I resolved the issue after some tinkering around.
Short answer: I had to fix the LDAP connection configuration to look at groups for authentication.
More details:
Somehow, the LDAP connection configuration was modified so that it was looking at individual users, not groups (groupMappingAttribute, groupMemberAttribute and groupNameAttribute set to userNameAttribute value).
Hence it was ignoring all settings assigning roles to the group (in the authentication.conf rolemap).
I am still not clear why Splunk by default assigned every user the admin role, but the question is kind of moot now.
Thanks for all your inputs and suggestions.
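A check for the state described in the post above, added here as an example and not part of the original post or of Splunk's own tooling: it reads authentication.conf text and flags any LDAP strategy whose three group attributes all repeat the userNameAttribute value. The strategy name, host, DNs and group names in the sample are constructed placeholders, and the "all three match" rule is an assumption taken from the post's description.

```python
import configparser

GROUP_ATTRS = ("groupMappingAttribute", "groupMemberAttribute", "groupNameAttribute")

# Constructed sample reproducing the state described in the post; all names are placeholders.
SAMPLE_CONF = """\
[authentication]
authType = LDAP
authSettings = corp_ldap

[corp_ldap]
host = ldap.example.test
userBaseDN = ou=people,dc=example,dc=test
groupBaseDN = ou=groups,dc=example,dc=test
userNameAttribute = uid
groupMappingAttribute = uid
groupMemberAttribute = uid
groupNameAttribute = uid

[roleMap_corp_ldap]
admin = splunk-admins
user = splunk-users
"""

def audit_ldap_strategies(conf_text):
    """Map each LDAP strategy to the group attributes that mirror userNameAttribute."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep the camelCase setting names as written
    cp.read_string(conf_text)
    report = {}
    listed = cp.get("authentication", "authSettings", fallback="")
    for name in (s.strip() for s in listed.split(",")):
        if not name or not cp.has_section(name):
            continue
        stanza = cp[name]
        user_attr = stanza.get("userNameAttribute", "").strip().lower()
        mirrored = [a for a in GROUP_ATTRS
                    if user_attr and stanza.get(a, "").strip().lower() == user_attr]
        report[name] = {
            "mirrored": mirrored,
            # Flag only the post's exact pattern; one match alone can be a valid setup.
            "user_scoped": len(mirrored) == len(GROUP_ATTRS),
            "has_rolemap": cp.has_section("roleMap_" + name),
        }
    return report

if __name__ == "__main__":
    for name, result in audit_ldap_strategies(SAMPLE_CONF).items():
        print(name, result)
```

A strategy reported with user_scoped and has_rolemap both true has a rolemap on disk that the group lookup cannot satisfy, which is the situation the post describes.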