Security

Removed users from LDAP authentication but didn't remove them from Splunk users

katzr
Path Finder

Hello,

I see that there is documentation on this topic, but it is very unclear how it should be operating. So I am using LDAP authentication for Splunk and I removed a large group of users from my LDAP authentication step on a seperate application. However, this didn't remove the users from my list of splunk users. So I removed one specific user's folder in splunk/etc/users and the user is still not removed the splunk user list in UI. How should all of this functionality be working?

If I remove the user from my LDAP authentication on my seperate app- will that user not be able to log in? Even though they are still listed a splunk user in my Access Controls- User list on the web?

Thanks for the help!

0 Karma

brreeves_splunk
Splunk Employee
Splunk Employee

MuS
SplunkTrust
SplunkTrust

Hi katzr,

If you remove or modify the group or user on the LDAP provider, you need to tell Splunk to reload the authentication using either this REST call

 | rest splunk_server=* /services/authentication/providers/services/_reload

or this CLI Splunk command

./splunk _internal call /authentication/providers/services/_reload -auth

This will refresh/reload the LDAP provider information and your removed users/group should be gone.
If the users/group is still visible, check with non-Splunk LDAP tools against the LDAP provider and see what you actually get back.

Hope this helps ...

cheers, MuS

bsuresh1
Path Finder

I am assuming that you have removed a group from AD Users and computers. If so, try Load authentication in Splunk GUI on specific Search Head. It will remove the users from Splunk.

0 Karma

ddrillic
Ultra Champion

-- So I am using LDAP authentication for Splunk and I removed a large group of users from my LDAP authentication step on a separate application.

What does it mean?

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...