Release Notes
This topic contains information on new features, known issues, and updates as we version the Splunk Supporting Add-on for Active Directory.
Version 2.1.0 of the Splunk Supporting Add-on for Active Directory was released on Tuesday, April 14, 2015.
What's new
Here's what's new in the latest version of the Splunk Supporting Add-on for Active Directory:
- Bug fixes.
- You can now configure the add-on to use Secure Sockets Layer (SSL) to connect to LDAP instances. (TAG-8941)
- You now have the ability to use clear-text passwords if you cannot add the admin_all_objects capability to the user that accesses the add-on. To do this, you must edit configuration files manually, and you cannot use the configuration page to make changes to domains with cleartext passwords later. Splunk does not recommend the use of cleartext passwords.
- The add-on now has improved error messaging. See individual items in the change log for details.
- The add-on now requires you to provide the alternatedomain and basedn settings in ldap.conf. When using the configuration page in Splunk Web, you must fill these fields in before attempting to test the connection. (TAG-8930)
Current known issues
The Splunk Add-on for Windows has the following known issues:
- When you enable single sign-on (SSO) in Splunk Enterprise, the configuration page does not work as expected. (TAG-9124)
- Make sure that you use the latest version of Splunk Enterprise to avoid being affected by the SSLv3 POODLE vulnerability. See "Splunk response to SSLv3 'POODLE' vulnerability."
Change log (what's been fixed)
- Support for anonymous binding has been restored. To use it, you must enable anonymous binding in Active Directory and give the Anonymous Logon account read access to the Active Directory schema. (TAG-9275)
- The ldapgroup command now properly escapes group distinguished names (DNs) in queries. (TAG-9263)
- The ldapgroup command now has better handling of LDAP communication errors. (TAG-9237)
- The ldapsearch command now returns fields for results when the first result does not have the desired field. (TAG-9234)
- The add-on no longer attempts to verify SSL certificates by default when you make an SSL connection to Active Directory, except in cases where you install certificates that have been properly signed by an external root certificate authority and you enable SSL certificate validation with the sslVerifyServerCert attribute in ssl.conf. (TAG-9214, see also TAG-8941)
- Conversely, when you install SSL certificates that have been properly signed by an external root certificate authority and you enable SSL certificate validation with the sslVerifyServerCert attribute in ssl.conf, the add-on now verifies those certificates by default when you make a connection to Active Directory over SSL. (TAG-8941, see also TAG-9214)
- The ldapgroup command now returns no results when you specify an invalid group distinguished name, instead of returning a cryptic error message. (TAG-9189, TAG-9190)
- The ldapfetch command now returns all rows for a query, rather than just the first. (TAG-9165)
- Several commands now no longer exit abnormally when they encounter a missing or invalid domain configuration. (TAG-9162, TAG-9164)
- The ldapfilter command now displays a clearer error message when invalid parameters (such as no search value) have been supplied to it. (TAG-9155)
- The ldapsearch command now displays a clearer error message when ldap.conf does not contain required attributes such as binddn. (TAG-9150)
- A problem where the add-on configuration page displayed empty fields on an instance without stored credentials and a plain-text password in ldap.conf was fixed. (TAG-9149)
- The ldapsearch command now displays a clearer error message when ldap.conf contains an invalid value for basedn. (TAG-9145)
- The add-on now assumes that it should connect to the LDAP server using TCP port 389 and not use SSL when the port setting is present, but has not been defined, in a stanza in ldap.conf. (TAG-9142, TAG-9144)
- The add-on no longer displays a confusing error message if the port attribute is present, but has not been defined, in a stanza in ldap.conf. (TAG-9142, TAG-9143)
- The ldapsearch command now displays a clearer error message when it cannot connect to an Active Directory server. (TAG-9141)
- The ldapgroup command now properly handles circular nested groups in Active Directory (where two or more groups are members of each other.) (TAG-9130)
- Several commands now print a more meaningful error message when the default domain in ldap.conf has not been configured correctly. (TAG-9118)
- When you specify a cleartext password in ldap.conf, the add-on configuration page now displays a bulleted representation of that password in the "Password" field, instead of displaying nothing. (TAG-9107)
- The ldapfilter command no longer fails with a socket closing error when you enable SSL and supply attributes that it does not recognize. (TAG-9103)
- The ldapsearch command now returns a dn field in all its responses, regardless of the attributes you specify as arguments. (TAG-9100)
- Several commands now print a more meaningful error message when they are unable to authenticate to an LDAP server. (TAG-9057)
- The add-on now registers itself as configured when you configure it. (TAG-9035)
- The add-on now has improved log file handling, including the ability to retain up to 10 backup log files. (TAG-8969)
- The ldapgroup command now produces multi-value member fields. (TAG-8954)
- The ldapsearch command now prints a friendlier error message when ldap.conf has a bad configuration. (TAG-8930)
- The add-on no longer displays a "string indices must be integers, not unicode" message if the password attribute is present, but has not been defined, in a stanza in ldap.conf. (TAG-8883)
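The DN escaping (TAG-9263), invalid-DN handling (TAG-9189) and circular nested group handling (TAG-9130) listed in the change log can be illustrated as follows. This is an added example, not code from the add-on: the function names, DNs and directory contents are constructed for illustration, and the directory is modelled as an in-memory dictionary rather than a live LDAP server.

```python
# Added illustration; not the add-on's code. All DNs below are constructed sample data.

# Characters that RFC 4515 requires to be escaped inside a filter assertion value.
_FILTER_SPECIALS = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def member_filter(group_dn):
    """Build a filter for direct members of group_dn, with the DN escaped."""
    return "(memberOf=%s)" % escape_filter_value(group_dn)


def expand_group(directory, group_dn):
    """Return all non-group members of group_dn, following nested groups.

    directory maps a group DN to its list of member DNs (hypothetical model).
    A visited set stops the walk from looping on circular nesting, and an
    unknown group DN yields an empty result instead of an error.
    """
    if group_dn not in directory:
        return []
    seen, users, stack = {group_dn}, set(), [group_dn]
    while stack:
        for member in directory[stack.pop()]:
            if member in directory:          # member is itself a group
                if member not in seen:       # skip groups already expanded
                    seen.add(member)
                    stack.append(member)
            else:
                users.add(member)
    return sorted(users)


# Constructed sample: two groups that are members of each other.
OPS = "CN=Ops (EU),OU=Groups,DC=example,DC=test"
ADMINS = "CN=Admins,OU=Groups,DC=example,DC=test"
DIRECTORY = {
    OPS: ["CN=alice,OU=Users,DC=example,DC=test", ADMINS],
    ADMINS: ["CN=bob,OU=Users,DC=example,DC=test", OPS],
}

if __name__ == "__main__":
    print(member_filter(OPS))
    print(expand_group(DIRECTORY, OPS))
```

Without the escaping step, the parentheses in the first group's name would terminate the filter early and change what the query matches.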
This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 2.1.0