In my splunkd.log, these messages repeat constantly (several times per minute). I turned on INFO-level logging to see if the extra information is useful. This user, "bnorthway", is an OS user (Linux), but not an LDAP user. There also used to be a Splunk (non-LDAP) user, but this account has been deleted.
Why is Splunk trying to find this account on the LDAP server? How can I stop this?
ERROR AuthenticationManagerLDAP - Could not find user="bnorthway" with strategy="<domain>"
ERROR UserManagerPro - Failed to get LDAP user="bnorthway" from any configured servers
INFO UserManagerPro - No user context available while checking capability=, auditInfo=""
If the user bnorthway owns/created any Splunk artifacts (like scheduled searches, alerts, etc.), you can change the ownership from bnorthway to nobody.
For example, to change the ownership for searches owned/created by bnorthway:
Search for the user in local.meta under $SPLUNK_HOME/etc/apps/search/metadata/.
Replace all occurrences of owner = bnorthway with owner=nobody.
As per the documentation, Splunk will check against all configured access strategies. By default, it searches Splunk local users first and then any other strategy configured.
(Ref: http://docs.splunk.com/Documentation/Splunk/latest/Security/ConfigureSplunkToUsePAMOrRADIUSAuthentic... )
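The search-and-replace steps described above, as an added script that is not part of the original answer: it goes beyond the search app and checks local.meta in every app under the directory it is given (for a real instance, $SPLUNK_HOME/etc/apps), matching the owner name exactly and keeping a .bak copy of each file it changes. The function names and the sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer; function names are hypothetical.

# Shared awk helper: return the trimmed value of an "owner = value" line.
owner_fn='function owner_of(l) { sub(/^[ \t]*owner[ \t]*=[ \t]*/, "", l)
                                 sub(/[ \t\r]+$/, "", l); return l }'

# Print "file: [stanza]" for each stanza owned by user $2 in any app under $1.
list_owned() {
    local f
    for f in "$1"/*/metadata/local.meta; do
        [ -f "$f" ] || continue
        awk -v u="$2" -v f="$f" "$owner_fn"'
            /^\[/ { stanza = $0 }
            /^[ \t]*owner[ \t]*=/ && owner_of($0) == u { print f ": " stanza }' "$f"
    done
}

# Set owner to $3 (default: nobody) wherever it is exactly $2; keeps local.meta.bak.
reassign_owner() {
    local f new=${3:-nobody}
    for f in "$1"/*/metadata/local.meta; do
        [ -f "$f" ] || continue
        awk -v u="$2" -v n="$new" "$owner_fn"'
            /^[ \t]*owner[ \t]*=/ && owner_of($0) == u { $0 = "owner = " n }
            { print }' "$f" > "$f.new"
        if cmp -s "$f" "$f.new"; then
            rm -f "$f.new"                      # nothing owned here, leave untouched
        else
            cp -p "$f" "$f.bak" && cat "$f.new" > "$f" && rm -f "$f.new"
        fi
    done
}

# Constructed sample tree standing in for $SPLUNK_HOME/etc/apps.
make_sample() {
    mkdir -p "$1/search/metadata" "$1/myapp/metadata"
    printf '%s\n' '[savedsearches/Disk%20alert]' 'owner = bnorthway' 'export = system' \
        '[savedsearches/Other]' 'owner = bnorthway2' > "$1/search/metadata/local.meta"
    printf '%s\n' '[views/dash]' 'owner=bnorthway' > "$1/myapp/metadata/local.meta"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
list_owned "$demo_dir" bnorthway        # stanzas still owned by the deleted user
reassign_owner "$demo_dir" bnorthway    # rewrite them to owner = nobody
list_owned "$demo_dir" nobody
rm -rf "$demo_dir"
```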
Where would I find the configuration that is attempting to find this user?