I am using TFTI agent with a splunk script to get user authentication. I use the "usermapping.py" file to map the user requesting access through the TFTI client to the role the user is assigned to have. I am using the "passwd" file to map the user to the display name. I have changed the pamscripted.py file to look for the passwd file in ~/etc/system/local and to get the user info like this.
def getUsers( infoIn ):
    # just going to use /etc/passwd here but you may use any method you wish.
    FILE = open("/opt/splunk/etc/system/local/passwd" ,"r")
    fileLines = FILE.readlines()
All is working fine and only authenticated users that are in the usermapping.py file are granted access and are restricted to their role.
Here is my problem. Only the first 50 users show up in the Splunk Web as scripted users and only the first 50 users can see their saved reports/alerts/dashboards.
The users can save the work and call it with the link but they can not select it or see it in the Splunk Web.
Any help would be great
We started using scripted authentication in 4.1 and are now at 6.5
I don't know when this limitation was introduced.
Any ideas or help would be greatly appreciated.
Users private knowledge objects should be stored under /opt/splunk/etc/users/ directory.
If Splunk Web does not seem to be able to list some users and their knowledge objects, it could indicate an issue at this level?
Are you able to check if that directory exists on the filesystem for one of the users that is subject to the problem?
Taking a saved search for example (still for one user with the problem), can you find in which configuration file it is residing using btool:
/opt/splunk/bin ./splunk btool --debug savedsearches list "<savedsearch>"
Another idea could be to run the following SPL rest:
| rest /services/authentication/users
Eventually you could get an error message that could help find the issue.
Finally I would suggest searching _internal logs for errors. Users and saved searches panels are populated using rest api calls, so you may see errors in there that could help too.
A last one, if possible: temporarily remove one of the 50 first users and see if user 51 (now 50) behaves properly.
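Added example (not part of the original thread, and not Splunk's own code): a small Python check that combines the directory test suggested above with the 50-user cutoff from the question. It assumes the passwd file uses the usual colon-separated layout with the login name in the first field; the function names `audit_users` and `summarize` are hypothetical, and the paths are the ones quoted in the thread.

```python
import os

PASSWD = "/opt/splunk/etc/system/local/passwd"   # path from the question
USERS_DIR = "/opt/splunk/etc/users"              # path from the answer
LIMIT = 50                                       # cutoff reported in the question


def audit_users(passwd_path=PASSWD, users_dir=USERS_DIR, limit=LIMIT):
    """Return one record per passwd entry, in file order.

    Assumes the usual colon-separated passwd layout with the login name
    in the first field (an assumption; adapt to your own file format).
    """
    records = []
    seen = set()
    with open(passwd_path, "r") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            name = line.split(":", 1)[0]
            if not name or name in seen or "/" in name:
                continue  # skip blank, duplicate or path-like names
            seen.add(name)
            position = len(records) + 1
            records.append({
                "position": position,
                "user": name,
                "past_limit": position > limit,
                "has_dir": os.path.isdir(os.path.join(users_dir, name)),
            })
    return records


def summarize(records):
    """Split users past the cutoff by whether their directory exists."""
    past = [r for r in records if r["past_limit"]]
    return {
        "total": len(records),
        "past_limit_with_dir": [r["user"] for r in past if r["has_dir"]],
        "past_limit_without_dir": [r["user"] for r in past if not r["has_dir"]],
    }


if __name__ == "__main__":
    if os.path.exists(PASSWD):
        for key, value in summarize(audit_users()).items():
            print(key, value)
```

Users listed under `past_limit_with_dir` have a private directory on disk even though they sit beyond position 50, which narrows the problem to how the users are listed rather than to where their objects are stored.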
According to your situation, I guess it is the user limit in Splunk Web?
I have searched the splunk doc to find some instructions about the user's number setting.
Hope well.
https://docs.splunk.com/Documentation/Splunk/6.6.0/Admin/Limitsconf