Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)

Workaround for default configuration stanza errors in distributed environments

Introduction

This page discusses how to work around a problem where Splunk Supporting Add-on for Active Directory (SA-LDAPsearch) returns an error message about a missing configuration stanza when it runs in a distributed Splunk Enterprise or Splunk Cloud environment.

In a standard Splunk Enterprise environment, SA-LDAPsearch connects to Active Directory and retrieves user records on a search head. In a distributed environment or a Splunk Cloud deployment, the add-on can be configured to distribute search commands across search peers that the search head manages.

Because SA-LDAPsearch must have direct access to the Active Directory domain controllers, every host to which you distribute the add-on must also have access to Active Directory. In addition, the add-on must have exactly the same configuration on the search peers as it has on the search head.

Symptoms

When you run queries with SA-LDAPsearch in a distributed Splunk Enterprise or Splunk Cloud environment, you receive the following error message:

External search command 'ldapfilter' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing.

You might also receive a message like:

The default configuration stanza for ldap.conf is missing: HTTP 404 Not Found - Application does not exist: SA-ldapsearch

You check ldap.conf on the search head, and the [default] stanza is present.

Cause

The cause of this problem is a bug in how SA-LDAPsearch handles distributed LDAP search queries.

Workaround

There are two ways to work around this problem:

Install SA-LDAPsearch on the search head and all search peers

This option has you configure SA-LDAPsearch on the search head and any search peers. It ensures that the configuration is the same across all of the peers.

  1. Install SA-LDAPsearch using Splunk Web.
  2. Configure the add-on with Splunk Web by adding a domain to the SA-LDAPsearch configuration.
  3. Click the Test connection button in the configuration page to confirm that the add-on can connect to the Active Directory domain you specified.
  4. Once the test succeeds, click Save to save the configuration.
  5. Repeat this process for all search peers in the deployment.

Modify SA-LDAPsearch to make only local queries

Modify the SA-ldapsearch add-on directly to use only local queries. When you complete the modification, the add-on performs all queries from the search head and does not attempt to distribute the queries to any search peers. Use this option if you do not want to install the add-on on the search peers.

Caution: The following steps require that you make changes directly to the add-on. If you do not make the changes correctly, you might render the add-on unstable or unusable. Restricting LDAP queries to the search head only can result in degraded search performance. Upgrading the Splunk Supporting Add-on for Active Directory might reverse these changes. If you are either unsure or uncomfortable about making the changes, contact your Splunk support representative for assistance.

  1. Use your operating system file management tools to create $SPLUNK_HOME\etc\apps\SA-Ldapsearch\local\commands.conf. The easiest way is to copy only the stanzas of $SPLUNK_HOME\etc\apps\SA-Ldapsearch\default\commands.conf that are needed for your Splunk platform deployment and add them to your \local\commands.conf file.
  2. Use a text editor to open $SPLUNK_HOME\etc\apps\SA-Ldapsearch\local\commands.conf for editing.
  3. In each stanza within this file, change the following entry:

    local = false

    to

    local = true

  4. Save the file and close it.
  5. Restart Splunk Enterprise on the instance.
  6. Run a search with the add-on. You should no longer receive the error message.
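
The following check is an added example, not part of the add-on or of the original Splunk documentation. It overlays a local commands.conf on the default one, key by key, and lists any command stanza that would still run on the search peers. The sample file contents, the filename values, and the function names are constructed for illustration.

```python
import re

# Constructed sample text, not the add-on's real default/commands.conf.
DEFAULT_SAMPLE = """
[ldapfilter]
filename = ldapfilter.py
local = false

[ldapsearch]
filename = ldapsearch.py
local = false
"""
# Constructed local/commands.conf in which one stanza was missed.
LOCAL_SAMPLE = """
[ldapfilter]
local = true
"""

def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"\[(.+)\]", line)
        if match:
            current = stanzas.setdefault(match.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective(default_text, local_text):
    """Overlay local/ on default/ key by key, as Splunk layers app config."""
    merged = {name: dict(kv) for name, kv in parse_conf(default_text).items()}
    for name, kv in parse_conf(local_text).items():
        merged.setdefault(name, {}).update(kv)
    return merged

def still_distributed(default_text, local_text):
    """Return command stanzas whose effective 'local' is not true.
    A missing key counts as false; [default] inheritance is not modeled."""
    merged = effective(default_text, local_text)
    return sorted(name for name, kv in merged.items()
                  if kv.get("local", "false").lower() not in ("true", "1"))

if __name__ == "__main__":
    print(still_distributed(DEFAULT_SAMPLE, LOCAL_SAMPLE))
```

To audit a real deployment, read the two commands.conf files from the add-on's default and local directories and pass their text to still_distributed; an empty list means every command is restricted to the search head.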

This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8


Comments

Hi Lohitkidu,

Yes, that's by design. You need to be an admin or have that role assigned to you to make these kinds of changes.

Malmoore, Splunker
February 18, 2016

Saving the config from APP configuration page would create problems for non-admin users.

Lohitkidu
February 16, 2016
