Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)



This documentation does not apply to the most recent version of Splunk® Supporting Add-on for Active Directory. For documentation on the most recent version, go to the latest release.

Workaround for default configuration stanza errors in distributed environments

Troubleshoot the Splunk Supporting Add-on for Active Directory (SA-LDAPsearch) when it runs in a distributed Splunk Enterprise or Splunk Cloud environment and returns an error message about a missing configuration stanza.

In a standard Splunk Enterprise environment, SA-LDAPsearch connects to Active Directory and retrieves user records on a search head. In a distributed environment or a Splunk Cloud deployment, the add-on can be configured to distribute search commands across search peers that the search head manages.

Because SA-LDAPsearch must have direct access to the Active Directory domain controllers, any distribution of the add-on requires that the hosts you distribute it to also have network access to Active Directory. In addition, the add-on must have exactly the same configuration on the search peers as it has on the search head.

Problem

When you run queries with SA-LDAPsearch in a distributed Splunk Enterprise or Splunk Cloud environment, you receive the following error message:

External search command 'ldapfilter' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing.

You might also receive a message like:

The default configuration stanza for ldap.conf is missing: HTTP 404 Not Found - Application does not exist: SA-ldapsearch

You check ldap.conf on the search head, and the [default] stanza is present.

Cause

The problem is caused by how SA-LDAPsearch handles distributed LDAP search queries. The search head sends the add-on's search commands to its search peers along with the search. If a peer does not have the add-on installed, or does not have the same ldap.conf as the search head, the command runs on that peer without a [default] stanza to read and the peer returns the error. The second form of the message, which reports that the SA-ldapsearch application does not exist, is the same failure on a peer that has no copy of the add-on at all. The ldap.conf on the search head is correct; the missing stanza is on the peer.

Workaround

Try the following troubleshooting steps to work around this problem.

For a distributed environment: Install SA-LDAPsearch on the search head and all search peers

Install and configure SA-LDAPsearch on the search head and on every search peer, so that the add-on and its configuration are identical everywhere the search commands can run.

This workaround applies only to a distributed environment, and only where the search peers can reach the Active Directory domain controllers.

  1. Install SA-LDAPsearch using Splunk Web.
  2. Configure the add-on with Splunk Web by adding a domain to the SA-LDAPsearch configuration.
  3. Click the Test connection button in the configuration page to confirm that the add-on can connect to the Active Directory domain you specified.
  4. Once the test succeeds, click Save to save the configuration.
  5. Repeat this process for all search peers in the deployment.

Modify SA-LDAPsearch to make only local queries

You can also modify the SA-ldapsearch add-on directly to use only local queries. When you complete the modification, the add-on performs all queries from the search head, and does not attempt to distribute the queries on any search peers. Use this option if you do not want to install the add-on into the search peers.

Caution: The following steps require changes to the add-on itself. If you make them incorrectly, you might render the add-on unstable or unusable. Restricting LDAP queries to the search head alone can degrade search performance. Upgrading the Splunk Supporting Add-on for Active Directory might reverse these changes: an upgrade replaces the files in the add-on's default and bin directories, while settings in its local directory are preserved. If you are unsure or uncomfortable about making the changes, contact your Splunk support representative for assistance.

  1. Use your operating system file management tools to create $SPLUNK_HOME\etc\apps\SA-ldapsearch\local\commands.conf. The easiest way is to copy only the stanzas from $SPLUNK_HOME\etc\apps\SA-ldapsearch\default\commands.conf that your Splunk platform deployment needs into the new local\commands.conf file.
  2. Use a text editor to open $SPLUNK_HOME\etc\apps\SA-ldapsearch\local\commands.conf for editing.
  3. In each stanza within this file, change the entry

     local = false

     to

     local = true

  4. Save the file and close it.
  5. Restart Splunk Enterprise on the instance.
  6. Run a search with the add-on. You should no longer receive the error message.
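The following script is added here as a worked example of the steps above; it is not part of the add-on or of Splunk. It reads a copy of default/commands.conf, keeps only the stanzas you name, sets local = true in each (adding the key if a stanza lacks it), refuses to continue if a named stanza is missing, and provides a check you can run against the finished local/commands.conf. The stanza names are an assumption taken from the command script names that appear on this page (ldapsearch, ldapfilter, ldapfetch, ldapgroup, ldaptestconnection), and the embedded default/commands.conf is constructed for illustration rather than copied from the add-on.

```python
"""Build local/commands.conf for SA-ldapsearch with local = true in every stanza.

Added example, not part of the add-on. Stanza names are assumed to match the
command script names on this page; the sample default/commands.conf below is
constructed for illustration and is not the add-on's real file.
"""
import re
import sys

# Commands whose stanzas belong in local/commands.conf (assumed names).
LDAP_COMMANDS = ("ldapsearch", "ldapfilter", "ldapfetch",
                 "ldapgroup", "ldaptestconnection")

# Constructed stand-in for default/commands.conf. The unrelated stanza at the
# end shows that only the wanted stanzas are copied into the local file.
SAMPLE_DEFAULT_COMMANDS_CONF = """\
[ldapsearch]
filename = ldapsearch.py
local = false

[ldapfilter]
filename = ldapfilter.py
local = false

[ldapfetch]
filename = ldapfetch.py
local = false

[ldapgroup]
filename = ldapgroup.py
local = false

[ldaptestconnection]
filename = ldaptestconnection.py
local = false

[unrelatedcommand]
filename = unrelated.py
local = false
"""

STANZA_RE = re.compile(r"^\[(.+)\]$")


def parse_stanzas(conf_text):
    """Return {stanza_name: [setting lines]}; blank lines and comments dropped."""
    stanzas = {}
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = STANZA_RE.match(line)
        if match:
            current = match.group(1)
            stanzas.setdefault(current, [])
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def make_local_commands_conf(default_text, wanted=LDAP_COMMANDS):
    """Copy the wanted stanzas from default_text and force local = true in each.

    A missing stanza raises ValueError, so a typo in a command name cannot
    silently leave that command distributed to the search peers.
    """
    stanzas = parse_stanzas(default_text)
    missing = [name for name in wanted if name not in stanzas]
    if missing:
        raise ValueError("stanzas missing from default commands.conf: "
                         + ", ".join(missing))
    out = []
    for name in wanted:
        out.append("[%s]" % name)
        saw_local = False
        for setting in stanzas[name]:
            key = setting.partition("=")[0].strip().lower()
            if key == "local":
                setting = "local = true"   # the one change this workaround makes
                saw_local = True
            out.append(setting)
        if not saw_local:                  # stanza had no local key at all
            out.append("local = true")
        out.append("")
    return "\n".join(out)


def local_settings(conf_text, wanted=LDAP_COMMANDS):
    """Return {command: bool} telling whether each stanza ends up with local = true."""
    stanzas = parse_stanzas(conf_text)
    result = {}
    for name in wanted:
        value = None
        for setting in stanzas.get(name, []):
            key, _, val = setting.partition("=")
            if key.strip().lower() == "local":
                value = val.strip().lower()
        result[name] = (value == "true")
    return result


if __name__ == "__main__":
    # Usage: python make_local_commands.py default/commands.conf > local/commands.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEFAULT_COMMANDS_CONF
    sys.stdout.write(make_local_commands_conf(text))
```

Point the script at your own default\commands.conf and redirect its output to local\commands.conf, then restart Splunk Enterprise as in step 5. Because Splunk layers an app's local settings over its default settings key by key, the local file strictly needs only the local = true line under each stanza; copying the whole stanza, as the steps above describe, produces the same effective configuration.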

Modify SA-LDAPsearch on Splunk Enterprise version 6.3

  1. With a text editor, open the file $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldapfilter.py for editing.
  2. Within the file, look for one of the following lines:

     Example 1:

     @Configuration()

     Example 2:

     @Configuration(retainsevents=True)

  3. Change the line so that it looks exactly like one of the following:

     If you encountered Example 1:

     @Configuration(local=True)

     If you encountered Example 2:

     @Configuration(retainsevents=True, local=True)

     Note: Python is case sensitive and formatting is important. The line must be formatted exactly as shown here, including the capital T in True.

  4. Save the file and close it.
  5. Repeat this procedure for the following files:
     • $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldapgroup.py
     • $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldapsearch.py
     • $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldapfetch.py
     • $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldaptestconnection.py
  6. Run a search with the add-on. You should no longer receive the error message.
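The edit above is mechanical and easy to get wrong by hand, so the following script is added here as an example of applying it; it is not part of the add-on or the Splunk SDK. It rewrites both decorator forms shown above, sets an existing local argument to True instead of adding a second one, leaves an already-correct line untouched so it can be re-run after an upgrade, and reports which of the five files it changed. SAMPLE_SOURCE is a constructed stand-in for a command script, not the add-on's code, and the fallback SPLUNK_HOME path of /opt/splunk is an assumption.

```python
"""Add local=True to the @Configuration decorator of SA-ldapsearch command scripts.

Added example, not part of the add-on. The two decorator forms and the five
script names come from the procedure on this page; SAMPLE_SOURCE is constructed.
"""
import os
import re
import sys

# Scripts named in the procedure above, relative to the add-on's bin directory.
COMMAND_SCRIPTS = ("ldapfilter.py", "ldapgroup.py", "ldapsearch.py",
                   "ldapfetch.py", "ldaptestconnection.py")

# Constructed stand-in for a command script using the Example 2 decorator form.
SAMPLE_SOURCE = """\
from splunklib.searchcommands import Configuration, StreamingCommand

@Configuration(retainsevents=True)
class ConstructedCommand(StreamingCommand):
    pass
"""

# Matches one whole decorator line. [ \t]* rather than \s* so that a blank
# line following the decorator is not swallowed by the match.
DECORATOR_RE = re.compile(r"^([ \t]*)@Configuration\((.*)\)[ \t]*$", re.MULTILINE)
LOCAL_ARG_RE = re.compile(r"\blocal\s*=\s*\w+")


def add_local_to_configuration(source):
    """Return (new_source, changed).

    @Configuration()                   -> @Configuration(local=True)
    @Configuration(retainsevents=True) -> @Configuration(retainsevents=True, local=True)
    An existing local=... argument is set to True; a line that is already
    correct is left as is, so running this twice changes nothing.
    """
    def rewrite(match):
        indent, args = match.group(1), match.group(2).strip()
        if LOCAL_ARG_RE.search(args):
            args = LOCAL_ARG_RE.sub("local=True", args)
        elif args:
            args = args + ", local=True"
        else:
            args = "local=True"
        return "%s@Configuration(%s)" % (indent, args)

    new_source = DECORATOR_RE.sub(rewrite, source)
    return new_source, new_source != source


def decorator_is_local(source):
    """True if source has at least one @Configuration decorator and all carry local=True."""
    decorators = DECORATOR_RE.findall(source)
    return bool(decorators) and all(
        re.search(r"\blocal\s*=\s*True\b", args) for _, args in decorators)


def patch_script(path):
    """Rewrite one script in place; return True if the file was modified."""
    with open(path) as handle:
        original = handle.read()
    patched, changed = add_local_to_configuration(original)
    if changed:
        with open(path, "w") as handle:
            handle.write(patched)
    return changed


if __name__ == "__main__":
    # Usage: SPLUNK_HOME=/opt/splunk python patch_ldap_decorators.py
    bin_dir = os.path.join(os.environ.get("SPLUNK_HOME", "/opt/splunk"),
                           "etc", "apps", "SA-ldapsearch", "bin")
    for name in COMMAND_SCRIPTS:
        path = os.path.join(bin_dir, name)
        status = "patched" if patch_script(path) else "already local"
        sys.stdout.write("%s: %s\n" % (path, status))
```

Run it with SPLUNK_HOME set to your installation, then run a search with the add-on as in step 6. Because it leaves correct files alone, you can run it again after upgrading the add-on to restore the change if the upgrade replaced the scripts.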
Last modified on 28 April, 2020

This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.2.0, 2.2.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3

