6.2.2 search head cluster: how to manage roles (authorize.conf), ldap groups (authentication.conf) using deployment server (deployer)

sim_tcr
Communicator

Hello,

We are on splunk 6.2.2 with search clustering. We have 4 search heads. Our search heads are LDAP enabled.
Regularly we have to create new roles and map these new roles to new LDAP security groups.
If we have to do it manually, we end up creating new roles in each search head and mapping the new role to the LDAP group in $SPLUNK_HOME/etc/system/local/authentication.conf on each search head.

Is there a way we can push these files to each search head using deployment server (deployer)?

I searched a lot in the Splunk docs and nowhere do they explain how to replicate roles and authentication.conf.

Please assist.

Thanks,
Simon Mandy

teunlaan
Contributor

You can use the deployer to sync the settings to your SH cluster, but keep in mind that you CAN'T edit the settings on the SHs themselves (the settings won't be synced).

We made an "app" with all these config files, and let the deployer deploy them (apply shcluster-bundle). You only need to set the LDAP password on the SHs once, in a location where it won't be replaced by the deployer.

We create authentication.conf in etc/system/local with only:

[SPLUNK]
bindDNpassword = xxxxxxxxxxxx <just type the password, it will encrypt it at startup>

The rest of the settings are pushed to /etc/apps/baseconfig/default/....

awurster
Contributor
[SPLUNK]
...

i'm not 100% sure but figured i should clarify that the stanza name above "SPLUNK" needs to match whatever stanza name. so in my case i put "ldap-auth" as the stanza name in both files.

this is honestly the best answer i've seen presented so far between the docs and one other answer. the method proposed in the documentation of just simply copying the file over into master apps is not a smart one... it's better to have some automation drop the file in etc/system/local on each system instead.

hopefully splunk can fix this type of settings in the future to be more streamlined like with indexer clustering. setup and maintenance of SHC is way too complicated and not documented strongly enough IMHO.

0 Karma

sim_tcr
Communicator

Thank you for replying.

So here is what I did, I created /apps/splunk/etc/shcluster/apps/baseconfig/local
I placed authorize.conf (with new role) and authentication.conf (with new role vs LDAP group mappings) at the above location and then I did
splunk apply shcluster-bundle -target :8089 -auth admin:
The new role got added and the new LDAP group also applied, which is good. However, I had set the new role's default app as 'search' (default_namespace = search), which did not get applied.

Any thoughts?

0 Karma

teunlaan
Contributor

Didn't it get applied for new or existing users?
For new users it should work. Existing users have probably already set the default_namespace, somewhere in the users folder.

Also, by pushing it from the deployer, your local files will be merged at the SHs into /default. It could be that there is still a local setting (in an app) overruling the config you just deployed.

0 Karma
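
A pre-push check for the layout described in this thread, as an added example that is not from any of the posters or from Splunk: it flags a bindDNpassword left in the deployer bundle (the thread keeps it in etc/system/local on each search head) and roleMap entries naming a role that no authorize.conf in the bundle defines. The role and group names, the sample file contents and the built-in role list are assumptions.

```python
import re
from pathlib import Path
BUILTIN_ROLES = {"admin", "power", "user", "can_delete"}  # assumption: roles Splunk ships by default

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}} (line continuations not handled)."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def load_bundle(apps_dir):
    """Read default/ and local/ .conf files under <deployer>/etc/shcluster/apps."""
    return {str(p): p.read_text() for p in Path(apps_dir).glob("*/*/*.conf")
            if p.parent.name in ("default", "local")}

def lint_bundle(files):
    """Return (path, stanza, problem) tuples for a {path: text} bundle."""
    findings, defined, mapped = [], set(BUILTIN_ROLES), []
    for path, text in sorted(files.items()):
        stanzas = parse_conf(text)
        if path.endswith("authorize.conf"):
            # [role_<name>] stanzas define the roles the bundle creates
            defined |= {s[len("role_"):] for s in stanzas if s.startswith("role_")}
        elif path.endswith("authentication.conf"):
            for name, keys in stanzas.items():
                if "bindDNpassword" in keys:  # secret would be pushed to every member
                    findings.append((path, name, "bindDNpassword in pushed bundle"))
                if name.startswith("roleMap_"):  # keys are role names, values LDAP groups
                    mapped += [(path, name, role) for role in keys]
    findings += [(p, s, f"role '{r}' has no [role_{r}] stanza")
                 for p, s, r in mapped if r not in defined]
    return findings

# Constructed sample: app "baseconfig" and stanza "ldap-auth" come from the thread, the rest is made up.
SAMPLE = {
    "baseconfig/local/authorize.conf": "[role_soc_analyst]\nimportRoles = user\n",
    "baseconfig/local/authentication.conf": (
        "[authentication]\nauthType = LDAP\nauthSettings = ldap-auth\n"
        "[ldap-auth]\nbindDNpassword = constructed-placeholder\n"
        "[roleMap_ldap-auth]\nsoc_analyst = SOC-Analysts\nsoc_admin = SOC-Admins\n"),
}

if __name__ == "__main__":
    print(*lint_bundle(SAMPLE), sep="\n")
```

Run it against the deployer with `lint_bundle(load_bundle("<path to etc/shcluster/apps>"))` before applying the bundle; an empty list means neither problem was found.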