Security

Can we have Splunk LDAP integration working in LDAP HA setup?

Communicator

Hi All,

We have a primary and a secondary LDAP server that we need to configure with our Splunk instance. If primary LDAP server goes down, we need Splunk to reference and use the secondary backup LDAP instance, in a sort of HA type situation.

Can a single LDAP Strategy in Splunk's authentication support multiple LDAP servers (or config stanzas) in this type of HA scernario?

Also what happens if i have say 3 LDAP stratergies as below and LDAP1 server is down will splunk authentication go down to LDAP2 and LDAP3 to do authentication or it just gives up at LDAP1?
LDAP1 - Priority 1
LDAp2 - Priority 2
LDAP3 - Priority 3

Did not find any recent concrete answer on this topic (could see 4 to 5 year old threads..things would have changed since then) hence submitting new question.

Thank you in Advance!!

0 Karma

Explorer

Yup that must work to put comma separated entries.

alt text

0 Karma

Motivator

Yes, you can handle this scenario directly in Splunk.
In order to configure multiple LDAP servers, you would define them in authentication.conf.
Under the [authentication] stanza, set the authSettings parameter to a comma separated list of your LDAP servers. The order in which they appear is the order of query precedence.

Also worth noting, Splunk will consider a user authenticated upon the first successful LDAP auth. Meaning, if the user successfully authenticates against LDAP server one, then LDAP server two will never be queried. This can be potentially problematic if you have users/groups configured differently on different LDAP servers.

Further documentation: https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/Authenticationconf

0 Karma

Communicator

Thank You Codebuilder...will try this configuration and report back if it worked. Wanted to check if you had used/tried out this option?

Also any idea on my question related to multiple LDAP stratergies, what happens when LDAP1 is down Splunk will go to LDAP2 right?

0 Karma

Motivator

Glad to help. Yes I have used it successfully.

And yes to your scenario. If LDAP1 is down the LDAP2 is tried next, assuming it is next in your comma separated list. The order of appearance is the order of precedence.

0 Karma

SplunkTrust
SplunkTrust

For multiple LDAP strategies have a look at doc https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/ConfigureSplunkwithmultipleLDAPservers , they have explained scenario for multiple LDAP strategies but I will strongly advice to test this in your test environment before you move to production.

0 Karma

Communicator

Thanks @harsmarvania57 , i had looked at this, my question was more on multiple LDAP servers within an single strategy. Yes we plan to test out in lower environments before implementing anything in prod.

0 Karma

SplunkTrust
SplunkTrust

My 2cents on this:
try and solve this outside of Splunk by using a load balancer in front of the LDAP servers or use DNS CNAMES, add both servers to it, and use the CNAME as server name in Splunk.
Makes life in case of any troubles much easier to troubleshoot, and you can rely on trusted working techniques to provide HA failover 😉

cheers, MuS

0 Karma

Communicator

Thanks MuS for pointers on this...i presume adding both servers to DNS CNAMES should happen on LDAP end right then we would still use the same CNAME on splunk side...not sure if it impacts any of their existing applications which connect to LDAP for authentication

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!