Hello,
I see that there is documentation on this topic, but it is very unclear how it should be operating. So I am using LDAP authentication for Splunk and I removed a large group of users from my LDAP authentication step on a seperate application. However, this didn't remove the users from my list of splunk users. So I removed one specific user's folder in splunk/etc/users and the user is still not removed the splunk user list in UI. How should all of this functionality be working?
If I remove the user from my LDAP authentication on my seperate app- will that user not be able to log in? Even though they are still listed a splunk user in my Access Controls- User list on the web?
Thanks for the help!
Here's a docs article on that exact topic:
https://docs.splunk.com/Documentation/Splunk/6.6.3/Security/BestpracticeforremovinganLDAPuser
Hi katzr,
If you remove or modify the group or user on the LDAP provider, you need to tell Splunk to reload the authentication using either this REST call
| rest splunk_server=* /services/authentication/providers/services/_reload
or this CLI Splunk command
./splunk _internal call /authentication/providers/services/_reload -auth
This will refresh/reload the LDAP provider information and your removed users/group should be gone.
If the users/group is still visible, check with non-Splunk LDAP tools against the LDAP provider and see what you actually get back.
Hope this helps ...
cheers, MuS
I am assuming that you have removed a group from AD Users and computers. If so, try Load authentication in Splunk GUI on specific Search Head. It will remove the users from Splunk.
-- So I am using LDAP authentication for Splunk and I removed a large group of users from my LDAP authentication step on a separate application.
What does it mean?