I'd like to convert a busy server with a bunch of users from default auth to LDAP. How can I do so without losing any of their saved searches and other data?
You will have to first identify the local auth user ids (./splunk list user). You will then need to modify your saved searches.conf and swap the userid= field in each stanza to be the ldap userid. I would recommend migrating auth to LDAP, creating one saved search as an LDAP user so you can verify that you have the format of the LDAP userid, and then making the changes to the existing saved searches. Once you finish modifying the savedsearches.conf you will need to restart Splunk.
You will have to first identify the local auth user ids (./splunk list user). You will then need to modify your saved searches.conf and swap the userid= field in each stanza to be the ldap userid. I would recommend migrating auth to LDAP, creating one saved search as an LDAP user so you can verify that you have the format of the LDAP userid, and then making the changes to the existing saved searches. Once you finish modifying the savedsearches.conf you will need to restart Splunk.
In versions 4.x, changing the userid field will only change the ownership of shared items. To make sure that private items are also connected to the old user, the contents of the directory $SPLUNK_HOME/etc/users/olduserid
must be copied or moved to $SPLUNK_HOME/etc/users/newuserid
.
The easiest way to identify the local Splunkauth users is to check your $SPLUNK_HOME/etc/passwd file which is in the same format as unix passwd.
Figure out which of these users correspond to which LDAP users.
Then locate your user's savedsearches and swap out the userid field with the corresponding ldap userid.