I see that there is documentation on this topic, but it is very unclear how it should be operating. So I am using LDAP authentication for Splunk and I removed a large group of users from my LDAP authentication step on a seperate application. However, this didn't remove the users from my list of splunk users. So I removed one specific user's folder in splunk/etc/users and the user is still not removed the splunk user list in UI. How should all of this functionality be working?
If I remove the user from my LDAP authentication on my seperate app- will that user not be able to log in? Even though they are still listed a splunk user in my Access Controls- User list on the web?
Thanks for the help!
-- So I am using LDAP authentication for Splunk and I removed a large group of users from my LDAP authentication step on a separate application.
What does it mean?
I am assuming that you have removed a group from AD Users and computers. If so, try Load authentication in Splunk GUI on specific Search Head. It will remove the users from Splunk.
If you remove or modify the group or user on the LDAP provider, you need to tell Splunk to reload the authentication using either this REST call
| rest splunk_server=* /services/authentication/providers/services/_reload
or this CLI Splunk command
./splunk _internal call /authentication/providers/services/_reload -auth
This will refresh/reload the LDAP provider information and your removed users/group should be gone.
If the users/group is still visible, check with non-Splunk LDAP tools against the LDAP provider and see what you actually get back.
Hope this helps ...