Security

Why should I run reload auth every time I add users (LDAP enabled)?

ma_anand1984
Contributor

We have LDAP enabled for user management. I add the user ID in authentication.conf, then run the command splunk reload deploy-server. This command pushes authentication.conf to all pooled Search Heads.

However, users are not able to log in.

Only after running 'splunk reload auth' on each Search Head is the user able to log in.

Why should I run reload auth on every search head? Is there any alternative?

I'm seeing the below note in the link http://docs.splunk.com/Documentation/Splunk/latest/admin/SetupuserauthenticationwithLDAP

But I have to reload auth when I add new users; otherwise they are not able to log in.

Should I make some other changes?

Note: Splunk automatically checks LDAP membership information when a user attempts to log into Splunk. You do not need to reload the authentication configuration when adding or removing users.

Drainy
Champion

I'm not sure if there is some confusion here.

Within Splunk you map groups to roles. When a user logs in, Splunk will check against your LDAP server; whatever groups they are a member of will be checked against the roles available, and they will either be allowed to log in or not.

You don't need to add user IDs through a config this way. If you add a user to Splunk via the config then they are a local user and you will need to reload Splunk. Otherwise the correct way to add a new user is just to add them to the LDAP server and they will then be able to log in. (Again, assuming they have membership of a group that is mapped to a role.)

Drainy
Champion

Yes, the only problem is you are reloading everything through that. You will want to actually find the correct endpoint to reload auth services and only hit that, and I would do it via the web and not the CLI (just so you don't have to SSH to each machine 🙂). If you just hit that, you will force a reload of everything, which will hit performance unnecessarily.

ma_anand1984
Contributor

Thanks for all your time.
I just found that we can reload using the following:
./splunk reload auth -uri https://splunkserver:8089/

Drainy
Champion

Oh, and another suggestion would be to have specific groups created for each of the teams. Map those groups against the Splunk roles and then by default, each time someone joins a team, they will have access to those dashboards and you won't need a reload.

Drainy
Champion

Hmm, something like http://SPLUNKSERVER:8000/en-US/debug/refresh?entity=/admin/auth-services may reload the config over the web. I think this will kick out people that are currently logged in. Maybe give that a try? If that works, you could just make a shell script or a quick Python script that you fire that hits that to reload each time you push out an update.

ma_anand1984
Contributor

I understand. The turnaround time for adding people to an LDAP group is very high in my organization. Also, there are multiple teams who want to create dashboards and share them only with their team members, so creation of roles happens a lot. Your suggestions?

Drainy
Champion

Right, from memory (it's been a few months since I've done an LDAP setup) you really should map groups against roles with that config, NOT users. By mapping users against roles you aren't actually gaining many benefits from using LDAP except for the single user account. By mapping groups against roles you will not have to push out a new config each time a new user is added. Instead you add them to the group on your LDAP server; that is the intended method of using this.

ma_anand1984
Contributor

Thank you.
We use LDAP authentication but define roles in authorize.conf and use them. We are using LDAP for authentication and Splunk for access restriction (roles).

Now, to map a user to a Splunk-defined role, I add them under [roleMap_AD] in authentication.conf as role_name = user id1,user id2,....

Now with this setup, I have to reload on each Search Head. Is there any way I can simplify this? We have 10 SH, and doing it ten times is not a good idea.
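
The group-to-role mapping recommended in the replies, next to the per-user mapping described in the post above, as an added example that is not part of the original thread or Splunk's own documentation. The host, DNs, group names and the custom roles team_a and team_b are constructed placeholders; only the [roleMap_AD] stanza name and the role_name pattern come from the thread.

```ini
# authentication.conf (constructed example; hosts, DNs, groups and custom roles are placeholders)
[authentication]
authType = LDAP
authSettings = AD

[AD]
host = ldap.example.com
port = 636
SSLEnabled = 1
bindDN = cn=splunk-bind,ou=Service Accounts,dc=example,dc=com
bindDNpassword = <placeholder>
userBaseDN = ou=People,dc=example,dc=com
userNameAttribute = sAMAccountName
realNameAttribute = displayName
# Groups are looked up here on each login and matched against roleMap_AD.
groupBaseDN = ou=Groups,dc=example,dc=com
groupNameAttribute = cn
groupMemberAttribute = member

# Per-user pattern described in the thread: every new user means editing this
# stanza, pushing the file and reloading auth on each search head.
# [roleMap_AD]
# role_name = user id1,user id2,....

# Group pattern: the right-hand side lists LDAP groups (semicolon-separated).
# Adding a person to a group on the LDAP server changes nothing in this file,
# so no push and no reload is needed for new users.
[roleMap_AD]
admin = Splunk-Admins
# team_a and team_b are hypothetical custom roles defined in authorize.conf.
team_a = Splunk-TeamA
team_b = Splunk-TeamB;Splunk-TeamB-Contractors
```

With this layout the file changes only when a new role or group is introduced, not when team membership changes.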
