Authentication System Priority: LDAP over Splunk?

jchensor
Communicator

I have a situation where I've added users to Splunk via Splunk's local user Authentication System. Afterwards, I've managed to set up LDAP so that Splunk now uses LDAP Authentication.

However, since the users I created manually in the first step have the same usernames as their corresponding LDAP username, when I check the "Users" menu in Splunk's Manager, I'll see that the users' Authentication System defaults to Splunk instead of LDAP. In other words, the local Splunk Authentication System takes priority over the LDAP Authentication System.

Is there any way to SWAP this around? To have the users default to the LDAP Authentication System? I'd prefer they log in using LDAP, but I don't want to delete the local Splunk accounts just to get them to be able to use LDAP, as I may need those accounts again in the future.

Thanks!

- James

rathkon
New Member

Important: Splunk's built-in system always takes precedence over any external systems. This is the order in which Splunk authenticates a user:
1. Splunk built-in authentication
2. LDAP authentication (if enabled)
3. Scripted authentication (if enabled)

https://docs.splunk.com/Documentation/Splunk/4.2.5/Admin/SetupuserauthenticationwithLDAP#Configure_L...

0 Karma

jchensor
Communicator

Yeah, the local user takes precedence. So if there is a local user by the name of "jchen" and "jchen" is also a user in LDAP, you would use the password for the local jchen first.

The convenient thing, however, is that I was advised to modify the "passwd" file found in "$SPLUNK_HOME/etc". That's where the local users are stored and you can do something like rename the line with "jchen" on it to "james_chen" and restart Splunk.

jchensor
Communicator

Then, you leave that account alone, but have renamed it essentially. Best part is that if you created saved searches and such with the local "jchen", they now become associated with the LDAP "jchen"! And anytime you have to turn LDAP off for whatever reason, you can re-edit that "passwd" file back from "james_chen" to "jchen".
It's a weird workaround, not one I'd recommend unless absolutely necessary. But it works.
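
The rename workaround described above, as an added example that is not part of the original thread and not Splunk's own tooling: it lists local accounts that shadow LDAP usernames and renames only the username field of one entry, so other fields that happen to contain the same string are left alone. The colon-delimited layout of the "passwd" file, the function names and the sample lines are assumptions constructed for illustration.

```python
def _username_index(fields):
    # Assumption: the file is colon-delimited and the username is the
    # first non-empty field on each line.
    for i, value in enumerate(fields):
        if value:
            return i
    return None


def local_usernames(passwd_text):
    """Return the local usernames in file order."""
    names = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        idx = _username_index(fields)
        if idx is not None:
            names.append(fields[idx])
    return names


def shadowing_accounts(passwd_text, ldap_usernames):
    """Local accounts whose names collide with LDAP names (these win at login)."""
    ldap = set(ldap_usernames)
    return [u for u in local_usernames(passwd_text) if u in ldap]


def rename_local_user(passwd_text, old, new):
    """Rename only the username field of `old`; every other field is kept."""
    if new in local_usernames(passwd_text):
        raise ValueError(f"local user {new!r} already exists")
    out, renamed = [], False
    for line in passwd_text.splitlines():
        fields = line.split(":")
        idx = _username_index(fields)
        if idx is not None and fields[idx] == old:
            fields[idx] = new
            renamed = True
        out.append(":".join(fields))
    if not renamed:
        raise KeyError(f"no local user named {old!r}")
    return "\n".join(out) + "\n"


# Constructed sample (placeholder hashes, not real Splunk output).
SAMPLE = (
    ":admin:HASH_PLACEHOLDER::Administrator:admin:admin@example.com\n"
    ":jchen:HASH_PLACEHOLDER::James Chen:user:jchen@example.com\n"
)
```

Run it against a copy of the file, and restart Splunk after putting the edited file in place, as the post describes.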

rtadams89
Contributor

Have you tested this? If Splunk is configured for LDAP, users should attempt to authenticate to LDAP first.

0 Karma