Which Splunk instance should be chosen for LDAP authentication?


I was wondering what the best practice is when choosing where to configure LDAP authentication. I'm just not sure which instance.

I currently have a 10 VM environment separated as:

  • 1 Deployment Server
  • 1 Master Node + 3 Indexers
  • 1 Cluster Master + 2 Search heads
  • 2 Universal Forwarders
0 Karma


I'm going to combine the approaches of @woodcock and of @SloshBurch.

[1] Every Splunk server gets the same authentication app (except forwarders because read below)
[2] All indexers have the Splunk Web UI disabled, so only search heads, deployment servers, and other infrastructure nodes are log-in-able (except via REST API)
[3] UFs have the REST API port disabled entirely - manage them via configuration management and you'll never need to log in.

If I'm in a highly secure environment, I might deploy different authorization (not authentication but authorization) for my DS and CM and so forth so that my "most basic generic user role" (might be user, might not be?) has practically no access at all via that node. Sure they can authenticate, but they can't do anything;.

Ultra Champion

oooo. I like. Lazy question: what setting do you use for disabling REST API on forwarders? Feel free to call me out and say I should just read the docs...I would deserve it 😉

0 Karma

is that mean , if indexer have the UI enable, i not able to setup ldap?

caz i notice problem ldap setup in indexer ui

Access controls » Authentication method » LDAP strategies - ldap strategy but
i cant Map groups under Actions
in Searchhead/Deployment server all working but not in indexer ui.

0 Karma

Ultra Champion

Make sure the password is correct in the LDAP strategy and then restart to get it to hash again. Also, check your _internal events for correlating error messages.

If that still doesn't resolve, open a support case cause you might need someone to work with you in real time to find exactly what config is wrong.

0 Karma


Ultra Champion

Ha ha. Thanks for that. I appreciate that the author kept it minimal. For anyone looking for just that setting:


disableDefaultPort = true|false
* If true, turns off listening on the splunkd management port
  (8089 by default)
* This setting is not recommended:
  * This is the general communication path to splunkd.  If it is disabled,
    there is no way to communicate with a running splunk.
  * This means many command line splunk invocations cannot function,
    splunkweb cannot function, the REST interface cannot function, etc.
  * If you choose to disable the port anyway, understand that you are
    selecting reduced Splunk functionality.
* Default value is 'false'.
0 Karma

Ultra Champion

I am a fan of creating an authentication app that gets deployed everywhere. I do that because I also disable the passwd file in $SPLUNK_HOME/etc/passwd. The result is that only authenticated users can access splunkd on any splunk instance (even forwarders). This ensures that I have an audit of access and changes to the instances as best as splunk can do it.

Esteemed Legend

Users only get to log into the Search Head. I would manually create local admin users on the other nodes.


Where do these users need to login? If you are giving them access to just perform searches then typically you would just configure ldap authentication on the search head cluster.