
Can we have Splunk LDAP integration working in LDAP HA setup?

newbie2tech
Communicator

Hi All,

We have a primary and a secondary LDAP server that we need to configure with our Splunk instance. If the primary LDAP server goes down, we need Splunk to reference and use the secondary backup LDAP instance, in a sort of HA type situation.

Can a single LDAP Strategy in Splunk's authentication support multiple LDAP servers (or config stanzas) in this type of HA scenario?

Also, what happens if I have, say, 3 LDAP strategies as below and the LDAP1 server is down: will Splunk authentication go down to LDAP2 and LDAP3 to do authentication, or does it just give up at LDAP1?
LDAP1 - Priority 1
LDAP2 - Priority 2
LDAP3 - Priority 3

Did not find any recent concrete answer on this topic (could see 4 to 5 year old threads; things would have changed since then), hence submitting a new question.

Thank you in Advance!!

0 Karma

pavanbmishra
Path Finder

Yup, putting comma-separated entries must work.

0 Karma

codebuilder
SplunkTrust

Yes, you can handle this scenario directly in Splunk.
In order to configure multiple LDAP servers, you would define them in authentication.conf.
Under the [authentication] stanza, set the authSettings parameter to a comma separated list of your LDAP servers. The order in which they appear is the order of query precedence.

Also worth noting, Splunk will consider a user authenticated upon the first successful LDAP auth. Meaning, if the user successfully authenticates against LDAP server one, then LDAP server two will never be queried. This can be potentially problematic if you have users/groups configured differently on different LDAP servers.

Further documentation: https://docs.splunk.com/Documentation/Splunk/7.2.6/Admin/Authenticationconf

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
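
An added example, not part of the original posts and not Splunk's own tooling: a small Python check that reads an authentication.conf, lists the strategies in the order `authSettings` names them, and flags role mappings that differ between strategies, which is the situation the answer above warns about. It assumes each LDAP server is defined as its own strategy stanza with a matching `roleMap_<strategy>` stanza; the stanza names, hosts and group names are constructed placeholders.

```python
import configparser
# Constructed sample authentication.conf; hosts and group names are placeholders.
SAMPLE_CONF = """
[authentication]
authType = LDAP
authSettings = ldap_primary,ldap_secondary

[ldap_primary]
host = ldap1.example.com
SSLEnabled = 1

[ldap_secondary]
host = ldap2.example.com
SSLEnabled = 1

[roleMap_ldap_primary]
admin = splunk-admins

[roleMap_ldap_secondary]
admin = splunk-admins;helpdesk
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written instead of lowercasing
    cp.read_string(text)
    return cp

def strategy_order(cp):
    """Strategy names in authSettings order, i.e. the order they are queried."""
    raw = cp["authentication"]["authSettings"]
    return [s.strip() for s in raw.split(",") if s.strip()]

def role_map(cp, strategy):
    """Role -> set of LDAP groups from [roleMap_<strategy>]; empty if absent."""
    sec = f"roleMap_{strategy}"
    items = cp[sec].items() if cp.has_section(sec) else []
    return {r: frozenset(g.strip() for g in v.split(";") if g.strip()) for r, v in items}

def audit(cp):
    """Report missing stanzas and role mappings that differ from the first strategy."""
    order = strategy_order(cp)
    out = [f"{s}: no [{s}] stanza" for s in order if not cp.has_section(s)]
    base = role_map(cp, order[0])
    for s in order[1:]:
        other = role_map(cp, s)
        for r in sorted(set(base) | set(other)):
            if base.get(r) != other.get(r):
                out.append(f"{s}: role '{r}' maps to different groups than {order[0]}")
    return out
```

On the sample, `audit(load(SAMPLE_CONF))` reports that `ldap_secondary` grants `admin` to an extra group, so the same user could end up with different roles depending on which server answers first.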

newbie2tech
Communicator

Thank You Codebuilder...will try this configuration and report back if it worked. Wanted to check if you had used/tried out this option?

Also, any idea on my question related to multiple LDAP strategies: what happens when LDAP1 is down, Splunk will go to LDAP2, right?

0 Karma

codebuilder
SplunkTrust

Glad to help. Yes I have used it successfully.

And yes to your scenario. If LDAP1 is down, then LDAP2 is tried next, assuming it is next in your comma separated list. The order of appearance is the order of precedence.

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma

harsmarvania57
SplunkTrust

For multiple LDAP strategies, have a look at the doc https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/ConfigureSplunkwithmultipleLDAPservers , they have explained the scenario for multiple LDAP strategies, but I will strongly advise you to test this in your test environment before you move to production.

0 Karma

newbie2tech
Communicator

Thanks @harsmarvania57 , I had looked at this, my question was more on multiple LDAP servers within a single strategy. Yes, we plan to test out in lower environments before implementing anything in prod.

0 Karma

MuS
SplunkTrust

My 2cents on this:
try and solve this outside of Splunk by using a load balancer in front of the LDAP servers or use DNS CNAMES, add both servers to it, and use the CNAME as server name in Splunk.
Makes life in case of any troubles much easier to troubleshoot, and you can rely on trusted working techniques to provide HA failover 😉

cheers, MuS

0 Karma

newbie2tech
Communicator

Thanks MuS for pointers on this... I presume adding both servers to DNS CNAMES should happen on the LDAP end, right? Then we would still use the same CNAME on the Splunk side... not sure if it impacts any of their existing applications which connect to LDAP for authentication.

0 Karma