Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)



This documentation does not apply to the most recent version of Splunk® Supporting Add-on for Active Directory. For documentation on the most recent version, go to the latest release.

Release Notes

This topic contains information on new features, known issues, and updates as we version the Splunk Supporting Add-on for Active Directory.

Version 2.1.0 of the Splunk Supporting Add-on for Active Directory was released on Tuesday, April 14, 2015.

What's new

Here's what's new in the latest version of the Splunk Supporting Add-on for Active Directory:

  • Bug fixes.
  • You can now configure the add-on to use Secure Sockets Layer (SSL) to connect to LDAP instances. (TAG-8941)
  • You can now use cleartext passwords if you cannot add the admin_all_objects capability to the user that accesses the add-on. To do this, you must edit configuration files manually, and you cannot later use the configuration page to make changes to domains that have cleartext passwords. Splunk does not recommend the use of cleartext passwords.
  • The add-on now has improved error messaging. See individual items in the change log for details.
  • The add-on now requires you to provide the alternatedomain and basedn settings in ldap.conf. When using the configuration page in Splunk Web, you must fill these fields in before attempting to test the connection. (TAG-8930)

Current known issues

The Splunk Add-on for Windows has the following known issues:

  • When you enable single sign-on (SSO) in Splunk Enterprise, the configuration page does not work as expected. (TAG-9124)
  • Make sure that you use the latest version of Splunk Enterprise to avoid being affected by the SSLv3 POODLE vulnerability. See "Splunk response to SSLv3 'POODLE' vulnerability."

Change log (what's been fixed)

  • Support for anonymous binding has been restored. To use it, you must enable anonymous binding in Active Directory and give the Anonymous Logon account read access to the Active Directory schema. (TAG-9275)
  • The ldapgroup command now properly escapes group distinguished names (DNs) in queries. (TAG-9263)
  • The ldapgroup command now has better handling of LDAP communication errors. (TAG-9237)
  • The ldapsearch command now returns fields for results when the first result does not have the desired field. (TAG-9234)
  • The add-on no longer attempts to verify SSL certificates by default when you make an SSL connection to Active Directory, except in cases where you install certificates that have been properly signed by an external root certificate authority and you enable SSL certificate validation with the sslVerifyServerCert attribute in ssl.conf. (TAG-9214, see also TAG-8941)
  • Conversely, when you install SSL certificates that have been properly signed by an external root certificate authority and you enable SSL certificate validation with the sslVerifyServerCert attribute in ssl.conf, the add-on now verifies those certificates by default when you make a connection to Active Directory over SSL. (TAG-8941, see also TAG-9214)
  • The ldapgroup command now returns no results when you specify an invalid group distinguished name, instead of returning a cryptic error message. (TAG-9189, TAG-9190)
  • The ldapfetch command now returns all rows for a query, rather than just the first. (TAG-9165)
  • Several commands now no longer exit abnormally when they encounter a missing or invalid domain configuration. (TAG-9162, TAG-9164)
  • The ldapfilter command now displays a clearer error message when invalid parameters (such as no search value) have been supplied to it. (TAG-9155)
  • The ldapsearch command now displays a clearer error message when ldap.conf does not contain required attributes such as binddn. (TAG-9150)
  • A problem where the add-on configuration page displayed empty fields on an instance without stored credentials and a plain-text password in ldap.conf was fixed. (TAG-9149)
  • The ldapsearch command now displays a clearer error message when ldap.conf contains an invalid value for basedn. (TAG-9145)
  • The add-on now assumes that it should connect to the LDAP server using TCP port 389 and not use SSL when the port setting is present, but has not been defined, in a stanza in ldap.conf. (TAG-9142, TAG-9144)
  • The add-on no longer displays a confusing error message if the port attribute is present, but has not been defined, in a stanza in ldap.conf. (TAG-9142, TAG-9143)
  • The ldapsearch command now displays a clearer error message when it cannot connect to an Active Directory server. (TAG-9141)
  • The ldapgroup command now properly handles circular nested groups in Active Directory (where two or more groups are members of each other). (TAG-9130)
  • Several commands now print a more meaningful error message when the default domain in ldap.conf has not been configured correctly. (TAG-9118)
  • When you specify a cleartext password in ldap.conf, the add-on configuration page now displays a bulleted representation of that password in the "Password" field, instead of displaying nothing. (TAG-9107)
  • The ldapfilter command no longer fails with a socket closing error when you enable SSL and supply attributes that it does not recognize. (TAG-9103)
  • The ldapsearch command now returns a dn field in all its responses, regardless of the attributes you specify as arguments. (TAG-9100)
  • Several commands now print a more meaningful error message when they are unable to authenticate to an LDAP server. (TAG-9057)
  • The add-on now registers itself as configured when you configure it. (TAG-9035)
  • The add-on now has improved log file handling, including the ability to retain up to 10 backup log files. (TAG-8969)
  • The ldapgroup command now produces multi-value member fields. (TAG-8954)
  • The ldapsearch command now prints a friendlier error message when ldap.conf has a bad configuration. (TAG-8930)
  • The add-on no longer displays a "string indices must be integers, not unicode" message if the password attribute is present, but has not been defined, in a stanza in ldap.conf. (TAG-8883)
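
The two ldapgroup fixes above, DN escaping in queries (TAG-9263) and circular nested groups (TAG-9130), can be illustrated as follows. This is an added example, not the add-on's own code: it uses RFC 4515 filter-value escaping and a visited set. All function names and the sample directory are constructed for illustration.

```python
# Added example, not SA-ldapsearch code. Names and data are constructed.

# RFC 4515: these characters must appear as \XX inside a filter value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28",
                  ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP filter."""
    # Per-character mapping, so an inserted backslash is never re-escaped.
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)

def member_of_filter(group_dn):
    """Build the filter that selects direct members of group_dn."""
    return "(memberOf=%s)" % escape_filter_value(group_dn)

def expand_group(group_dn, lookup_members, is_group):
    """Return all non-group members of group_dn, following nested groups.

    lookup_members(dn) -> list of member DNs; is_group(dn) -> bool.
    The visited set ends the walk when groups are members of each other.
    """
    visited, users, stack = set(), set(), [group_dn]
    while stack:
        dn = stack.pop()
        key = dn.lower()  # treat DNs as case-insensitive for cycle detection
        if key in visited:
            continue
        visited.add(key)
        for member in lookup_members(dn):
            if is_group(member):
                stack.append(member)
            else:
                users.add(member)
    return sorted(users)

# Constructed sample directory: the two groups contain each other.
ADMINS = "CN=Admins,DC=example,DC=com"
OPS = "CN=Ops (EMEA),DC=example,DC=com"
DIRECTORY = {
    ADMINS: ["CN=alice,DC=example,DC=com", OPS],
    OPS: ["CN=bob,DC=example,DC=com", ADMINS],
}

def sample_members(dn):
    return DIRECTORY.get(dn, [])

def sample_is_group(dn):
    return dn in DIRECTORY
```
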
Last modified on 13 April, 2015

This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 2.1.0

