Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)

This documentation does not apply to the most recent version of Splunk® Supporting Add-on for Active Directory. For documentation on the most recent version, go to the latest release.

The ldap.conf configuration file

Beginning with version 2.0.1, the Splunk Supporting Add-on for Active Directory no longer allows configuration though ldap.conf. Use the Configuration page to make edits to the add-on configuration.

When you upgrade from a previous version, the add-on saves your ldap.conf into the new configuration format (storage passwords).

The following text remains for reference only. However, to use the Base64-encode attributes, the ldap.conf file can be edited to prepend the attribute value with {64}.

The ldap.conf configuration file

Within the file are a series of stanzas - one for each domain that you need to monitor. When configuring ldap.conf, remember to configure both the "DNS-style" and the "NetBIOS-style" names for each Active Directory domain.

There are two forms of stanza in ldap.conf.

Informational stanza

The informational stanza specifies all the information necessary to connect to the domain. Here is an example:

[spl.com]
server = 192.168.50.1,192.168.50.2
port = 636
ssl = true
basedn = dc=spl,dc=com
binddn = cn=Splunk Searcher,cn=Users,dc=spl,dc=com
password = {64}u9435tr8ujtgfnkjscc
alternatedomain = SPL

The valid attributes for the informational stanza are:

Attribute Description Default
server=<server1>,<server2>;… Specifies the server or servers you want to connect to. Separate multiple servers with commas. n/a
port Specifies the LDAP port on the servers that you want to connect. 636 (when ssl is true)

389 (when ssl is false)

ssl=true/false Specifies whether or not to use Secure Sockets Layer for communications. false
basedn Specifies the LDAP base Distinguished Name to use when connecting. n/a
binddn Specifies the LDAP binding Distinguished Name (the user account) to use when connecting. n/a
password (deprecated) Specifies the password for the user that you specified in binddn. Allows for a cleartext password or a Base-64-encoded password when prefaced with the string {64}. n/a
alternatedomain Specifies the NetBIOS domain that this domain represents. n/a
decode Specifies whether or not the add-on uses Active Directory formatting extensions. Set to true to enable formatting extensions, and false to disable them. Do not set this attribute unless you understand the ramifications of doing so. true
paged_size Specifies the number of entries to return in a single page of LDAP search results. Do not set this attribute unless you understand the ramifications of doing so. 1000

Specify multiple servers

You can specify multiple servers by including a list of hosts separated by commas. In this case, SA-ldapsearch uses the fastest available connection. In this case, the server that SA-ldapsearch uses might vary from command to command. You can turn on debug mode to find out which server a particular command uses. Once a command has started on a server, it uses that server until it completes.

The port and ssl parameters are optional. If you do not specify them, SA-ldapsearch uses port 389 and no SSL by default. SA-ldapsearch uses SSL only for encryption and not for authentication. SA-ldapsearch trusts all server side SSL certificates.

The bind Distinguished Name (binddn attribute) is a user within the domain you want to monitor. It must be a user that has at least read access to all attributes and entries that you want to read with any application that uses it.

Base64-encode attributes for added security

The password attribute should be set to the password for the user specified in the binddn attribute. You can use a plain text password, or a base64-encoded one by specifying {64} before the password.

Any attribute can be encoded as Base-64, including the binddn attribute. If your binddn has a special character in it, then use Base-64 encoding to store it.

Note: If you want to base64-encode an attribute, you must use a base-64 encoder to encode the entry for that attribute, and then assign the attribute with the results, preceded by {64}. Simply placing the {64} qualifier before the plain text value will not work.

'Default' stanza

To support context lookups in the "ldapfetch" command, you will also need a "default" stanza that lists a forest-level Global Catalog server by its IP address. In this case, you must specify the port to the Global Catalog. Following is an example:

[default]
server = 172.20.1.2
port = 3268

The Splunk Supporting Add-on for Active Directory has been tested to work with up to 100 domains. However, there is no built-in limit on the number of domains that the add-on can support.

Last modified on 16 March, 2023
Troubleshoot the Splunk Supporting Add-on for Active Directory   Data and source types for the Splunk Supporting Add-on for Active Directory

This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 3.0.7


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters