Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)



This documentation does not apply to the most recent version of Splunk® Supporting Add-on for Active Directory. For documentation on the most recent version, go to the latest release.

Workaround for default configuration stanza errors in distributed environments

Introduction

This page discusses how to work around a problem where Splunk Supporting Add-on for Active Directory (SA-LDAPsearch) returns an error message about a missing configuration stanza when it runs in a distributed Splunk Enterprise or Splunk Cloud environment.

In a non-distributed Splunk Enterprise deployment, SA-LDAPsearch connects to Active Directory and retrieves directory records on the search head. In a distributed environment or a Splunk Cloud deployment, the add-on's search commands can be distributed to the search peers that the search head manages.

Because SA-LDAPsearch must connect directly to the Active Directory domain controllers, every host that runs its commands, the search head and any search peer the commands are distributed to, needs network access to those domain controllers. The add-on must also have exactly the same configuration on the search peers as on the search head, including the domain definitions and the bind account credentials in ldap.conf.

Symptoms

When you run queries with SA-LDAPsearch in a distributed Splunk Enterprise or Splunk Cloud environment, you receive the following error message:

External search command 'ldapfilter' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing.

You check ldap.conf on the search head, and the [default] stanza is present.

Cause

The cause of this problem is a bug in how SA-LDAPsearch handles distributed LDAP search queries. The add-on's commands are distributable, so the search head sends them to its search peers, where each peer reads its own copy of ldap.conf rather than the one on the search head. A peer that does not have the add-on, or has it with a different configuration, has no [default] stanza, and the command fails there with the message above even though the search head's ldap.conf is correct.

Workaround

There are two ways to work around this problem:

Install SA-LDAPsearch on the search head and all search peers

This option has you install and configure SA-LDAPsearch identically on the search head and on every search peer, so that each peer that receives a distributed command has the ldap.conf it needs. Because that configuration includes the LDAP bind account credentials, every peer then holds a copy of them; use a dedicated bind account with read-only, least-privilege access to the directory rather than an administrative account.

1. Install SA-LDAPsearch using Splunk Web.

2. Configure the add-on with Splunk Web by adding a domain to the SA-LDAPsearch configuration.

3. Click the Test connection button in the configuration page to confirm that the add-on can connect to the Active Directory domain you specified.

4. Once the test succeeds, click Save to save the configuration.

5. Repeat steps 1 through 4 on every search peer in the deployment, using the same domain settings and bind account as on the search head.

Modify SA-LDAPsearch to make only local queries

This option has you modify the SA-ldapsearch add-on directly to use only local queries. When you complete the modification, the add-on performs all queries from the search head, and does not attempt to distribute the queries on any search peers.

Caution: The following steps require that you make changes directly to the add-on. If you do not make the changes correctly, you might render the add-on unstable or unusable. Restricting LDAP queries to the search head only can result in degraded search performance. Upgrading the Splunk Supporting Add-on for Active Directory might reverse these changes. If you are either unsure or uncomfortable about making the changes, contact your Splunk support representative for assistance.

Modify SA-LDAPsearch on Splunk Enterprise version 6.2 and earlier

1. With a text editor, open the file $SPLUNK_HOME\etc\apps\SA-ldapsearch\default\commands.conf for editing. Splunk layers the app's local\commands.conf over default\commands.conf, so placing the same stanza names with the entry below in $SPLUNK_HOME\etc\apps\SA-ldapsearch\local\commands.conf has the same effect and is not overwritten when the add-on is upgraded.

2. In each stanza within this file, add the following entry:

local = true

3. Save the file and close it.

4. Run a search with the add-on. You should no longer receive the error message.

Modify SA-LDAPsearch on Splunk Enterprise version 6.3 or Splunk Cloud

1. With a text editor, open the file $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldapfilter.py for editing.

2. Within the file, look for one of the following lines:

Example 1:

@Configuration()

Example 2:

@Configuration(retainsevents=True)

3. Change the line so that it looks exactly like one of the following:

If you encountered Example 1:

@Configuration(local=True)

If you encountered Example 2:

@Configuration(retainsevents=True, local=True)

Note: Python is case sensitive, so the line must match exactly as shown, including the capital T in True and the comma and space that separate the arguments.

4. Save the file and close it.

5. Repeat this procedure for the following files:

  • $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldapgroup.py
  • $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldapsearch.py
  • $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldapfetch.py
  • $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldaptestconnection.py

6. Run a search with the add-on. You should no longer receive the error message.
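As an added example, not code from the Splunk add-on or from this documentation, the following Python script performs the checks and edits described in the Symptoms and Workaround sections on file contents held in memory: it tests whether a copy of ldap.conf has the [default] stanza the error message refers to, compares a search peer's ldap.conf with the search head's for the first workaround, and applies the second workaround in both of its forms, adding local = true to every commands.conf stanza and rewriting the @Configuration decorators in the five scripts listed above. The script names come from this page; the sample ldap.conf and commands.conf contents are constructed, and the caller is responsible for reading and writing the files under the paths given above, and for backing them up first.

```python
"""Offline helpers for the SA-ldapsearch distributed-stanza workaround.

Added example; not code from the Splunk add-on. Each function takes file
contents as a string and returns a result, so a caller reads and writes the
files under $SPLUNK_HOME/etc/apps/SA-ldapsearch/ itself. Samples constructed.
"""
import re

# Command scripts the page lists as carrying an @Configuration decorator.
COMMAND_SCRIPTS = ("ldapfilter.py", "ldapgroup.py", "ldapsearch.py",
                   "ldapfetch.py", "ldaptestconnection.py")

# @Configuration(...) on a line of its own. [ \t]* rather than \s* so the
# match never swallows the newline that follows the decorator.
DECORATOR_RE = re.compile(r"^([ \t]*)@Configuration\((.*)\)[ \t]*$", re.MULTILINE)


def parse_conf(text):
    """Parse Splunk .conf text into {stanza: {key: value}}.

    Minimal parser: blank lines and '#' comments are skipped, and settings
    that appear before any [stanza] header belong to 'default', as in Splunk.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            stanzas.setdefault(current or "default", {})[key.strip()] = value.strip()
    return stanzas


def has_default_stanza(ldap_conf):
    """The condition the error message complains about: is [default] present?"""
    return "default" in parse_conf(ldap_conf)


def config_differs(head_ldap_conf, peer_ldap_conf):
    """Stanzas whose settings differ between the search head and one peer.

    The first workaround needs an identical ldap.conf on every peer; an empty
    list means this peer matches the search head.
    """
    head, peer = parse_conf(head_ldap_conf), parse_conf(peer_ldap_conf)
    return sorted(s for s in set(head) | set(peer) if head.get(s) != peer.get(s))


def set_local_in_commands_conf(text):
    """Splunk 6.2 and earlier: give every commands.conf stanza 'local = true'.

    Idempotent. A stanza that already sets local has that line rewritten to
    true; otherwise the entry is appended after the stanza's last setting.
    """
    out, insert_at, has_local = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            if insert_at is not None and not has_local:
                out.insert(insert_at, "local = true")
            out.append(raw)
            insert_at, has_local = len(out), False
            continue
        if re.match(r"local\s*=", line):
            raw, has_local = "local = true", True
        out.append(raw)
        if line and not line.startswith("#") and insert_at is not None:
            insert_at = len(out)  # keep the insert point after the last setting
    if insert_at is not None and not has_local:
        out.insert(insert_at, "local = true")
    return "\n".join(out) + "\n"


def set_local_in_decorator(source):
    """Splunk 6.3 / Splunk Cloud: make each @Configuration(...) carry local=True.

    Handles both forms the page shows, @Configuration() and
    @Configuration(retainsevents=True), keeps other arguments intact and is
    idempotent. Returns (new_source, number_of_decorators_changed).
    """
    changed = 0

    def fix(match):
        nonlocal changed
        indent, args = match.group(1), match.group(2).strip()
        if re.search(r"\blocal\s*=", args):
            new_args = re.sub(r"\blocal\s*=\s*\w+", "local=True", args)
        else:
            new_args = "local=True" if not args else args + ", local=True"
        if new_args != args:
            changed += 1
        return "%s@Configuration(%s)" % (indent, new_args)

    return DECORATOR_RE.sub(fix, source), changed
```

Run set_local_in_decorator over each file in COMMAND_SCRIPTS and check that the returned count is 1 per file. A count of 0 means the decorator was already patched or did not match either of the two forms shown above; in that case inspect the file by hand rather than editing it blindly, since the commands.conf and decorator edits both live in files that an upgrade of the add-on replaces.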

Last modified on 16 December, 2015

This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 2.1.0, 2.1.1

