Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)

Install the Splunk Supporting Add-on for Active Directory

This topic provides instructions on how to install the Splunk Supporting Add-on for Active Directory.

Where to install it

The Splunk Supporting Add-on for Active Directory is designed to be installed across a distributed Splunk platform deployment. It can be installed on:

  • Search heads
  • Search peers (indexers) when you want to distribute LDAP queries across those peers. Like the search head, the search peers must have access to Active Directory for this to work. See Install SA-LDAPsearch on the search head and all search peers in this manual for details.
  • Heavy forwarders. The Splunk Supporting Add-on for Active Directory does not perform any function when you install it on a universal or light forwarder.


Distributed deployment

Search head Search peers (Indexers) Heavy Forwarder
x x x

Standalone deployment

Search head Search peers (Indexers) Heavy Forwarder
x x

How to install it

In most situations, you can download and install the add-on by using either Splunkbase or the CLI.

Once you install it, you must then configure it.

Install the add-on from the command line

On Splunk Enterprise, you can install the add-on from the command line, using the CLI.

To install the Splunk Add-on for Windows from the command line:

1. Download the Splunk Supporting Add-on for Active Directory from Splunk Apps, if you haven't already.

Note: If you have access to the Internet and have a valid link to where the app package resides, you can use the splunk install command to install the app directly from the Internet:

> cd Program Files\Splunk\bin
> .\splunk install app http://server.com:80/files/splunk-support-for-active-directory-xxxx.tar.gz

In this case, you can then proceed to Step 3.

2. Run the splunk install CLI command:

> cd Program Files\splunk\bin
> .\splunk install app <path>\splunk-support-for-active-directory-xxxx.tar.gz
App 'sa-ldapsearch' is installed.

Note: You might have to log into your Splunk Enterprise instance before it installs the app.

3. Configure the Splunk Supporting Add-on for Active Directory.
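
Before running the install command from the steps above, the downloaded package can be checked first. The PowerShell function below is an added example, not part of the Splunk documentation: it compares the package's SHA-256 with a value you supply, checks the archive layout, and then runs the same splunk install app command. The function name, the default Splunk path and the use of tar.exe are assumptions.

```powershell
# Added example (not from the Splunk documentation): verify the package, then install it.
# Assumptions: the expected SHA-256 comes from a source you trust, tar.exe is
# available on the host, and Splunk Enterprise is in the default location.
function Install-VerifiedSplunkApp {
    param(
        [Parameter(Mandatory)] [string] $PackagePath,
        [Parameter(Mandatory)] [string] $ExpectedSha256,
        [string] $SplunkBin = 'C:\Program Files\Splunk\bin'
    )

    $PackagePath = (Resolve-Path -LiteralPath $PackagePath).Path

    # 1. Integrity: compare the file's SHA-256 with the expected value.
    $actual = (Get-FileHash -LiteralPath $PackagePath -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {   # string -ne is case-insensitive
        throw "SHA-256 mismatch for $PackagePath (got $actual)"
    }

    # 2. Archive layout: every entry must be relative, contain no '..'
    #    component, and sit under a single top-level app directory.
    $entries = @(& tar.exe -tzf $PackagePath)
    if ($LASTEXITCODE -ne 0 -or -not $entries) { throw 'Cannot list archive contents' }
    $unsafe = $entries | Where-Object {
        $_ -match '^([\\/]|[A-Za-z]:)' -or $_ -match '(^|[\\/])\.\.([\\/]|$)'
    }
    if ($unsafe) { throw "Unsafe archive entries: $($unsafe -join ', ')" }
    $top = $entries |
        ForEach-Object { (($_ -replace '^\./', '') -split '[\\/]')[0] } |
        Sort-Object -Unique
    if (@($top).Count -ne 1) {
        throw "Expected one top-level directory, found: $($top -join ', ')"
    }

    # 3. Install with the same CLI command the procedure uses.
    & (Join-Path $SplunkBin 'splunk.exe') install app $PackagePath
    if ($LASTEXITCODE -ne 0) { throw "splunk install app failed ($LASTEXITCODE)" }
}

# Example call (the hash is a placeholder; supply the published value):
# Install-VerifiedSplunkApp `
#     -PackagePath '.\splunk-support-for-active-directory-xxxx.tar.gz' `
#     -ExpectedSha256 '<SHA-256 published for this package>'
```

The function stops before the install step if either check fails, so a corrupted or altered download never reaches the Splunk apps directory.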

Install the add-on using Splunkbase

Install the Splunk Supporting Add-on for Active Directory only on full instances of Splunk Enterprise. The most common use case for this method of installation is to provide support for another app installed on the same machine. The add-on is not available for installation on universal forwarders or light forwarders.

To install the Splunk Supporting Add-on for Active Directory:

1. Download the Splunk Add-on for Windows from Splunkbase, if you haven't already.

Note: The file downloads with a .tar.gz extension. Do not attempt to run this file. You install it from within Splunk Enterprise.

2. Log into Splunk Web on the Splunk Enterprise instance on which you want to install the app.

3. Once logged in, click the App menu from the upper right menu bar, and select Manage apps...

4. On the next page, click the Install app from file button.

5. On the Upload a file screen, click Browse...

6. Locate the downloaded splunk-support-for-active-directory-xxxx.tar.gz file and click Open.

7. Click Upload.

Splunk Enterprise opens the splunk-support-for-active-directory-xxxx.tar.gz package and installs the application.

8. Click the Restart Splunk button or the link in the banner to restart Splunk.

Note: A dialog box asking you if you are sure you want to restart Splunk may appear. Click OK to restart Splunk.

9. Once Splunk restarts, click OK to return to the Splunk login page.

10. Configure the Splunk Supporting Add-on for Active Directory.


This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.2.0


Comments

Thanks! If you hunt around, most of the info is there, it just doesn't "flow".

Dfronck
January 25, 2019

Hi Dfronck,
Thanks for the feedback. I'll contact the SA-LDAPSearch team to provide more information based on your suggestions, and update the page when I hear back.

Nicolen splunk, Splunker
January 25, 2019

I must say that I agree with Sideview's comment from October 31, 2017 that "the whole page needs some holistic thinking again".

For such an important TA with a fairly complex install/configuration, this document is pretty inadequate.
Where's the info for installing on Search Head Clusters?
Where's the upgrade info?
Where's the part about needing to have this installed, but not configured, on the Indexers so you don't get errors. Oh right, it's where it belongs in the release notes under Workaround for default configuration stanza errors in distributed environments. There's also a suggestion to copy
/opt/splunk/etc/apps/SA-ldapsearch/default/commands.conf to /opt/splunk/etc/apps/SA-ldapsearch/local/commands.conf and then set all the "local = false" to "local = true" but that didn't seem to actually work when we tried it.

Anyway, I have to stop complaining now and finish my upgrades so I can take advantage of the new Splunk provided ldap3 package so searches don't take forever!

Dfronck
January 25, 2019

the "Where to install it" is somewhere between very confusing, and wrong.

the "Where to install it" title implies that the following bullet list is the list of places to install it. It's not. Note that the third bullet for HF, it actually says there's no need to install it there, and implies you should not.

Note the very next tables that summarize this for both "Distributed deployment" and "Standalone deployment" -- BOTH of them have an "x" under "Heavy forwarder". The only way to read this, is that it's saying you have to install this app on HF instances, which is not true.

Kinda feels like this got some little tactical edits as the app's requirements changed over time, and the whole page needs some holistic thinking again.

Cheers,

Sideview
October 31, 2017
