How can I set up LDAP for all my Splunk servers at one time? Am I going to have to set this up individually on each server or do they sync this config?
I would handle it with an Orchestration Tool like:
- Puppet
- Chef
- Ansible
- CFEngine
I like the comment from @jeremiahc4 overall
Also, remember that only the search heads need to have LDAP authentication set up, because those are the only servers where users should be allowed to log in.
Users should not be logging into the indexers and so user credentials are not needed on these machines. I generally turn off the GUI on indexers. In an indexer cluster, I definitely turn off the GUI on the indexer peers - even Splunk admins should not be routinely logging in on indexer peers.
Login is only possible when an LDAP/AD group is mapped to a Splunk role.
e.g.
In AD there are two groups:
- splunk_user
- splunk_admin
On SH:
- splunk_user is mapped to role user
- splunk_admin is mapped to role admin
On Indexer/HFw etc.:
- splunk_admin is mapped to role admin
On SH, users can log in... on the others not.
Are you using a Deployment Server, Cluster Master (for an index cluster), or Deployer (for a search head cluster)?
If so, you can set it up as an app there and distribute it from one of those. The method will vary depending on which one you use.
For instance on our search head cluster, we have an app called org_all_authentication in the etc/shcluster/apps on the Cluster Master server. Inside that file we have an authentication.conf which sets up the LDAP binding and maps the LDAP groups to the Splunk roles.
This app is then applied to the cluster and now we have LDAP authentication.
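As an added example (not the poster's own app and not taken from the page), here is what the authentication.conf inside such an app can look like, implementing the group-to-role mapping from the earlier answer. The strategy name, LDAP host, DNs, service account and file path are assumed placeholder values.

```ini
# Assumed path: $SPLUNK_HOME/etc/shcluster/apps/org_all_authentication/local/authentication.conf
# Added example. Splunk .conf files only honour comments on their own line, so none are inline.

[authentication]
authType = LDAP
# name of the strategy stanza below (assumed name)
authSettings = corp_ad

[corp_ad]
# placeholder AD host; port 636 + SSLEnabled keeps the bind password and user passwords off the wire
host = ad.example.com
port = 636
SSLEnabled = 1
# dedicated read-only service account (placeholder DN); do not reuse a human admin account
bindDN = CN=svc-splunk,OU=Service Accounts,DC=example,DC=com
bindDNpassword = CHANGE_ME
userBaseDN = OU=Users,DC=example,DC=com
userBaseFilter = (objectclass=user)
userNameAttribute = sAMAccountName
realNameAttribute = displayName
emailAttribute = mail
groupBaseDN = OU=Groups,DC=example,DC=com
groupBaseFilter = (objectclass=group)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn

# Splunk role -> LDAP group. Only members of a group listed here can log in at all,
# which is the behaviour described in the earlier answer.
# Search head variant: both mappings present.
# Indexer / heavy forwarder variant: keep only the admin line, so ordinary users cannot log in there.
[roleMap_corp_ad]
admin = splunk_admin
user = splunk_user
```

Deploy the app through the deployer (or deployment server / cluster master for the other tiers) rather than editing each search head, and verify the result with a test login from one member of each group.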