Wanted to check if any of you have used LDAP only for Authentication and then handled the roles using splunk internal roles management.
Documentation suggests we could do this by doing a config which tricks LDAP to treat each user as LDAP group.
IF you have implemented pls share details, pros and cons if any.
Also , in such imlementation, once the user is deleted in LDAP , then we would have to take care of removing the roles mapped to this deleted user on the splunk end right? If you could share insights on this.
You just have to map the LDAP groups to spunk roles, it works great in my experience. Only down side is if someone is pushing a role/mapping from the SHC Deployer and someone using the SHC GUI to apply/adds roles, this will cause issues and will remove all index access to the role that sees configs from the deployer and the local SHC configs.
its easy to run audits with Splunk rest commands.
Yes I have implemented users to roles directly using Splunk doc link which you have provided, it converts user into group when splunk fetch user info from AD/LDAP which works good to control user level access instead of group level but there are cons.
In short if you have less number of users (<100) then I'll suggest to go with this route otherwise not but it still depends on many factors like SH resources, number of scheduled searches.
Thank you harsmarvania57 for the details , great to hear its been implemented. Ours is SH cluster with 1200+ users & we are asked to work on this approach.
Have below questions, can you please shed more light on them
1) How did you map the users to the roles, is it using rest api or via splunk gui? Hope it is rest api. Also if needed i think we would be able to map the user to role from gui as well right?
2) Once the user is mapped to role, do you call some end point to refresh the authentication ? Hope refresh does not need restart of splunk instance.
On your cons #1 & #2 , is this not the case where we use LDAP groups instead of user as group? Also this delay is caused due to the user to group conversion part is it? How are listing these cons, did you compare?
On #3, if we use REST API, it is enough if we remove on the master and then the changes will be circulated to all the cluster members right?
Also can you please check below question of mine and let me know how you tackle it in your implementation.
Please find below answers
When you use LDAP groups to map with roles it is giving faster auth compare to group to user conversion and act that user as group, I don't have actual benchmark results for this but I have seen delay when we convert user to group.
When you use REST API, you need to fire that REST API on any single SH member in SH Cluster and it will automatically replicate configuration to other members in same SH cluster (I wrote script for this for one of the customer and script was using REST API and it was working fine to provide access but you need to provide access for each and every role(s), For exa. you have 100 roles then it was difficult to provide access to user(s) for all 100 roles, more development was needed for that script but I am no more working for that customer)
For your another question, we were running search to pull all users with roles once a week and ingesting those into summary index and after few hours another search runs on weekly basis to compare last 2 week results and if any users removed from LDAP then that scheduled search sent email to Splunk Admins and then Admin use that script to remove users from authentication.conf
@harsmarvania57 thank you very much for sharing such detailed inputs for each of the questions. Will reach back if i run into any issues with this implementation, please do keep an eye on this thread:). Apologies for delay in reverting back as i have been swarmed by other application issues and this task was off my radar for a while.