By default, Splunk authenticates using its own authentication system, which simply stores users and roles in flat files. The other two options available are LDAP and scripted authentication.
To enable LDAP authentication, perform the following steps:
- Navigate to Settings | Access controls | Authentication method
- Check the LDAP checkbox
- Click on Configure Splunk to use LDAP and map groups
- Click on New
You will then need the appropriate values to set up access to your LDAP server.
Every organization sets up LDAP slightly differently, so I have never managed to configure this properly the first time. Your best bet is to copy the values from another application that is already configured in your organization.
Once LDAP is configured properly, you can map Splunk roles to the LDAP groups through the admin interface. Whether to use an existing group or create Splunk-specific groups is of course up to your organization, but most companies I have worked with opted to create a specific group for each Splunk role. The common groups are often along the lines of: splunkuser, splunkpoweruser, splunksecurity, and splunkadmin. Rights are additive, so a user can be a member of as many groups as is appropriate.
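The settings entered in the steps above and the role mapping are stored in authentication.conf. The following is an added example, not taken from the original text, of what such a file can look like for an Active Directory style server. The strategy name corp_ldap, the host, every DN, and the custom role security are assumptions made for illustration; the group names are the ones listed above.

```ini
# $SPLUNK_HOME/etc/system/local/authentication.conf
# Constructed example: the strategy name, host and DNs are placeholders.

[authentication]
authType = LDAP
authSettings = corp_ldap

[corp_ldap]
host = ldap.example.com
# LDAPS on 636, so the bind password and user logins are not sent in clear text
port = 636
SSLEnabled = 1
# Service account Splunk binds as to search users and groups;
# it only needs read access to the two base DNs below
bindDN = CN=splunk-bind,OU=Service Accounts,DC=example,DC=com
bindDNpassword = <bind-password>
# Where user entries live and which attribute is the login name
userBaseDN = OU=People,DC=example,DC=com
userNameAttribute = sAMAccountName
realNameAttribute = displayName
# Where group entries live and how membership is expressed
groupBaseDN = OU=Groups,DC=example,DC=com
groupNameAttribute = cn
groupMemberAttribute = member

# Format: <Splunk role> = <LDAP group>[;<LDAP group>...]
# "security" is a hypothetical custom role; user, power and admin are built in.
[roleMap_corp_ldap]
user = splunkuser
power = splunkpoweruser
security = splunksecurity
admin = splunkadmin
```

With this mapping, a user who belongs to both splunkuser and splunksecurity receives both roles. Membership of splunkadmin now grants the Splunk admin role, so changes to that group in the directory should be controlled like any other privileged group.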
New in Splunk 4.3 are the ability to use multiple LDAP servers at once, support for dynamic groups, support for nested groups, and more. The official documentation can be found at the following URL:
https://docs.splunk.com/Documentation/Splunk/latest/Security/SetUpUserAuthenticationWithLDAP