Authentication System Priority: LDAP over Splunk?

jchensor
Communicator

I have a situation where I've added users to Splunk via Splunk's local user Authentication System. Afterwards, I've managed to set up LDAP so that Splunk now uses LDAP Authentication.

However, since the users I created manually in the first step have the same usernames as their corresponding LDAP username, when I check the "Users" menu in Splunk's Manager, I'll see that the users' Authentication System defaults to Splunk instead of LDAP. In other words, the local Splunk Authentication System takes priority over the LDAP Authentication System.

Is there any way to SWAP this around? To have the users default to the LDAP Authentication System? I'd prefer they log in using LDAP, but I don't want to delete the local Splunk accounts just to get them to be able to use LDAP, as I may need those accounts again in the future.

Thanks!

- James

rathkon
New Member

Important: Splunk's built-in system always takes precedence over any external systems. This is the order in which Splunk authenticates a user:
1. Splunk built-in authentication
2. LDAP authentication (if enabled)
3. Scripted authentication (if enabled)

https://docs.splunk.com/Documentation/Splunk/4.2.5/Admin/SetupuserauthenticationwithLDAP#Configure_L...

0 Karma

jchensor
Communicator

Yeah, the local user takes precedence. So if there is a local user by the name of "jchen" and "jchen" is also a user in LDAP, you would use the password for the local jchen first.

The convenient thing, however, is that I was advised to modify the "passwd" file found in "$SPLUNK_HOME/etc". That's where the local users are stored and you can do something like rename the line with "jchen" on it to "james_chen" and restart Splunk.

jchensor
Communicator

Then, you leave that account alone, but have renamed it essentially. Best part is that if you created saved searches and such with the local "jchen", they now become associated with the LDAP "jchen"! And anytime you have to turn LDAP off for whatever reason, you can re-edit that "passwd" file back from "james_chen" to "jchen".
It's a weird workaround, not one I'd recommend unless absolutely necessary. But it works.
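
The rename workaround described in the posts above, as an added example that is not part of the original thread or Splunk's own tooling: it lists LDAP usernames shadowed by a same-named local account and renames only the username field, working on text so nothing is written to disk. The passwd field layout, the case-insensitive comparison, the function names and all sample data are assumptions.

```python
# Added example: audit and rename local Splunk accounts that shadow LDAP users.
# ASSUMPTION: each line of $SPLUNK_HOME/etc/passwd is colon-delimited with a
# leading colon, so the username is field 1 (":jchen:<hash>::...").
USER_FIELD = 1

# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = (
    ":admin:$6$constructedhash1::Administrator:admin:admin@example.test::\n"
    ":jchen:$6$constructedhash2::James Chen:user:jchen@example.test::\n"
    ":jchenson:$6$constructedhash3::J Chenson:user:jchenson@example.test::\n"
)
SAMPLE_LDAP_USERS = ["jchen", "rtadams", "JChenson"]

def local_users(passwd_text):
    """Return the usernames stored in the local passwd text."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) > USER_FIELD and fields[USER_FIELD]:
            users.append(fields[USER_FIELD])
    return users

def shadowed_ldap_users(passwd_text, ldap_users):
    """LDAP names that a same-named local account would take precedence over."""
    local = {u.lower() for u in local_users(passwd_text)}  # assumed case-insensitive
    return sorted((u for u in ldap_users if u.lower() in local), key=str.lower)

def rename_local_user(passwd_text, old, new, ldap_users=()):
    """Return passwd text with only the username field of `old` changed to `new`."""
    taken = {u.lower() for u in local_users(passwd_text)} | {u.lower() for u in ldap_users}
    if new.lower() in taken:
        raise ValueError(f"{new!r} would collide with an existing account")
    out, renamed = [], False
    for line in passwd_text.splitlines(keepends=True):
        fields = line.split(":")
        if len(fields) > USER_FIELD and fields[USER_FIELD] == old:
            fields[USER_FIELD] = new  # hash, real-name and email fields stay untouched
            renamed = True
        out.append(":".join(fields))
    if not renamed:
        raise KeyError(f"no local user named {old!r}")
    return "".join(out)

if __name__ == "__main__":
    print(shadowed_ldap_users(SAMPLE_PASSWD, SAMPLE_LDAP_USERS))
    print(rename_local_user(SAMPLE_PASSWD, "jchen", "james_chen", SAMPLE_LDAP_USERS), end="")
```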

rtadams89
Contributor

Have you tested this? If Splunk is configured for LDAP, users should attempt to authenticate to LDAP first.

0 Karma