason, you can re-edit that "passwd" file back from "james_chen" to "jchen".
It's a weird workaround, not one I'd recommend unless absolutely necessary. But it works.

rtadams89
Contributor

Have you tested this? If Splunk is configured for LDAP, users should attempt to authenticate to LDAP first.

0 Karma
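An audit for the name collisions this thread describes, added here as an example and not taken from any of the posts or from Splunk: it lists local accounts whose names also exist in LDAP, which are the accounts where the local password would be checked first. The passwd line layout (colon-separated, optional leading colon before the username), the case-insensitive comparison, and the sample data are assumptions.

```python
"""Find local Splunk accounts that shadow LDAP accounts of the same name."""
import io


def local_usernames(passwd_text):
    """Return usernames from passwd-style text.

    Assumed layout (not confirmed by the thread): one account per line,
    colon-separated, optionally with a leading colon before the username.
    """
    names = []
    for raw in io.StringIO(passwd_text):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # With a leading colon the first field is empty and the name is second.
        name = fields[1] if fields[0] == "" and len(fields) > 1 else fields[0]
        if name:
            names.append(name)
    return names


def shadowed_accounts(passwd_text, ldap_users):
    """Local names that also exist in LDAP (compared case-insensitively)."""
    ldap = {u.strip().lower() for u in ldap_users if u.strip()}
    return sorted({n for n in local_usernames(passwd_text) if n.lower() in ldap})


# Constructed sample data: hashes are placeholders, not real credentials.
SAMPLE_PASSWD = """\
:admin:$6$PLACEHOLDER::Administrator:admin:admin@example.com::
:jchen:$6$PLACEHOLDER::James Chen:user:jchen@example.com::
:svc_backup:$6$PLACEHOLDER::Backup:user:::
"""
# Constructed list standing in for an export of LDAP usernames.
SAMPLE_LDAP = ["jchen", "rsmith", "Admin"]

if __name__ == "__main__":
    for name in shadowed_accounts(SAMPLE_PASSWD, SAMPLE_LDAP):
        print(f"local account '{name}' takes precedence over LDAP '{name}'")
```

Run it against a copy of the passwd file rather than the live one, and review every reported name: each is an account whose local password, not the directory's, decides the login.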