Binding Splunk Authentication to AD over LDAPs - cfloquetprojects/homelab GitHub Wiki

Introduction:

  • Large organizations strive to adopt a centralized authentication system (usually Active Directory (AD)) to improve access control and logging and to cut down on password fatigue.
  • While Splunk offers a plethora of authentication options, this guide strictly covers the integration of Splunk Enterprise authentication with Microsoft AD over LDAPS.
  • This will involve the use of TLS certificates from both our Root and Subordinate certificate authorities; their configuration and deployment has been covered in previous guides and will not be included in today's lab.

Resources:

Pre-Flight Check:

Splunk Authentication Overview:

  • Splunk has several options for authentication; the one we will be configuring today is Lightweight Directory Access Protocol (LDAP), which ties into our existing AD identity structure for easier, more centralized management of credentialed access.
  • The LDAP configuration for Splunk is stored in two separate files, authentication.conf and authorize.conf, which can be deployed via an app or saved in the $SPLUNK_HOME/etc/system/local folder of each Splunk Enterprise instance.

    💡 For larger deployments, it makes sense to push these changes to a fleet of indexers, heavy forwarders, or even search heads by storing the configs in an app that is distributed from your deployment server. That approach will not be covered in today's lab.

  • authentication.conf:
    • This file stores the LDAP configuration (user bind information, target LDAP server, port, etc.).
  • authorize.conf:
    • This file defines the roles within the Splunk Enterprise server and how they map to LDAP (AD) users and groups that usually already exist.
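The two files described above, as an added example that is not part of the original wiki page or the homelab project. The domain (lab.local), domain controller hostname, service account, OU paths, group names and index names are constructed placeholders; the setting names are Splunk's, but confirm them against the authentication.conf.spec and authorize.conf.spec shipped with your Splunk version. Splunk .conf files only accept comments on their own lines, never after a value.

```ini
# $SPLUNK_HOME/etc/system/local/authentication.conf  (constructed example)
[authentication]
authType = LDAP
authSettings = lab_ad

[lab_ad]
# LDAPS on 636 with SSLEnabled = 1; never fall back to cleartext 389.
host = dc01.lab.local
port = 636
SSLEnabled = 1
# Verify the DC's certificate against the CA chain trusted in server.conf.
sslVerifyServerCert = true
# Bind with a low-privilege, read-only service account, not a Domain Admin.
# Splunk obfuscates bindDNpassword in place on the next restart.
bindDN = CN=svc-splunk-ldap,OU=Service Accounts,DC=lab,DC=local
bindDNpassword = <PLACEHOLDER-BIND-PASSWORD>
userBaseDN = OU=Users,DC=lab,DC=local
userBaseFilter = (objectClass=user)
userNameAttribute = sAMAccountName
realNameAttribute = displayName
emailAttribute = mail
groupBaseDN = OU=Groups,DC=lab,DC=local
groupBaseFilter = (objectClass=group)
groupMappingAttribute = dn
groupMemberAttribute = member
groupNameAttribute = cn
nestedGroups = 1

# AD group (matched on groupNameAttribute, here cn) -> Splunk role.
# Only groups listed here grant access; all other AD users are denied.
[roleMap_lab_ad]
admin = Splunk-Admins
soc_analyst = Splunk-SOC-Analysts
user = Splunk-Users

# $SPLUNK_HOME/etc/system/local/server.conf  (constructed example)
# CA bundle containing the Root and Subordinate CA certificates that signed
# the domain controller's LDAPS certificate.
[sslConfig]
sslRootCAPath = $SPLUNK_HOME/etc/auth/lab-ca-chain.pem

# $SPLUNK_HOME/etc/system/local/authorize.conf  (constructed example)
# A least-privilege custom role referenced by roleMap_lab_ad above;
# the built-in admin/power/user roles need no definition here.
[role_soc_analyst]
importRoles = user
srchIndexesAllowed = wineventlog;sysmon
srchIndexesDefault = wineventlog
srchJobsQuota = 10
```

After restarting Splunk, confirm the bind succeeded and the group lookup returned the expected members in $SPLUNK_HOME/var/log/splunk/splunkd.log before removing any local fallback admin account.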