Security

How can I set up LDAP for all my Splunk servers at one time?

cajunitalian
Engager

How can I set up LDAP for all my Splunk servers at one time? Am I going to have to set this up individually on each server or do they sync this config?

SierraX
Communicator

I would handle it with an Orchestration Tool like:

- Puppet
- Chef
- Ansible
- CFEngine

0 Karma

lguinn2
Legend

I like the comment from @jeremiahc4 overall.

Also, remember that only the search heads need to have LDAP authentication set up, because those are the only servers where users should be allowed to log in.

Users should not be logging into the indexers and so user credentials are not needed on these machines. I generally turn off the GUI on indexers. In an indexer cluster, I definitely turn off the GUI on the indexer peers - even Splunk admins should not be routinely logging in on indexer peers.

SierraX
Communicator

Login is only possible when an LDAP/AD group is mapped to a Splunk role.
e.g.
In AD are two Groups:
splunk_user
splunk_admin

On SH
splunk_user is mapped to role user
splunk_admin is mapped to role admin

On Indexer/HFw etc
splunk_admin is mapped to role admin

On SH - Users can login... on the others not.

0 Karma

jeremiahc4
Builder

Are you using a Deployment Server, Cluster Master (for index cluster), or Deployer (for search head cluster)?

If so, you can set it up as an app there and distribute it from one of those. The method will vary depending on which one you use.

For instance on our search head cluster, we have an app called org_all_authentication in the etc/shcluster/apps on the Cluster Master server. Inside that file we have an authentication.conf which sets up the LDAP binding and maps the LDAP groups to the Splunk roles.

This app is then applied to the cluster and now we have LDAP authentication.

0 Karma
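The per-tier role mapping described in this thread can be checked before an authentication app is distributed. The following is an added example, not code from any poster or from Splunk: it parses an app's authentication.conf and reports LDAP groups mapped on a tier where they should not be able to log in. The strategy name `corp_ldap`, the host and the DNs are constructed placeholders; the group names are the ones used in the thread.

```python
import configparser

# Constructed sample for a search head app (hypothetical strategy name, host and DNs).
# The bind password is left out; it does not belong in a file kept in version control.
SEARCH_HEAD_CONF = """
[authentication]
authType = LDAP
authSettings = corp_ldap

[corp_ldap]
host = ldap.example.com
port = 636
SSLEnabled = 1
bindDN = CN=svc_splunk,OU=Service,DC=example,DC=com
userBaseDN = OU=Users,DC=example,DC=com
groupBaseDN = OU=Groups,DC=example,DC=com

[roleMap_corp_ldap]
admin = splunk_admin
user = splunk_user
"""
# Indexer / heavy forwarder variant: same bind settings, only the admin group mapped.
INDEXER_CONF = SEARCH_HEAD_CONF.replace("user = splunk_user\n", "")


def role_map(conf_text):
    """Return {splunk_role: set(ldap_groups)} for the active LDAP strategies."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep setting names as written instead of lowercasing them
    cp.read_string(conf_text)
    if cp.get("authentication", "authType", fallback="") != "LDAP":
        return {}
    mapping = {}
    for strategy in cp["authentication"]["authSettings"].split(","):
        section = "roleMap_" + strategy.strip()
        if cp.has_section(section):
            for role, groups in cp.items(section):  # groups are ';'-separated
                mapping.setdefault(role, set()).update(
                    g.strip() for g in groups.split(";") if g.strip())
    return mapping


def audit(tier, conf_text, allowed):
    """List findings: groups mapped on this tier that are not in the allowed set."""
    findings = []
    for role, groups in sorted(role_map(conf_text).items()):
        for group in sorted(groups - allowed):
            findings.append(f"{tier}: group {group!r} mapped to role {role!r}")
    return findings
```

Calling `audit("indexer", conf_text, {"splunk_admin"})` on each non-search-head app returns an empty list when only the admin group is mapped there.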