Migrate Splunk users from LDAP to SSO

migrate-to-sso.sh

#!/bin/bash

splunk_home=/opt/splunk/etc
my_users=$splunk_home/apps/my_domain/lookups/my_users.csv
users=$splunk_home/users
authfile=$splunk_home/new-auths.txt

# Clear the auth file
: > $authfile

csvcut -c sAMAccountName,userPrincipalName $my_users | while IFS=,  read username mail
do
	# lowercase the username
	sAMAccountName=${username,,}
	# check if user exists
	if [[ -d "$users/$sAMAccountName" && $mail != *".local" ]] ; then
		# move $sAMAccountName to $mail
		echo Moving $users/$sAMAccountName to $users/$mail
		mv $users/$sAMAccountName $users/$mail
		# Check if the user exists in any meta files
		for meta in $(grep -rl $sAMAccountName $splunk_home | egrep '\.meta$') ; do 
			echo "In $meta, changing owner from $sAMAccountName to $mail"
			sed -i "s/$sAMAccountName/$mail/g" $meta
			echo "$mail = user" >> $authfile
		done
	fi
done

cat $authfile | uniq > "uniq-$authfile"

@Hodgegoblin Thanks alot for sharing the details of your implementation. Glad to know it went smooth.

Few more questions

1. Did you add the list of users which were identified by the script line number 29 to the authentication.conf, if yes did you just add the "user" role to the user or you assigned all the expected roles.
   example
   micheal has access to all the 3 roles -->role1,role2,rol23

a) [email protected]=user
OR
b) [email protected]=role1,role2,role3.

2. After the script is run, did you restart the splunk instances?

Reason i ask, right now we integrated one dev instance (which was not connected to LDAP) to SAML, there is one native user who has couple of private objects and app level shared objects. I ran the script for this user and now all the artifacts for this user uses his email addresses (private objects and app level shared objects i.e in local.meta). User is yet to login , however i still see in splunk all the artifacts are still showing old native user as owner. I will have user log in tomorrow needs to see how it behaves.

did a debug/refresh, this took care of #2 point which i asked.

@sanatani806

1. We did not add the users to authentication.conf. This could have caused the issue with the orphaned knowledge object for us, but after a user logs in they're mapped to the roles in there. We mapped groups to our Splunk roles and then the users get mapped to the correct roles based on group membership.

2. We did restart the Splunk instances after running the script.

@Hodgegoblin @oxo42 @sanatani806 Thanks for the script and discussion above. I am doing LDAP to SAML migration and was testing this script on our dev server but when I have executed the script and tried to restart Splunk service got below in splunkd.log and then Splunk service does not start. have executed the script when splunk was in running sate. did you come across this similar issue?

INFO ConfigWatcher [83579 SplunkConfigChangeWatcherThread] - File deleted while splunkd was not running path=/opt/splunk/etc/users/[email protected]\r/corp_digital_TA_css/local/ui-prefs.conf DELETED

also directories moved from user1 to [email protected] created like below with "?" at the end. I have checked the csv lookup and I dont see any extra character in email field .

drwx------. 14 splunk splunk 278 Nov 29 13:46 [email protected]?
drwx------. 5 splunk splunk 78 Nov 29 13:46 [email protected]?
drwx------. 9 splunk splunk 166 Nov 29 13:46 [email protected]?

@Hodgegoblin @sanatani806 @oxo42 is anyone of you actively checking this post

I am getting below error and not sure exactly how i can get rid of it. only thing for now i am doing is instead of doing mv and using cp to copy users directories.

INFO ConfigWatcher [83579 SplunkConfigChangeWatcherThread] - File deleted while splunkd was not running path=/opt/splunk/etc/users/[email protected]\r/corp_digital_TA_css/local/ui-prefs.conf DELETED