Splunk Enterprise is a good fit for anyone who has legal or compliance reasons for an on-premises deployment. It is also useful for developers who want a local instance they can test against, and break, without affecting anyone else. One of the keys to an easy-to-maintain environment is getting authentication and authorization right. In my case, the vast majority of users belong to a shared Active Directory (AD) domain.
Splunk Enterprise does offer its own user store. The reason to manage users through AD instead is that access changes (people leaving or joining teams, or the company) then happen in one place, which is much simpler, particularly if other systems already use AD as their point of reference.
Many sites describe configuring Splunk Enterprise for AD authentication and authorization, but I haven't found any that go into enough detail to make it simple. I've attempted to do that below.
LDAP Configuration for User Roles
- Click Settings
- Under USERS AND AUTHENTICATION, click Access controls
- Click Authentication method
- Under External, select LDAP
- Click LDAP Settings
- Pro Tip: point the Group base DN at an OU that contains only the groups you intend to map, not at the domain root. Splunk enumerates every group under that DN when you map groups, so a root base DN lists every group in the domain.
- Set the User base DN to the root of the domain; the search covers the whole subtree, so users in any OU can log in.
- To map groups
- Under Actions, click Map Groups
- You can click any group found under the Group base DN you provided
- Then select the Splunk roles that the given AD group will have
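The same setup expressed as the authentication.conf stanzas that the Settings pages write, as an added example that is not part of the original post and not an official Splunk sample. The host name, bind account, DNs and group names are hypothetical placeholders; the setting names are Splunk's own. It goes in $SPLUNK_HOME/etc/system/local/authentication.conf (or an app's local directory) and takes effect after a restart.

```ini
# $SPLUNK_HOME/etc/system/local/authentication.conf
# Added example of the LDAP strategy and role map configured through the UI steps above.
# Host, bind account, DNs and group names are hypothetical; replace them with your own.

[authentication]
authType = LDAP
# One or more strategy names, comma-separated; each must match a stanza below.
authSettings = corp_ad

[corp_ad]
# Use LDAPS so neither the bind password nor user passwords cross the network in clear text.
host = dc01.corp.example.com
port = 636
SSLEnabled = 1

# A plain read-only domain account is enough: Splunk only searches and binds, it never writes.
bindDN = CN=svc-splunk-ldap,OU=Service Accounts,DC=corp,DC=example,DC=com
# Clear text here until Splunk rewrites it encrypted on the next restart, so keep the
# file permissions tight and do not commit this file to source control.
bindDNpassword = changeme

# User base DN at the domain root: the search is subtree, so users in any OU are found.
userBaseDN = DC=corp,DC=example,DC=com
# In AD, computer objects are also objectClass=user; objectCategory=person excludes them.
userBaseFilter = (&(objectClass=user)(objectCategory=person))
# sAMAccountName is the AD login name; the other two only feed the Splunk UI.
userNameAttribute = sAMAccountName
realNameAttribute = displayName
emailAttribute = mail

# Group base DN at an OU holding only the groups you intend to map. Splunk enumerates
# every group under this DN, so the domain root would list every group in the domain.
groupBaseDN = OU=Splunk Groups,DC=corp,DC=example,DC=com
groupBaseFilter = (objectClass=group)
# AD groups list members by DN in the "member" attribute; "cn" is the name used in the role map.
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
# Nested group resolution is off by default; enable only if you rely on group nesting.
nestedGroups = 0

# Role map for the strategy above: <Splunk role> = <AD group name>[;<AD group name>...]
# Map dedicated groups rather than broad ones such as Domain Users or Domain Admins.
[roleMap_corp_ad]
admin = Splunk Admins
power = Splunk Power Users
user = Splunk Users;Splunk Read Only
```

Once the file is in place, Settings > Access controls > Authentication method shows the strategy and the Map Groups page lists exactly the groups under the Group base DN, which is the quickest check that the base DNs and filters are right.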