• How Splunk Works
  • Overview of Splunk
    • Configuration options
    • Installation and upgrade
    • Data sources
    • Indexing
    • Fields
    • Search
    • Security
    • Data management
    • Deployment server
    • Performance tuning
    • Configuration files
    • Applications
    • Customization
    • Troubleshooting
• Getting Started
  • Start Splunk
    • Before you start
    • Start Splunk on non-Windows platforms
    • Start Splunk on Windows
    • Load Splunk Web in your browser
  • Administration basics
    • Add Splunk to your shell path
    • Splunk's CLI
    • Start/stop Splunk, check status
    • Help
  • Change defaults
    • Changing the admin default password
    • Changing network ports
    • Changing the default Splunk server name
    • Changing the datastore location
    • Set minimum free disk space
  • Find and index data
    • Add Data
    • Monitor a file
    • Crawl for inputs
  • Add more users
    • Splunk local users
    • Examples
  • Start searching
• Data Inputs
  • How input configuration works
    • Data input methods
    • Sources
    • Windows data sources
    • Crawl
    • Data processing
  • Files and directories
    • Splunk Web
    • CLI
    • Inputs.conf
  • Network ports
    • Splunk Web
    • CLI
    • inputs.conf
  • FIFO
    • Splunk Web
    • CLI
    • inputs.conf
  • Scripted inputs
    • Configuration
    • Example
  • Whitelist and blacklist rules
    • Whitelist (allow) files
    • Blacklist (ignore) files
    • Verify your lists
  • Crawl
    • Configuration
    • Example
  • Windows inputs
    • Configure indexing for Windows event logs
    • Configure Windows registry monitoring input
  • Windows Management Interface (WMI) input
    • Security and remote access considerations
    • Configure WMI input
    • Fields for WMI data
  • Windows registry input
    • How it works
    • Get a baseline snapshot
    • What to consider
    • Configure Windows registry input
• Data Distribution
  • How data distribution works
    • Forwarding
    • Routing
    • Cloning
    • Data balancing
    • Target groups
    • Security
    • Send to 3rd party systems
    • Distributed search
    • Configuration files for data distribution
  • Enable forwarding and receiving
    • Receiving
    • Forwarding
    • Lightweight forwarding
  • Configure target groups in outputs.conf
    • Configuration
    • Example
  • Set up routing
    • Configuration
    • Basic example
    • Advanced example
  • Route specific events to different queues
    • Configuration
    • Example: Send matching events to nullQueue
    • Example: Send matching events to indexQueue, everything else to nullQueue
  • Route specific events to an alternate index
    • Configuration
    • Example
  • Set up SSL
    • Forwarder
    • Receiver
  • Enable cloning
  • Set up data balancing
    • Configuration
    • Example
  • Route data to third-party systems
    • Configuration
    • Example
• Indexing
  • How indexing works
    • How events work
    • How segmentation works
  • Index multi-line events
    • Configuration
    • Examples
  • Configure segmentation
    • Splunk Web segmentation
  • Configure custom segmentation for a host, source, or source type
    • via props.conf
    • Example
  • Mask sensitive data in an event
    • Configuration
  • Configure character set encoding
    • Supported character sets
    • Manually specify a character set
    • Automatically specify a character set
    • If Splunk doesn't recognize a character set
  • Dynamic metadata assignment
    • Configuration
    • Set values with a script
• Timestamps
  • How Splunk extracts timestamps
    • Precedence rules for timestamp assignment
    • Configure timestamps
  • Configure timestamp extraction
    • Configure timestamp extraction in props.conf
    • Enhanced strptime() support
    • Examples
  • Apply timezone offsets
    • Configure timezone offsets in props.conf
    • zoneinfo (TZ) database
    • Configure timezone offsets for Splunk versions before 3.2
  • Recognize European date format
    • Configure European date format in literals.conf
    • Use the timeformat modifier
  • Configure positional timestamp extraction
    • Configure positional timestamp extraction in props.conf
  • Tune timestamp extraction for better indexing performance
    • Adjust timestamp lookahead
    • Turn off the timestamp processor
  • Train Splunk to recognize a timestamp
    • Steps to configure timestamps with train dates
    • Run the train dates command
    • Create a custom datetime.xml
    • Edit your local props.conf
• Fields
  • How fields work
    • Indexed vs. extracted fields
    • Configure fields
    • Disable automatically extracted fields
    • Configuration files for fields
  • Create indexed fields via configuration files
    • Configuration
    • Example
  • Create extracted fields via configuration files
    • Configuration
    • Example
    • Extract fields from multi-line events
  • Create extracted fields via Splunk Web
  • Field actions
    • Configuration
    • Example
  • Configure fields.conf
    • Configuration
  • Configure multi-value fields
    • Configure multi-value fields via fields.conf
    • Example
  • Configure tags
    • Configure tags via tags.conf
    • Examples
  • Automatic header-based field extraction
    • How automatic header-based field extraction works
    • Configure automatic header-based field extraction
    • Note about search and header-based field extraction
    • Examples
• Hosts
  • How host works
    • How host is assigned
    • Host tagging
    • Configuration files for host
  • Set default host for a Splunk server
    • via Splunk Web
    • via configuration files
  • Define host assignment for an input
    • Statically
    • Dynamically
  • Tag hosts
    • via Splunk Web
    • Host tags vs host names
  • Extract host per event
    • Configuration
    • Example
• Source Types
  • How source types work
    • Source vs source type
    • How Splunk can set sourcetype field values
    • How Splunk applies source type values (precedence)
    • Configuration files for source types
  • Rule-based association of source types
    • Configuration
    • Examples
  • Set source type for an input
    • via Splunk Web
    • via configuration files
  • Set source type for a source
    • via configuration files
  • Train Splunk to recognize a source type
    • via the CLI
  • Source type settings in props.conf
  • Configure a source type alias
• Event Types
  • How event types work
    • Events versus event types
    • Event type classification
    • Event type discovery
    • Create new event types
    • Event type tags
    • Configuration files for event types
  • Save event types via Splunk Web
    • Configuration
  • Configure eventtypes.conf
    • Configuration
    • Example
    • Disable event types
  • Tag event types
    • Configuration
  • Event type discovery
    • Configure event types
  • Event type templates
    • Configuration
    • Example
  • Dynamic event rendering
    • How dynamic event rendering works
    • Configure dynamic event rendering
    • Example
• Transaction Types
  • How transaction types work
    • Define transactions
    • Sample use cases
  • Transaction types via configuration files
    • Configuration
    • Example
  • Transaction search
    • Transactions and macro search
• Search
  • How search works
    • Saved searches
    • Alerting
    • Live tail
    • Summary indexing
  • Set up saved searches
    • via Splunk Web
  • Set up saved searches via savedsearches.conf
    • Configuration
    • Example
  • Set up alerts via Splunk Web
    • Set up an alert
    • Specify which fields to show
  • Set up alerts via savedsearches.conf
    • alerting options
    • display options
    • Script options
    • Example
  • Customize alert options
    • Configuration
    • Example
  • Create a form search
    • Form searches with fields
    • Form searches with predefined values
    • Share your form search
  • Macro searches
    • Configure a macro search
  • Configure summary indexing
    • Summary indexing and license volume
    • Manually configure summary indexing
  • Live tail
    • Use live tail in Splunk Web
    • The live tail interface
    • Start live tail from the Splunk CLI
    • Current limitations
  • Send syslog events
    • Configuration
    • Example
  • Send SNMP traps
    • Configuration
    • Configure your alert to call a shell script
• Distributed Search
  • How distributed search works
    • Known issues with distributed search
  • Enable distributed search via Splunk Web
  • Enable distributed search via the CLI
    • Configuration
  • Configure distributed search via distsearch.conf
    • Configuration
    • Example
  • Exclude specific Splunk servers from distributed searches
• Security
  • Security options
    • Authentication
    • Audit
  • Enable HTTPS
    • Configuration
    • Certificates
  • SSL
    • Configuration
  • Configure roles
    • Configuration
    • Example
  • Set up LDAP
    • Configure LDAP
    • Example
    • Convert saved searches to LDAP
    • Known issues with LDAP
  • Scripted authentication
    • Known issues with scripted authentication
    • Configuration
    • Script commands
  • File system change monitor
    • How the file system change monitor works
    • Configure the file system change monitor
  • Audit events
    • Audit event composition
    • Audit event generation
    • Audit event storage
    • Audit event processing
    • Search for audit events
  • Audit event signing
    • How audit event signing works
    • Configure audit event signing
  • Event hashing
    • How event hashing works
    • Event hashing in search results
    • Configure custom decorations for Splunk Web
    • Configure event hashing
    • Configure filtering
  • IT data signing
    • How IT data signatures work
    • Configure IT data signing
    • View the integrity of IT data
    • Performance implications
  • Archive signing
    • How archive signing works
    • Verify archived data signatures
    • Configure coldToFrozen scripts
    • Sign or verify your data slices
• Data Management
  • Splunk data management
    • Index management
    • Configuration files for index management
  • Create an index
    • via Splunk Web
    • via Splunk's CLI
    • via indexes.conf
    • Delete an index
  • Remove (delete) data
    • Remove event data from an index
    • Remove global data
    • Remove user data
    • Remove all data
    • Remove events from search results
  • Export event data
    • via the CLI
    • via Splunk Web
  • Move an index
    • Configuration
  • Set a retirement and archiving policy
    • Remove files beyond a certain size
    • Remove files beyond a certain age
  • Automate archiving
    • Use Splunk's index aging policy to archive
  • Restore archived data
    • Restore with resurrect
    • Restore a copied index archive
  • Back up your data
    • Back up your Splunk configurations only
    • Back up your indexed data
  • Disk usage
    • Set minimum free disk space
    • Set database size
  • Use separate partitions for Splunk's datastore
    • Set up separate partitions
  • Use WORM (Write Once Read Many) volumes for Splunk's datastore
    • Configuration
• Deployment Server
  • How the deployment server works
    • Communication between deployment server and client
    • Configuration files for deployment server
  • Configure a Splunk Deployment Server
    • Configuration
    • Example
  • Configure server classes
    • Configuration
    • Example
  • Configure deployment clients
    • Enable/disable clients via the CLI
    • Enable clients via deployment.conf
    • Example
  • Sync the server and client
    • Configuration changes
• Performance Tuning
  • Performance tuning Splunk
    • Hardware considerations
    • Increase indexing performance
    • Increase search speed
    • Improve storage efficiency
    • Reduce the CPU and memory footprint
    • Utilize multiple CPUs or cores
    • 64-bit operating systems
  • Indexing performance
    • Negative impact on indexing performance
    • Processors
    • indexes.conf
    • props.conf
    • segmenters.conf
  • Search performance
    • Configure system memory access
    • Configure indexing properties
    • Configure Splunk Web settings
    • Configure indexed fields
    • Configure Splunk Web
  • Storage efficiency
    • Reduce index density
    • Tuning inputs.conf
    • Tuning props.conf
    • Tuning segmenters.conf
  • CPU and memory footprint
    • Improve CPU usage
    • Improve memory usage
  • Multi-CPU servers
    • indexes.conf
  • 64-bit operating systems
    • indexes.conf
• Configuration Files
  • How do configuration files work?
    • Configuration file directory structure
    • Configuration file precedence
  • Configure application directories
    • Make an application directory
    • Best practice
  • Configuration file list
• Applications
  • About applications
    • What are applications?
    • Where do they fit into Splunk?
    • Where can you find them?
    • How do you install them?
  • About Splunk's application manager
    • View and manage applications
    • Browse SplunkBase
  • Install Splunk applications
    • via Splunk's App Manager
    • after download from SplunkBase
    • on an isolated network or machine
• Reference
  • Pre-trained source types
    • Automatically recognized source types
    • Pre-trained source types
  • Splunk log files
    • Internal logs
    • debug
    • log.cfg
  • Work with metrics.log
    • Use metrics.log to troubleshoot issues with data inputs
  • Log file rotation
    • How log rotation works
  • Determine what files Splunk is monitoring
    • Run listtails
  • Index SNMP events with Splunk
  • log4j
  • Strip syslog headers before processing
    • Configuration
    • Example
  • Wildcards
    • Search
    • Configuration files
  • alert_actions.conf
    • alert_actions.conf.spec
    • alert_actions.conf.example
  • app.conf
    • app.conf.spec
    • app.conf.example
  • audit.conf
    • audit.conf.spec
    • audit.conf.example
  • authentication.conf
    • authentication.conf.spec
    • authentication.conf.example
  • authorize.conf
    • authorize.conf.spec
    • authorize.conf.example
  • commands.conf
    • commands.conf.spec
    • commands.conf.example
  • crawl.conf
    • crawl.conf.example
    • crawl.conf.spec
  • decorations.conf
    • decorations.conf.spec
    • decorations.conf.example
  • deployment.conf
    • deployment.conf.spec
    • deployment.conf.example
  • distsearch.conf
    • distsearch.conf.spec
    • distsearch.conf.example
  • eventdiscoverer.conf
    • eventdiscoverer.conf.spec
    • eventdiscoverer.conf.example
  • eventtypes.conf
    • eventtypes.conf.spec
    • eventtypes.conf.example
  • field_actions.conf
    • field_actions.conf.spec
    • field_actions.conf.example
  • fields.conf
    • fields.conf.spec
    • fields.conf.example
  • indexes.conf
    • indexes.conf.spec
    • indexes.conf.example
  • inputs.conf
    • inputs.conf.spec
    • inputs.conf.example
  • limits.conf
    • limits.conf.spec
    • limits.conf.example
  • literals.conf
    • literals.conf.example
  • multikv.conf
    • multikv.conf.spec
    • multikv.conf.example
  • outputs.conf
    • outputs.conf.spec
    • outputs.conf.example
  • prefs.conf
    • prefs.conf.spec
    • prefs.conf.example
  • props.conf
    • props.conf.example
    • props.conf.spec
  • props.conf (cont)
    • props.conf.spec, continued
  • regmon-filters.conf
    • regmon-filters.conf.spec
    • regmon-filters.conf.example
  • restmap.conf
    • restmap.conf.example
    • restmap.conf.spec
  • savedsearches.conf
    • savedsearches.conf.example
    • savedsearches.conf.spec
  • segmenters.conf
    • segmenters.conf.example
    • segmenters.conf.spec
  • server.conf
    • server.conf.example
    • server.conf.spec
  • source-classifier.conf
    • source-classifier.conf.example
    • source-classifier.conf.spec
  • sourcetypes.conf
    • sourcetypes.conf.example
    • sourcetypes.conf.spec
  • streams.conf
    • streams.conf.example
    • streams.conf.spec
  • strings.conf
    • strings.conf.example
    • strings.conf.spec
  • sysmon.conf
    • sysmon.conf.example
    • sysmon.conf.spec
  • tags.conf
    • tags.conf.example
    • tags.conf.spec
  • transactiontypes.conf
    • transactiontypes.conf.example
    • transactiontypes.conf.spec
  • transforms.conf
    • transforms.conf.spec
    • transforms.conf.example
  • user-seed.conf
    • user-seed.conf.example
    • user-seed.conf.spec
  • web.conf
    • web.conf.example
    • web.conf.spec
  • wmi.conf
    • wmi.conf.example
    • wmi.conf.spec
• Troubleshooting
  • Contact Support
    • diag
    • Log levels and starting in debug mode
    • Debug Splunk Web
    • Core Files
    • LDAP configurations
  • Splunkd is down
    • Splunkd may need a few more seconds to come up
    • Your license file contains line-breaks or other hidden characters
  • License issues
    • Cannot login
    • metrics.log
    • License violation warning
    • Advanced license troubleshooting
    • I installed my license in a Preview release and now it doesn't work!
  • Anonymize data samples
    • Simple method
    • Advanced method
  • Unable to get a properly formatted response from the server
  • Command line tools
    • cmd
    • btool
    • classify
    • gzdumper
    • listtails
    • locktest
    • locktool
    • parsetest
    • pcregextest
    • regextest
    • searchtest
    • signtool
    • tsidxprobe

Set up LDAP

Splunk supports authentication via its internal authentication services or your existing LDAP server.

Note: You must add a CA when connecting to AD via secure LDAP. Read the section below entitled Import your CA for more information.

Configure LDAP

Configure LDAP through Splunk Web or via authentication.conf.

Determine your User and Group Base DN

Before you map your LDAP settings in Splunk, figure out your user and groupbase DN, or distinguished name. The DN is the location in the directory where authentication information is stored. If all information is contained in each user's entry, then these DNs must be the same. If group membership information for users is kept in a separate entry, enter a separate DN identifying the subtree in the directory where the group information is stored.

Set up LDAP via Splunk Web

First, set LDAP as your authentication strategy:

1. Click the Admin link in the upper right-hand corner.

2. Click the Server tab then select Authentication Configuration.

3. Select LDAP from the Set Authentication method drop-down.

Next, fill in your LDAP settings:

4. Define an LDAP strategy name for your configuration. The name cannot be LDAP and it must not contain spaces.

5. The strategy name is added to the Set Authentication Strategy drop-down once you save your LDAP configurations.

6. Specify the Host name of your LDAP server. Be sure that your Splunk Server can resolve the host name.

7. Specify the Port that Splunk should use to connect to your LDAP server.

• By default LDAP servers listen on TCP port 389.
• LDAPS (LDAP with SSL) defaults to port 636.

8. Turn on SSL by checking SSL enabled.

• Note: You must also have SSL enabled on your LDAP server.

9. Enter the Bind DN

• This is the distinguished name to bind to the LDAP server with.
• This is typically the administrator or manager user.
• This user needs to have access to all LDAP users you wish to add to Splunk.

10. Enter and confirm the Bind DN password for the binding user.

11. Specify the User base DN.

• Splunk uses this attribute to locate user information.
• Note: You must set this attribute or your authentication will not work.

12. Specify the User base filter for the object class you want to filter your users on.

• Default value is objectclass=*, which should work for most configurations.

13. Specify the Group base DN

• Location of the user groups in LDAP.

14. Input the Group base filter.

• This attribute defines the group name.
• Default value is objectclass=*, which should work for most configurations.
• Splunk can also accept a GID as a group base filter.

15. Enter the User name attribute that defines the user name.

• Note: The username attribute cannot contain whitespace. The username is case sensitive.
• In Active Directory, this is sAMAccountName.
• The value uid should work for most configurations.

16. Specify the Real name attribute (also referred to as the common name) of the user.

• The value cn should work for most configurations.

17. Input the Group name attribute.

• Set this only if users and groups are defined in the same tree.
• This is usually cn.

18. Specify the Group member attribute.

• This is usually member or memberOf, depending on whether the memberships are listed in the group entry or the user entry.

19. Enter the Group mapping attribute.

• Specify this value only if your member entries don't contain dn strings. In most cases, however, you can leave this field blank.
• If you enter this field, the value is usually dn.

20. Enter a value for pageSize.

• This determines how many records to return at one time.
• Enter 0 to disable and revert to LDAPv2

21. Specify a Failsafe user name.

• This allows you to authenticate into Splunk in the event that your LDAP server is unreachable.
• Note: This user has admin privileges within Splunk.

22. Enter and confirm a Failsafe password for your failsafe user.

Import your CA

To configure Splunk's LDAP to work with your own CA, follow these steps:

1. Export your root CA cert in Base-64 encoded X.509 format.

2. Add these lines to $SPLUNK_HOME/etc/openldap/ldap.conf:

TLS_CACERT $SPLUNK_HOME/etc/openldap/certs/$YOUR_CERT_NAME
TLS_CACERTDIR $SPLUNK_HOME/etc/openldap/certs

4. Place the exported CA cert at $SPLUNK_HOME/etc/openldap/certs/cert1.cer.

5. Restart Splunk.

6. In Splunk Web, navigate to Admin > Server > Authentication Configuration.

• Click Save at the bottom of the page.

7. You can now map the designated AD groups to the respective roles in Splunk.

Map existing LDAP groups to Splunk roles

Once you have configured Splunk to authenticate via your LDAP server, map your existing LDAP groups to any roles you have created. If you do not use groups, you can map users individually.

Note: You can either map users or map groups but not both. If you are using groups, all the users you wish to have access to Splunk must be members of an appropriate group. Groups inherit capabilities from the highest level role they're a member of.

All users and groups are visible under the Users tab in the Splunk Web Admin section. Click the Edit link next to the appropriate user or group to define User Roles.

Test your LDAP configuration

If you find that your Splunk install is not able to successfully connect to your LDAP server, try these troubleshooting steps:

1. Remove any custom values you've added for userBaseFilter and groupBaseFilter.

2. Check $SPLUNK_HOME/var/log/splunk/splunkd.log for any authentication errors.

3. Perform an ldapsearch to test that the variables you are specifying work:

ldapsearch -h "<host>" -p "<port>" -b "<userBaseDN>" -x -D "<bindDN>" -w "<bindDNpassword>"
ldapsearch -h "<host>" -p "<port>" -b "<groupBaseDN>" -x -D "<bindDN>" -w "<bindDNpassword>"

Example

This example steps you through obtaining LDIFs and setting up authentication.conf. You can also enter these settings in Splunk Web, as described above.

Note: The particulars of your LDAP server may be different. Check your LDAP server settings and adapt authentication.conf attributes to your environment.

Get LDIFs

You should have both the user and group LDIFs to set up authentication.conf.

User LDIF

Get the user LDIF by running the following command (use your own ou and dc):

# ldapsearch -h ldaphost -p 389 -x -b "ou=People,dc=splunk,dc=com" -D "cn=Directory Manager" -w password

This returns:

# splunkadmin, People, splunk.com
dn: uid=splunkadmin,ou=People, dc=splunk,dc=com
uid: splunkadmin
givenName: Splunk
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: Admin
cn: Splunk Admin

Group LDIF

Get the group LDIF by running the following command (use your own ou and dc):

# ldapsearch -h ldaphost -p 389 -x -b "ou=groups,dc=splunk,dc=com" -D "cn=Directory Manager" -w password

This returns:

# SplunkAdmins, Groups, splunk.com
dn: cn=SplunkAdmins,ou=Groups, dc=splunk,dc=com
description: Splunk Admins
objectClass: top
objectClass: groupofuniquenames
cn: SplunkAdmins
uniqueMember: uid=splunkadmin,ou=People, dc=splunk,dc=com

configure authentication.conf

Use the following instructions to set up authentication.conf. Edit this file in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For more information on configuration files in general, see how configuration files work.

To set up LDAP via Splunk Web, see the instructions above.

set authentication type

By default, Splunk uses its own authentication type. Change that in the [authentication] stanza.

[authentication]
authType = LDAP
authSettings = ldaphost

• Turn on LDAP by setting authType = LDAP.

• Map authSettings to your LDAP configuration stanza (below).

map to LDAP server entries

Now, map your LDIFs to the attribute/values in authentication.conf.

[ldaphost]
host = ldaphost.domain.com
pageSize = 0
port = 389
SSLEnabled = 0

failsafeLogin = failsafe
failsafePassword = fail

bindDN = cn=Directory Manager
bindDNpassword = password

groupBaseDN = ou=Groups,dc=splunk,dc=com;
groupBaseFilter = (objectclass=*)
groupMappingAttribute = dn
groupMemberAttribute = uniqueMember
groupNameAttribute = cn

realNameAttribute = givenName
userBaseDN = ou=People,dc=splunk,dc=com;
userBaseFilter = (objectclass=*)
userNameAttribute = uid

map roles

You can also set a stanza to map roles you have created in authorize.conf to users you have enabled in authentication.conf.

[roleMap]
Admin = SplunkAdmins;

Convert saved searches to LDAP

If you have already configured saved searches and want to convert them to work with your new LDAP configuration, follow these steps:

1. Identify the user IDs at the Splunk CLI by typing:

./splunk list user

3. To test that this works, create one saved search as an LDAP user so you can verify that you have the format of the LDAP userid, and
then making the changes to the existing saved searches.

4. Once you finish modifying savedsearches.conf, you must restart Splunk.

Known issues with LDAP

When configuring Splunk to work with your LDAP instance, note the following:

• Will not work if LDAP server has no groups.
• Entries in Splunk Web and authentication.conf are case sensitive.
• Splunk currently supports LDAP v2 and v3; v3 allows for paging and is the default protocol used.
• Splunk does not support scrolling. LDAP servers that use scrolling, such as SUN/iPlanet Directory Server (versions 5.x and 6.x), should disable paging by setting pageSize to 0.
• Splunk only works with one LDAP server at a time.
• Splunk does not support (end user) anonymous bind. You may wish to create a user with minimal privileges for this purpose.
• Splunk Web can display a maximum of 499 LDAP groups.
  • To view and configure more than 499 groups manually configure them by editing authentication.conf.
  • If you want a group that did not make the cut for UI rendering, add the dn to the appropriate role in authentication.conf:
    • user = cn=splunk,ou=splunkgroups,ou=groups,o=company
• LDAP referrals is currently not supported.
• The LDAP strategy name can not be [LDAP].
• You must restart to be able to log in after switching from LDAP back to Splunk's auth.
• For situations where users and groups reside in the same base, the value of userBaseDN can't be the same as groupBaseDN. Workaround is to remove one level from the groupBaseDN (or vice versa). Example: if the userBaseDN = cn=Users,dc=domain,dc=com, set groupBaseDN = dc=domain,dc=com.