Because of some internal measures, we must change some settings within our Splunk installation. For example, we need strong authentication, which I'll provide with an Apache that will authenticate the user based on a client certificate and Kerberos auth.
Within Splunk, I use the LDAP option for authentication. Currently, the username is only "user" and not "user@domain". Because of the configuration with the Kerberos auth, I must change the usernames to "user@domain".
Now I've created a second LDAP strategy with the modified username value. This modification has the consequence that each user now exists twice: "user" and "user@domain".
Until now, I've had no problems - authentication with the old and the new user is working fine. The problems are the following:
Is it a good choice to use the FQDN in addition to the username? In the filesystem, the folder names also contain the @ character. Is this maybe a problem for the OS/software!?
How can I copy the existing user configurations such as saved searches/reports/dashboards to the new user profiles? I've tried to copy the complete content of the user folder "user" to "user@domain". The curious thing is that not every configuration is visible in the new profile; for example, out of 10 saved searches, only 6 are available. Within the savedsearches.conf in the filesystem, I can see the missing configurations. I've already restarted the Splunk daemon and executed the refresh function ( https://.../de-DE/debug/refresh ). I've also tried the solution from this thread (https://answers.splunk.com/answers/169872/how-to-copy-savedsearchesconf-from-one-user-to-ano.html). Sadly, it has not solved my problem because the "vsid" attribute is not present in my conf file.
Does anyone have an idea!?