Workaround for default configuration stanza errors in distributed environments
This page discusses how to work around a problem where Splunk Supporting Add-on for Active Directory (SA-LDAPsearch) returns an error message about a missing configuration stanza when it runs in a distributed Splunk Enterprise or Splunk Cloud environment.
In a standard Splunk Enterprise environment, SA-LDAPsearch connects to Active Directory and retrieves user records on a search head. In a distributed environment or a Splunk Cloud deployment, the add-on can be configured to distribute search commands across search peers that the search head manages.
Because SA-LDAPsearch must have direct access to the Active Directory domain controllers, every host where you distribute the add-on must also have access to Active Directory. The add-on must also have exactly the same configuration on the search peers as it has on the search head.
When you run queries with SA-LDAPsearch in a distributed Splunk Enterprise or Splunk Cloud environment, you receive the following error message:
External search command 'ldapfilter' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing.
You might also receive a message like:
The default configuration stanza for ldap.conf is missing: HTTP 404 Not Found - Application does not exist: SA-ldapsearch
ldap.conf on the search head, and the [default] stanza is present.
The cause of this problem is a bug in how SA-LDAPsearch handles distributed LDAP search queries.
There are two ways to work around this problem:
Install SA-LDAPsearch on the search head and all search peers
This option has you configure SA-LDAPsearch on the search head and any search peers. It ensures that the configuration is the same across all of the peers.
- Install SA-LDAPsearch using Splunk Web.
- Configure the add-on with Splunk Web by adding a domain to the SA-LDAPsearch configuration.
- Click the Test connection button in the configuration page to confirm that the add-on can connect to the Active Directory domain you specified.
- Once the test succeeds, click Save to save the configuration.
- Repeat this process for all search peers in the deployment.
Modify SA-LDAPsearch to make only local queries
This option has you modify the SA-ldapsearch add-on directly to use only local queries. When you complete the modification, the add-on performs all queries from the search head and does not attempt to distribute the queries to any search peers. Use this option if you do not want to install the add-on on the search peers.
Caution: The following steps require that you make changes directly to the add-on. If you do not make the changes correctly, you might render the add-on unstable or unusable. Restricting LDAP queries to the search head only can result in degraded search performance. Upgrading the Splunk Supporting Add-on for Active Directory might reverse these changes. If you are either unsure or uncomfortable about making the changes, contact your Splunk support representative for assistance.
- Use your operating system file management tools to create $SPLUNK_HOME\etc\apps\SA-Ldapsearch\local\commands.conf. The easiest way is to copy only the stanzas of $SPLUNK_HOME\etc\apps\SA-Ldapsearch\default\commands.conf that are needed for your Splunk platform deployment and add them to your
- Use a text editor to open
- In each stanza within this file, change the following entry:
local = false
to:
local = true
- Save the file and close it.
- Restart Splunk Enterprise on the instance.
- Run a search with the add-on. You should no longer receive the error message.
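The copy-and-edit steps above can be scripted; the following Python is an added example, not part of the Splunk documentation or the add-on's own code. The function names build_local_override and write_override are hypothetical, and the sample commands.conf content is constructed for illustration.

```python
import re
from pathlib import Path

STANZA = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
LOCAL_KEY = re.compile(r"^(?P<lead>\s*local\s*=\s*)\S+\s*$")

# Constructed sample input, not the add-on's shipped default/commands.conf.
SAMPLE_DEFAULT = """\
[ldapfilter]
filename = ldapfilter.py
local = false

[ldapsearch]
filename = ldapsearch.py
"""

def build_local_override(default_text, wanted=None):
    """Return (local/commands.conf text, stanzas that had no local entry)."""
    out, missing = [], []
    name, keep, has_local = None, False, True
    for line in default_text.splitlines():
        header = STANZA.match(line)
        if header:
            if keep and not has_local:  # previous stanza had nothing to change
                missing.append(name)
            name, has_local = header.group("name"), False
            keep = wanted is None or name in wanted  # copy only needed stanzas
        if not keep:
            continue
        # Set the entry the steps say to change; copy every other line as is.
        entry = LOCAL_KEY.match(line)
        if entry:
            line, has_local = entry.group("lead") + "true", True
        out.append(line)
    if keep and not has_local:
        missing.append(name)
    return "\n".join(out) + "\n", missing

def write_override(app_dir, wanted=None):
    """Create local/commands.conf in app_dir; never overwrite an existing one."""
    default_text = (Path(app_dir) / "default" / "commands.conf").read_text()
    text, missing = build_local_override(default_text, wanted)
    target = Path(app_dir) / "local" / "commands.conf"
    target.parent.mkdir(exist_ok=True)
    with target.open("x") as fh:  # "x" raises FileExistsError if present
        fh.write(text)
    return missing

if __name__ == "__main__":
    print(build_local_override(SAMPLE_DEFAULT)[0], end="")
```

write_override returns the names of copied stanzas that had no local entry to change, so you can review those by hand, and it refuses to replace an existing local/commands.conf.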
This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7