We are having LDAP enabled for user management. I add user id in authentication.conf. then run the command splunk reload deploy-server. This command pushes authentication.conf to all pooled Search Head.
How ever users are not able to login.
Only after running 'splunk reload auth' in each SearchHead, user is able to login.
why should i run reload auth in every search head ? Is there any alternative ?
I'm seeing the below note in the link http://docs.splunk.com/Documentation/Splunk/latest/admin/SetupuserauthenticationwithLDAP
but i will have to reload auth when i add new users. Else they are not able to login.
Should i make some other changes?
Note: Splunk automatically checks LDAP membership information when a user attempts to log into Splunk. You do not need to reload the authentication configuration when adding or removing users.
I'm not sure if there is some confusion here.
Within Splunk you map groups to roles. When a user logs in Splunk will check against your LDAP server, whatever groups they are a member of will be checked against the roles available and they will either be allowed to login or not.
You don't need to add user id's through a config this way. If you add a user to Splunk via the config then they are a local user and you will need to reload Splunk. Otherwise the correct way to add a new user is just to add them to the LDAP server and they will then be able to login. (Again, assuming they have membership of a group that is mapped to a role)
I'm not sure if there is some confusion here.
Within Splunk you map groups to roles. When a user logs in Splunk will check against your LDAP server, whatever groups they are a member of will be checked against the roles available and they will either be allowed to login or not.
You don't need to add user id's through a config this way. If you add a user to Splunk via the config then they are a local user and you will need to reload Splunk. Otherwise the correct way to add a new user is just to add them to the LDAP server and they will then be able to login. (Again, assuming they have membership of a group that is mapped to a role)
Yes, the only problem is you are reloading everything through that. You will want to actually find the correct endpoint to reload auth services and only hit that, and I would do it via the web and not the CLI (just so you don't have to ssh to each machine 🙂 ). If you just hit that you will force a reload of everything which will hit performance unnecessarily
Thanks for all your time
I just found that we can reload using the following
./splunk reload auth -uri https://splunkserver:8089/
Oh and another suggestion would be to have specific groups created for each of the teams. Map those groups against the splunk roles and then by default, each time someone joins a team they will have access to those dashboards and you won't need a reload.
hmm, something like, http://SPLUNKSERVER:8000/en-US/debug/refresh?entity=/admin/auth-services may reload the config over the web. I think this will kick people out that are currently logged in. Maybe give that a try? If that works you could just make a shell script or a quick python script that you fire than hits that to reload each time you push out an update
I understand, turnaround time for adding people to LDAP group is very high in my organization. Also there are multiple teams who want to create dashboards and share only with their team members. so creation of roles happen a lot. your suggestions ?
Right, from memory (its been a few months since I've done an LDAP setup) you really should map groups against roles with that config, NOT users. By mapping users against roles you aren't actually gaining many benefits from using LDAP except for the single user account. By mapping groups against roles you will not have to push out a new config each time a new user is added. Instead you add them to the group on your LDAP server, that is the intended method of using this.
Thank you.
We use LDAP authentication but define roles in authorise.conf and use them. We are using ldap for authentication and splunk for access restriction (roles).
Now to map user to splunk defined role, i add them under [roleMap_AD] in authentication.conf as role_name = user id1,user id2,....
Now with this setup, i have to reload in each Search Head. Is there any way i can simplyfy this. We have 10 SH and doing it ten times if not a good idea