Solved: LDAP errors after an employee is replaced and owne...

rcreddy06 · ‎12-31-2015

We have an employee replacement and the saved searches & objects ownership was changed from $SPLUNK_HOME/etc/<app>/metadata/local.meta file and restarted splunkd. All the objects were accessible & reports are running fine under new employee's ID. But I still see LDAP error logs "User not found". He's still in the LDAP. I believe the errors in splunkd is caused by $SPLUNK_HOME/etc/users/<Employee-ID>. If I delete the folder , What is its impact?

jkat54 · ‎12-31-2015

I believe this answers it:

http://docs.splunk.com/Documentation/Splunk/6.2.5/Security/BestpracticeforremovinganLDAPuser

View solution in original post

Raghav2384 · ‎12-31-2015

+1 to jkat's answer...also, if you edit anything in local.meta and save, you don't need a splunk restart. It will refresh eventually or you can trigger

splunk _internal call /authentication/providers/services/_reload -auth admin:password

If the status return is 200, you are good!

Thanks,
Raghav

jkat54 · ‎12-31-2015

Yeah you should probably have a script for hitting this endpoint on every server in your environment and run the script daily and after any role based access changes.

The idea of doing it daily is more of a precaution you MIGHT want to implement. It doesn't hurt anything to hit this endpoint, but unless your company is turning over employees daily, there's probably no need to hit it daily.

jkat54 · ‎12-31-2015

I believe this answers it:

http://docs.splunk.com/Documentation/Splunk/6.2.5/Security/BestpracticeforremovinganLDAPuser

LDAP errors after an employee is replaced and ownerships were edited in $SPLUNK_HOME/etc//metadata/local.meta

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?