Troubleshoot the Splunk Supporting Add-on for Active Directory
When an app that uses the Splunk Supporting Add-on for Active Directory cannot complete a search, it notifies you by displaying an error message in the Splunk status bar (at the top of your browser window), as follows:
External search command 'ldapsearch' returned error code 1. ERROR "LDAPInvalidCredentialsResult - 49 - invalidCredentials - None - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580"
It also writes a message to $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log
, similar to the following:
2014-10-10 13:45:31,052, Level=ERROR, Pid=3950, File=search_command.py, Line=278, Abnormal exit: LDAPInvalidCredentialsResult - 49 - invalidCredentials - None - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580^@ - bindResponse - None
If you see an error message similar to this when performing a search, use the following table to decode the data
value and figure out how to resolve the error.
Data value | What it means | What you should do |
---|---|---|
255 | Either the domain was not found or there was a syntax error in the search command. | Confirm that the domain that you want to monitor exists and is configured properly, or that your search string is properly formatted and syntactically correct. |
525 | The username provided in ldap.conf is not valid.
|
Edit ldap.conf and provide the correct user, then restart your central Splunk instance.
|
52E | The password provided in ldap.conf is not valid.
|
Edit ldap.conf and provide the correct password, then restart your central Splunk instance.
|
530 | The user account provided is not allowed to log into Active Directory at this time. | Remove the user's log on time restrictions from within Active Directory, then try again. |
531 | The user account provided is not allowed to log into Active Directory from the current server. | Modify the local security policy of the server from which the specified user is trying to log in to Active Directory, then try again. |
532 | The user account provided has an expired password. | Change the user's password or set the "Password never expires" bit from within Active Directory, then try again. |
533 | The user account provided is disabled. | Re-enable the user account from within Active Directory, then try again. |
701 | The user account provided has expired. | Re-enable the user account from within Active Directory, then try again. |
773 | The user account provided has the "User must reset password at next logon" bit set. | Un-set the "User must reset password at next logon" bit for the user account from within Active Directory, then try again. |
775 | The user account provided is locked because an incorrect password has been entered too many times. | Re-enable the user account from within Active Directory and change the password to a known good one, then try again. |
LDAP commands exit with 'undefined domain' error
If you configure or reference an invalid domain in ldap.conf
, the ldapfilter
, ldapfetch
, and ldapgroup
commands in a subsequent search exit immediately with an error similar to the following:
External search command 'ldapfilter' returned error code 1. Script output = " ERROR Undefined domain name: <domain>. "
The commands immediately stop execution at that point and do not search further, even if the query source has additional entries with valid domains.
To fix the problem, confirm that you have defined all domains that the add-on must connect to in ldap.conf
.
LDAP commands exit with 'No key or prefix' error
If you do not configure the default
domain in ldap.conf
the ldapfilter
, ldapfetch
, and ldapgroup
commands in a subsequent search exit immediately with an error similar to the following:
External search command 'ldapgroup' returned error code 1. Script output = " ERROR "KeyError at ""/Applications/Splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/data.py"", line 245 : u'No key or prefix: $text.'" "
To prevent this error, confirm that you have configured the default domain in the add-on configuration page.
PREVIOUS The ldapgroup command |
NEXT Data and source types for the Splunk Supporting Add-on for Active Directory |
This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 1.1.13, 2.0.0, 2.0.1
Feedback submitted, thanks!