I'm new to the Splunk Admin role and have a distributed environment. I have a single search head in a cluster that keeps locking an account out. We use LDAP to authenticate into Splunk and this search keeps attempting log a user in, even when they are not attempting to log in. Any idea how to fix this?
Splunk and LDAP are a finicky beast. The default depth of validation is 1000. Additionally, if a LDAP user is attached to more than one Splunk role, the first one that validates terminates further validation. Meaning, if I have a valid LDAP/AD account, but have more than one Splunk account, the first one wins. Or, if I have both a valid LDAP and Splunk account, but fall beyond the default 1000 search limit, I'll never validate, since Splunk will timeout (by default settings) before finding me.