I have a handful of Splunk servers. I'm trying to understand, does authentication work like deployed apps? Meaning, if I add a new role/ldap group mapping on the search head cluster master or on the deployment server, should I expect that configuration to replicate to the search heads, indexers, etc?
Or do I need to create that role and mapping on each search head individually?
On Search Head Clusters, you should NOT use "deployment-server" nor by cluster master, but the distributing component to manage Search Head is called as "deployer". So create an app with its authentication.conf and authorize.conf with the details and push it via deployer. It will go into the Search Head members and get's replicated automatically.