Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)

This documentation does not apply to the most recent version of Splunk® Supporting Add-on for Active Directory. For documentation on the most recent version, go to the latest release.

Install the Splunk Supporting Add-on for Active Directory

This topic provides instruction on how to install the Splunk Supporting Add-on for Active Directory.

Where to install it

The Splunk Supporting Add-on for Active Directory is designed to be installed across a distributed Splunk platform deployment. It can be installed on:

  • Search heads
  • Search peers when you want to distribute LDAP queries across those peers. Like the search head, the search peers must have access to Active Directory for this to work. If your indexers act as search peers, install the add-on on the indexers. See Install SA-LDAPsearch on the search head and all search peers in this manual for details.
  • Heavy forwarders. The Splunk Supporting Add-on for Active Directory does not perform any function when you install it on a universal or light forwarder.


Distributed deployment

Search head Search peers (Indexers) Heavy Forwarder
x x

Standalone deployment

Search head Search peers (Indexers) Heavy Forwarder
x

In a distributed deployment, install SA-LDAPSearch on the indexer to avoid the following errors:

External search command 'ldapfilter' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing.
The default configuration stanza for ldap.conf is missing: HTTP 404 Not Found - Application does not exist: SA-ldapsearch

How to install it

In most situations, you can download and install the add-on by using either Splunkbase or the CLI.

Once you install it, you must then configure it.

Install the add-on from the command line

On Splunk Enterprise, you can install the add-on from the command line, using the CLI.

To install the Splunk Add-on for Windows from the command line:

1. Download the Splunk Supporting Add-on for Active Directory from Splunk Apps, if you haven't already.

Note: If you have access to the Internet and have a valid link to where the app package resides, you can use the splunk install command to install the app directly from the Internet:

> cd Program Files\Splunk\bin
> .\splunk install http://server.com:80/files/splunk-support-for-active-directory-xxxx.tar,gz

In this case, you can then proceed to Step 3.

2. Run the splunk install CLI command:

> cd Program Files\splunk\bin
> .\splunk install app <path>\splunk-support-for-active-directory-xxxx.tar.gz
App 'sa-ldapsearch' is installed.

Note: You might have to log into your Splunk Enterprise instance before it installs the app.

3. Configure the Splunk Supporting Add-on for Active Directory.

Install the add-on using Splunkbase

Install the Splunk Supporting add-on for Active Directory only on full instances of Splunk Enterprise. The most common use case for this method of installation is to provide support for another app installed on the same machine. The add-on is not available for installation on universal forwarders or light forwarders.

To install the Splunk Supporting Add-on for Active Directory:

  1. Download the Splunk Supporting Add-on for Active Directory from Splunkbase, if you haven't already.
    The file downloads with a .tar.gz extension. Do not run this file.
  2. Log into Splunk Web on the Splunk Enterprise instance on which you want to install the app.
  3. Once logged in, click 'App from the menu bar.
  4. Click Manage apps...
  5. On the next page, click the Install app from file button.
  6. On the upload screen, click Browse...
  7. Select the downloaded splunk-support-for-active-directory-xxxx.tar.gz file.
  8. Click Open.
  9. Click Upload.
    Splunk Enterprise opens the splunk-support-for-active-directory-xxxx.tar.gz package and installs the application.
  10. Click the Restart Splunk button or the link in the banner to restart Splunk.
  11. A dialog box asking you if you are sure you want to restart Splunk may appear. Click OK to restart Splunk.
  12. Once Splunk restarts, click OK to return to the Splunk login page.
  13. Configure the Splunk Supporting Add-on for Active Directory.


Install the Splunk Supporting Add-on for Active Directory on the deployer

  1. In a web browser, proceed to the Splunk Supporting Add-on for Active Directory.
  2. Click the download link to begin the download process. You might need to sign in with your Splunk account before the download starts.
  3. When prompted, choose an accessible location on your deployment server to save the download. Do not attempt to run the download.
  4. Use an archive utility such as WinZip or tar to unarchive the file to the %SPLUNK_HOME%/etc/shcluster/apps directory on the deployer.
  5. Run the following command to push the changed configurations to the members:
%SPLUNK_HOME%/bin/splunk apply shcluster-bundle -target https://<SH_IP>:<management_port>

"Don't configure the add-on using the UI on the deployer if you want to push configurations to search head cluster."

Last modified on 18 July, 2024
Platform and hardware requirements   Configure the Splunk Supporting Add-on for Active Directory

This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 3.0.8


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters