Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Edit authentication.conf via CLI

saranya_fmr
Communicator
‎07-03-2017 06:38 AM

I want to change the ldap account adn its password on all the SHs via CLI.

I tried changing the ldap account and password via a script to edit/relace the account and password , and then restarted Splunk.

But this doesn't seem to work.

After I did that , I see that there's no Authentication method at all in the Splunk SH UI like below:
alt text

After I select LDAP method I see the two accounts without any AD accounts mapped

alt text

How do I to edit the authentication.conf file with new ldap account and password without any breakage like above??

Preview file
1 KB
Preview file
1 KB
0 Karma
Reply

sbbadri
Motivator
‎07-17-2017 01:25 PM

our need to create a separate app for Authentication say all_auth.

Deployer:

$SPLUNK_HOME/etc/shcluster/apps/all_auth/local

authentication.conf - only your role mapping like below
[roleMap_ldap_sssd]
role_user_group = ad_group1

authorize.conf - copy authorize.conf from $SPLUNK_HOME/etc/system/local/authorize.conf from one of search head from the cluster.

Search head:

$SPLUNK_HOME/etc/system/local

authentication.conf - only ldap configuration settings.
authorize.conf - there should not be any authorize.conf. Rename authorize.conf to something else

Go to deployer's $SPLUNK_HOME/bin and execute this command ./splunk apply shcluster-bundle -target https://search_head_captain's-ip:8089 -preserve-lookups true

Once pushed check all search head in the cluster should all_auth folder. Then go to GUI splunk instance under settings->access control-> ldap settings->map groups-> all role you have created should be present.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎07-03-2017 06:47 AM

This seems .. unlikely .. I would suspect something unanticipated in your editing of the file.

  1. I have edited authentication.conf many times directly via the CLI and had no issues like this, especially after a restart. (It is possible to reload most authentication.props properties w/o a restart via the REST API but that is a little off topic for here)
  2. Authentication.conf (like all other conf files) is subject to btool's merging rules across apps. Make certain you are editing the right authentication.conf file(s) to affect your change.

I think more information is needed (like a before and after of the file itself) before we can give great guidance on what went wrong.

0 Karma
Reply

saranya_fmr
Communicator
‎07-03-2017 07:11 AM

Hi @dwaddle

All I did was a script to replace the ldap account and its password.

The file has got replaced with accountname and password but the password has not got encrypted after the splunk restart:

auth.conf Before
[lassie_np_ldap]
sslenabled = 1
anonymous_referrals = 1
binddn = cn=ezp_splunk_ldap,OU=ServiceAccounts,DC=im,DC=tcsco,DC=com
binddnpassword = $1$Hx+uKRbWP/f3
charset = utf8
emailattribute = mail
groupbasedn = OU=FIMT_Managed,OU=Groups,DC=im,DC=tcsco,DC=com
groupbasefilter = (|(cn=FIMT-LASSIE-) (cn=FIMTMON_))
groupmappingattribute = dn
groupmemberattribute = member
groupnameattribute = cn
host = ldapserver.tcsco.com
nestedgroups = 0
network_timeout = 20
port = 636
realnameattribute = displayname
sizelimit = 1000
timelimit = 15
userbasedn = DC=im,DC=tcsco,DC=com
userbasefilter = (objectclass=*)
usernameattribute = samaccountname

auth.conf After:
[lassie_np_ldap]
sslenabled = 1
anonymous_referrals = 1
binddn = cn=ezp_splunk_ldap_dev,OU=ServiceAccounts,DC=im,DC=tcsco,DC=com
binddnpassword = N3F1vSvt
charset = utf8
emailattribute = mail
groupbasedn = OU=FIMT_Managed,OU=Groups,DC=im,DC=tcsco,DC=com
groupbasefilter = (|(cn=FIMT-LASSIE-) (cn=FIMTMON_))
groupmappingattribute = dn
groupmemberattribute = member
groupnameattribute = cn
host = ldapserver.tcsco.com
nestedgroups = 0
network_timeout = 20
port = 636
realnameattribute = displayname
sizelimit = 1000
timelimit = 15
userbasedn = DC=im,DC=tcsco,DC=com
userbasefilter = (objectclass=*)
usernameattribute = samaccountname

Im using $SPLUNK_HOME/splunk/etc/system/local/authentication.conf" on all the SHs to make the changes.

0 Karma
Reply

dwaddle
SplunkTrust
SplunkTrust
‎07-07-2017 06:26 AM

So, are the above your whole authentication.conf? There's some things missing. Like I would expect to see:

[authentication]
authSettings = lassie_np_ldap
authType = LDAP

Or something similar .. also a 

[rolemap_lassie_np_ldap]

section that specifies the role mappings. As @SloshBurch said prior, "use btool" 🙂

Reply

saranya_fmr
Communicator
‎07-12-2017 09:58 AM

Hi @dwaddle ,

I figured out that it was my python script that was causing the problem. It was modifying the file in a fashion that we couldnt figure out all although the contents looked fine.
Thankyou for your support.

However I had another query,
how do we push the config changes for the authentication.file via the deployer to the SHs?

Doesn't shcluster apply bundle push the changes from $SPLUNK_HOME/splunk/etc/shcluster to the SHs?

However the authentication.file is located at $SPLUNK_HOME/splunk/etc/system/local right?

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎07-17-2017 01:15 PM

Also, @saranya_fmr, please be aware that the conf file does not HAVE to live in $SPLUNK_HOME/system/local/. Your config can (and should) live in an app so it can be centrally controlled and deployed.

This is a great page on the topic: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

If you want to learn more, the Admin and Clustering edu classes should be great.

0 Karma
Reply

sbbadri
Motivator
‎07-12-2017 11:29 AM

Your need to create a separate app for Authentication say all_auth.

Deployer:

$SPLUNK_HOME/etc/shcluster/apps/all_auth/local

authentication.conf - only your role mapping like below
[roleMap_ldap_sssd]
role_user_group = ad_group1

authorize.conf - copy authorize.conf from $SPLUNK_HOME/etc/system/local/authorize.conf from one of search head from the cluster.

Search head:

$SPLUNK_HOME/etc/system/local

authentication.conf - only ldap configuration settings.
authorize.conf - there should not be any authorize.conf. Rename authorize.conf to something else

Go to deployer's $SPLUNK_HOME/bin and execute this command ./splunk apply shcluster-bundle -target https://search_head_captain's-ip:8089 -preserve-lookups true

Once pushed check all search head in the cluster should all_auth folder. Then go to GUI splunk instance under settings->access control-> ldap settings->map groups-> all role you have created should be present.

0 Karma
Reply

sbbadri
Motivator
‎07-03-2017 07:35 AM

Please check you have proper file read/write permission on authentication.conf

0 Karma
Reply

sloshburch
Splunk Employee
Splunk Employee
‎07-06-2017 10:16 AM

"On all Search Heads" is this in a Search Head Cluster? Directly editing the conf files in a SHC could break the cluster.

I agree that you need to check with btool, not the conf file, to see what's up. Sometimes the hashed version of the password ends up getting stored in another conf file and you wouldn't see it until you comment out the one being loaded and see what else is potentially loaded.

0 Karma
Reply
Get Updates on the Splunk Community!

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...

Explore the Latest Educational Offerings from Splunk (November Releases)

At Splunk Education, we are committed to providing a robust learning experience for all users, regardless of ...

New This Month in Splunk Observability Cloud - Metrics Usage Analytics, Enhanced K8s ...

The latest enhancements across the Splunk Observability portfolio deliver greater flexibility, better data and ...