Security
Highlighted

Removed users from LDAP authentication but didn't remove them from Splunk users

Path Finder

Hello,

I see that there is documentation on this topic, but it is very unclear how it should be operating. So I am using LDAP authentication for Splunk and I removed a large group of users from my LDAP authentication step on a seperate application. However, this didn't remove the users from my list of splunk users. So I removed one specific user's folder in splunk/etc/users and the user is still not removed the splunk user list in UI. How should all of this functionality be working?

If I remove the user from my LDAP authentication on my seperate app- will that user not be able to log in? Even though they are still listed a splunk user in my Access Controls- User list on the web?

Thanks for the help!

0 Karma
Highlighted

Re: Removed users from LDAP authentication but didn't remove them from Splunk users

Ultra Champion

-- So I am using LDAP authentication for Splunk and I removed a large group of users from my LDAP authentication step on a separate application.

What does it mean?

0 Karma
Highlighted

Re: Removed users from LDAP authentication but didn't remove them from Splunk users

Explorer

I am assuming that you have removed a group from AD Users and computers. If so, try Load authentication in Splunk GUI on specific Search Head. It will remove the users from Splunk.

0 Karma
Highlighted

Re: Removed users from LDAP authentication but didn't remove them from Splunk users

SplunkTrust
SplunkTrust

Hi katzr,

If you remove or modify the group or user on the LDAP provider, you need to tell Splunk to reload the authentication using either this REST call

 | rest splunk_server=* /services/authentication/providers/services/_reload

or this CLI Splunk command

./splunk _internal call /authentication/providers/services/_reload -auth

This will refresh/reload the LDAP provider information and your removed users/group should be gone.
If the users/group is still visible, check with non-Splunk LDAP tools against the LDAP provider and see what you actually get back.

Hope this helps ...

cheers, MuS

Highlighted

Re: Removed users from LDAP authentication but didn't remove them from Splunk users

Splunk Employee
Splunk Employee