Splunk Enterprise Security

Will I be able to install and run the Splunk App for Enterprise Security on Linux with an LDAP service account?

brent_weaver
Builder

We are installing Splunk on CentOS Linux in the next week or so. Our service accounts are going to be on an LDAP server. Will I be able to install and run the Splunk App for Enterprise Security with an LDAP service account?

0 Karma

tskinnerivsec
Contributor

Since you are referring to an operating system level account and not one within the Splunk application, you will need to use a samba-client component on your Linux server such as winbind. You will install those components and configure them to participate in Active Directory. This will allow you to create an Active Directory synced account on your operating system. Then you can use that account and follow the Splunk installation procedure for installing with a non-privileged account.

tskinnerivsec
Contributor

Yes, you will. You will be able to use a combination of two Splunk configuration files, authentication.conf and authorization.conf, to configure LDAP authentication for Splunk and create/map Splunk roles to security groups in Active Directory. Here are two good references covering the ways Splunk can integrate with Active Directory/LDAP, all at the application level, so it won't matter what operating system you are running it on.

http://blogs.splunk.com/2009/08/13/ldap-auth-configuration-tips/

http://docs.splunk.com/Documentation/ActiveDirectory/1.2.2/DeployAD/ConfiguretheSA-ldapsearchsupport...

0 Karma
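The application-level setup described in the reply above, sketched as an added example (not from the original post or from the linked references). The strategy name `corp_ad`, the host, every DN, the AD group names and the `soc_analyst` role are constructed placeholders; the file locations assume a default `$SPLUNK_HOME/etc/system/local/` layout.

```ini
# ---- authentication.conf (constructed example values) ----
[authentication]
authType = LDAP
# Name of the LDAP strategy stanza defined below (hypothetical name)
authSettings = corp_ad

[corp_ad]
host = dc01.example.com
# Use LDAPS so the bind password and user credentials are not sent
# in clear text; the weak variant would be port = 389 with SSLEnabled = 0.
port = 636
SSLEnabled = 1
# Dedicated read-only bind account, not a domain admin
bindDN = CN=svc-splunk-bind,OU=Service Accounts,DC=example,DC=com
# Placeholder; Splunk rewrites this value in encrypted form after it is read
bindDNpassword = <bind-account-password>
userBaseDN = OU=Users,DC=example,DC=com
userNameAttribute = sAMAccountName
realNameAttribute = displayName
groupBaseDN = OU=Splunk Groups,DC=example,DC=com
groupNameAttribute = cn
groupMemberAttribute = member
groupMappingAttribute = dn

# Map Splunk roles (left) to AD security groups (right).
# Users in none of the mapped groups get no Splunk role and cannot log in.
[roleMap_corp_ad]
admin = Splunk-Admins
soc_analyst = Splunk-SOC-Analysts
user = Splunk-Users

# ---- authorization.conf (constructed example values) ----
# Hypothetical custom role that inherits from the built-in "user" role
# and is limited to the indexes listed here.
[role_soc_analyst]
importRoles = user
srchIndexesAllowed = main;notable
srchIndexesDefault = main
```

Keeping the bind account read-only and the group search scoped to one OU limits what a leaked `bindDNpassword` or an unexpected group membership can grant.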

brent_weaver
Builder

Hey, thank you for your response. I am asking about the service account at a Linux level to install Splunk with. So when I install Splunk on Linux I am not going to use the Linux root account; I want to use a splunk account that is on an LDAP server. Is this possible and/or even possible?

0 Karma