Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)

Acrobat logo Download manual as PDF


This documentation does not apply to the most recent version of Splunk® Supporting Add-on for Active Directory. For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Troubleshoot the Splunk Supporting Add-on for Active Directory

When an app that uses the Splunk Supporting Add-on for Active Directory cannot complete a search, it notifies you by displaying an error message in the Splunk status bar (at the top of your browser window), as follows: 

External search command 'ldapsearch' returned error code 1.
ERROR "LDAPInvalidCredentialsResult - 49 - invalidCredentials - None - 80090308: 
LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580"

It also writes a message to $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log, similar to the following:

2014-10-10 13:45:31,052, Level=ERROR, Pid=3950, File=search_command.py, Line=278, Abnormal exit: LDAPInvalidCredentialsResult - 49 - invalidCredentials - None - 80090308: LdapErr: DSID-0C0903C8, comment: AcceptSecurityContext error, data 52e, v2580^@ - bindResponse - None

If you see an error message similar to this when performing a search, use the following table to decode the data value and figure out how to resolve the error.

Data value What it means What you should do
255 Either the domain was not found or there was a syntax error in the search command. Confirm that the domain that you want to monitor exists and is configured properly, or that your search string is properly formatted and syntactically correct.
525 The username provided in ldap.conf is not valid. Edit ldap.conf and provide the correct user, then restart your central Splunk instance.
52E The password provided in ldap.conf is not valid. Edit ldap.conf and provide the correct password, then restart your central Splunk instance.
530 The user account provided is not allowed to log into Active Directory at this time. Remove the user's log on time restrictions from within Active Directory, then try again.
531 The user account provided is not allowed to log into Active Directory from the current server. Modify the local security policy of the server from which the specified user is trying to log in to Active Directory, then try again.
532 The user account provided has an expired password. Change the user's password or set the "Password never expires" bit from within Active Directory, then try again.
533 The user account provided is disabled. Re-enable the user account from within Active Directory, then try again.
701 The user account provided has expired. Re-enable the user account from within Active Directory, then try again.
773 The user account provided has the "User must reset password at next logon" bit set. Un-set the "User must reset password at next logon" bit for the user account from within Active Directory, then try again.
775 The user account provided is locked because an incorrect password has been entered too many times. Re-enable the user account from within Active Directory and change the password to a known good one, then try again.

LDAP commands exit with 'undefined domain' error

If you configure or reference an invalid domain in ldap.conf, the ldapfilter, ldapfetch, and ldapgroup commands in a subsequent search exit immediately with an error similar to the following: 

External search command 'ldapfilter' returned error code 1. Script output = 
" ERROR Undefined domain name: <domain>. "

The commands immediately stop execution at that point and do not search further, even if the query source has additional entries with valid domains.

To fix the problem, confirm that you have defined all domains that the add-on must connect to in ldap.conf.

LDAP commands exit with 'No key or prefix' error

If you do not configure the default domain in ldap.conf the ldapfilter, ldapfetch, and ldapgroup commands in a subsequent search exit immediately with an error similar to the following: 

 External search command 'ldapgroup' returned error code 1. Script output = 
" ERROR "KeyError at ""/Applications/Splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/data.py"", 
line 245 : u'No key or prefix: $text.'" "

To prevent this error, confirm that you have configured the default domain in the add-on configuration page.

Last modified on 15 June, 2015
PREVIOUS
The ldapgroup command 		  NEXT
Data and source types for the Splunk Supporting Add-on for Active Directory

This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 1.1.13, 2.0.0, 2.0.1

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters