Which of the following is true regarding LDAP integration with Splunk Enterprise?

In Splunk Enterprise, when integrating with an LDAP (Lightweight Directory Access Protocol) directory for authentication, user access is governed by the mapping between LDAP groups and Splunk roles. A user authenticated via LDAP must belong to at least one LDAP group that is mapped to a Splunk role. Without this mapping, the user can authenticate successfully against LDAP but will not be granted any role privileges inside Splunk, and therefore cannot log in to the Splunk web interface.

Splunk documentation explicitly states:

“When you integrate Splunk Enterprise with LDAP, a user must be assigned at least one Splunk role through an LDAP group mapping. If the user does not belong to a mapped group, they cannot log into Splunk.”

This ensures that user permissions are inherited from LDAP-to-role mappings and provides centralized management of authentication and authorization.

Reference (Splunk Documentation):

Splunk® Enterprise Admin Manual → Securing Splunk Enterprise → Authenticate users with LDAP

authentication.conf.spec and example → LDAP configuration and role mapping

Splunk Docs: “Configure LDAP authentication”