Hi folks.
I have a Splunk setup to authenticate by LDAP, and this works reasonably well. Sometimes auth stops working for no apparent reason, and that's when this question becomes interesting.
I can't get the "failsafe" user in LDAP conf to work. Dos this function as intended for anyone? If so, how do i make it work? Currently any attempt to log on as the user listed as failsafe user in the LDAP config just returns the normal authentication failed message.
Any suggestions?
If you recently migrated to version 4.1.x, your failsafe user (as configured in authentication.conf) is disabled. The new failsafe user is "admin" and is accessible from the UI:
Manager >> Access Controls >> Users
The default password is "changeme" and can be changed from the UI as well.
Please detail the version of Splunk you are using, as 4.0 differs from 4.1.
You should check the splunkd.log for why the LDAP authentication fails. If all of the LDAP auth fails, then there is likely a problem with your connectivity to the system. You should ensure that you are not using an alias for the LDAP host and that your LDAP server is not returning referrals.
Additionally, if you manually copied the authentication configuration from another machine then you will need to re-enter the passwords so they are encrypted with the correct key.
Another possible condition is that your failsafe username exists in your LDAP system, thus causing a conflict. You should make sure the failsafe username is unique.
Which version of Splunk are you using? I am currently on 4.1.2 and you can have both local and ldap users in the Splunk system.