Splunk Enterprise Security Certified Analyst — Question 84
A working search head cluster has been set up and used for 6 months with just the native/local Splunk user authentication method. In order to integrate the search heads with an external Active Directory server using LDAP, which of the following statements represents the most appropriate method to deploy the configuration to the servers?
Answer options
- A. Configure the integration in a base configuration app located in the shcluster-apps directory on the search head deployer, then deploy the configuration to the search heads using the splunk apply shcluster-bundle command.
- B. Log onto each search head using a command-line utility. Modify the authentication.conf and authorize.conf files in a base configuration app to configure the integration.
- C. Configure the LDAP integration on one Search Head using the Settings > Access Controls > Authentication Method and Settings > Access Controls > Roles Splunk UI menus. The configuration setting will replicate to the other nodes in the search head cluster eliminating the need to do this on the other search heads.
- D. On each search head, login and configure the LDAP integration using the Settings > Access Controls > Authentication Method and Settings > Access Controls > Roles Splunk UI menus.
Correct answer: A
Explanation
The correct answer is A because it uses the search head deployer to push the configuration to every search head, which keeps the configuration consistent across the cluster. Option B is incorrect because manually modifying files on each search head is inefficient and does not use the cluster's deployment capabilities. Option C is wrong because, although it relies on configuration replication, it still depends on a manual setup performed on a single member and may not be the most efficient method. Option D is also incorrect because it is a manual process repeated on each search head, which does not scale well.