Configuring LDAP authentication in Splunk

Managing users and their access to the logs Splunk collects is a very important aspect of access control: it prevents unauthorized access to sensitive data and logs. You can add users to Splunk using the three methods listed below. The most commonly used approach is LDAP, commonly called AD authentication. As in any enterprise, Active Directory is used for user management, so the existing AD configuration can be used to add, manage and update users in Splunk. Below is the step-by-step AD authentication configuration in Splunk.
Authentication methods supported by Splunk:
1. Splunk built-in authentication
2. LDAP authentication (if enabled)
3. Scripted authentication (if enabled)
Splunk AD authentication configuration:
Before adding AD authentication to Splunk, the following should already be set up.
Prerequisites for AD authentication:
1. An Active Directory domain is set up.
2. DNS records are created for ldap.example.com.
3. There is an Enterprise CA in Active Directory, and all domain controllers have certificates.
Step-by-step configuration:
1. Log on to Splunk, select the Manager link in the upper right, and then click on authentication method.
2. Click on the radio button in front of LDAP and then click “Configure Splunk to work with LDAP”.
3. You will now get the main LDAP strategy configuration settings page. The following are the main AD items that you need to enter here –
a. LDAP connection settings – Splunk talks to AD based on these connection settings.
LDAP strategy name: just a name.
You can have multiple LDAP strategies, such as (i) strategy one for read-only access through an AD group mapped to Splunk roles (user and power user), and (ii) strategy two for full access through another AD group mapped to other Splunk roles (admin, splunk-system-role) or similar.
Default Splunk roles are – admin, can_delete, power, splunk-system-role, user.
Port number: 389 (this is the AD LDAP default)
Connection order: default
Bind DN: cn=AcctName Splunk,ou=yourSvcAcctOU,dc=yourDCName,dc=yourDCExtension
This is the distinguished name of the Splunk account that you created in AD. It is recommended that you not use the default AD administrator account or your own AD login here. Create a dedicated account for Splunk; no AD administrative privilege is required on this account.
Bind DN Password: enter the password of the AD Splunk account
b. User settings – Splunk will look for users in AD based on these settings.
User base DN: dc=yourDCName,dc=yourDCextension
User base filter: leave this blank, or enter a specific AD search filter here
User name attribute: samaccountname
Real name attribute: displayname
Group mapping attribute: dn
c. Group settings – Splunk will look for AD groups based on these settings.
Group base DN: cn=Group_Splunk_Access_Admins,ou=yourGroupOUName,dc=yourDCName,dc=DCextension
This is the AD group that has been created to grant access in Splunk.
Static member attribute: member
d. Dynamic group settings – optional
e. Advanced settings – the defaults are OK; however, you can increase the search request size limit.
4. Click on “Save”. If the entered parameters are not correct, you won’t be able to save.
5. You should now be able to see your LDAP strategy. Make sure it is enabled.
6. To see your AD group in Splunk, click on “Map groups”.
To map Splunk role(s) to an AD group, click on “Map groups > AD Group Name > available and selected roles”.
- You should also be able to see AD users at “Settings > Access controls > Users”. Make sure the AD users are members of the Splunk group that has been created in AD.
- That’s all. Your AD authentication is now ready, and users from AD whose group is mapped in Splunk can log in to Splunk.
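The strategy saved through the UI is stored in authentication.conf. The following is an added example, not code from the original page or from Splunk: it reads a constructed copy of that file built from the values above and reports a bind that is not protected by SSL, a bind DN that is the built-in Administrator, and which AD groups receive the admin role. The strategy name `corp_ad`, the host value and the function name `audit_ldap_strategies` are assumptions.

```python
import configparser

# Constructed authentication.conf mirroring the UI values above; the strategy
# name "corp_ad" and the host value are assumptions made for this example.
SAMPLE_CONF = """
[authentication]
authType = LDAP
authSettings = corp_ad

[corp_ad]
host = ldap.example.com
port = 389
SSLEnabled = 0
bindDN = cn=AcctName Splunk,ou=yourSvcAcctOU,dc=yourDCName,dc=yourDCExtension
userBaseDN = dc=yourDCName,dc=yourDCextension
userNameAttribute = samaccountname
groupBaseDN = cn=Group_Splunk_Access_Admins,ou=yourGroupOUName,dc=yourDCName,dc=DCextension
groupMemberAttribute = member

[roleMap_corp_ad]
admin = Group_Splunk_Access_Admins
"""

def audit_ldap_strategies(conf_text):
    """Return (strategy, finding) pairs for each strategy named in authSettings."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case: Splunk uses bindDN, SSLEnabled, ...
    cp.read_string(conf_text)
    findings = []
    listed = cp.get("authentication", "authSettings", fallback="")
    for name in [n.strip() for n in listed.split(",") if n.strip()]:
        if not cp.has_section(name):
            findings.append((name, "listed in authSettings but has no stanza"))
            continue
        s = cp[name]
        if s.get("SSLEnabled", "0").strip().lower() not in ("1", "true"):
            findings.append((name, "SSLEnabled off: bind password sent in cleartext"))
        if s.get("bindDN", "").split(",")[0].strip().lower() == "cn=administrator":
            findings.append((name, "bindDN is the built-in Administrator account"))
        role_map = cp[f"roleMap_{name}"] if cp.has_section(f"roleMap_{name}") else {}
        if not role_map:
            findings.append((name, "no roleMap stanza: AD groups map to no Splunk role"))
        findings += [(name, f"admin role granted to AD group {g.strip()}")
                     for g in role_map.get("admin", "").split(";") if g.strip()]
    return findings

if __name__ == "__main__":
    for strategy, finding in audit_ldap_strategies(SAMPLE_CONF):
        print(f"[{strategy}] {finding}")
```

With the Enterprise CA and domain controller certificates from the prerequisites in place, setting `SSLEnabled = 1` and the LDAPS port 636 clears the first finding.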