The ldap.conf configuration file
Beginning with version 2.0.1, the Splunk Supporting Add-on for Active Directory no longer allows configuration through ldap.conf. Use the Configuration page to make edits to the add-on configuration.
When you upgrade from a previous version, the add-on saves the contents of your ldap.conf into the new configuration format (storage passwords).
The following text remains for reference only. The one exception is Base64-encoded attributes: to use them, you can still edit the ldap.conf file and prepend the attribute value with {64}.
The ldap.conf configuration file
Within the file is a series of stanzas, one for each domain that you need to monitor. When configuring ldap.conf, remember to configure both the "DNS-style" and the "NetBIOS-style" names for each Active Directory domain.
There are two forms of stanza in ldap.conf.
Informational stanza
The informational stanza specifies all the information necessary to connect to the domain. Here is an example:
```
[spl.com]
server = 192.168.50.1,192.168.50.2
port = 636
ssl = true
basedn = dc=spl,dc=com
binddn = cn=Splunk Searcher,cn=Users,dc=spl,dc=com
password = {64}u9435tr8ujtgfnkjscc
alternatedomain = SPL
```
The valid attributes for the informational stanza are:
Attribute | Description | Default
---|---|---
server=<server1>,<server2>;… | Specifies the server or servers you want to connect to. Separate multiple servers with commas. | n/a
port | Specifies the LDAP port on the servers that you want to connect to. | 636 (when ssl is true)
ssl=true/false | Specifies whether or not to use Secure Sockets Layer for communications. | false
basedn | Specifies the LDAP base Distinguished Name to use when connecting. | n/a
binddn | Specifies the LDAP binding Distinguished Name (the user account) to use when connecting. | n/a
password (deprecated) | Specifies the password for the user that you specified in binddn. Allows for a cleartext password or a Base-64-encoded password when prefaced with the string {64}. | n/a
alternatedomain | Specifies the NetBIOS domain that this domain represents. | n/a
decode | Specifies whether or not the add-on uses Active Directory formatting extensions. Set to true to enable formatting extensions, and false to disable them. Do not set this attribute unless you understand the ramifications of doing so. | true
paged_size | Specifies the number of entries to return in a single page of LDAP search results. Do not set this attribute unless you understand the ramifications of doing so. | 1000
Specify multiple servers
You can specify multiple servers by including a list of hosts separated by commas. In this case, SA-ldapsearch uses the fastest available connection, so the server that SA-ldapsearch uses might vary from command to command. You can turn on debug mode to find out which server a particular command uses. Once a command has started on a server, it uses that server until it completes.
The port and ssl parameters are optional. If you do not specify them, SA-ldapsearch uses port 389 and no SSL by default.
SA-ldapsearch uses SSL only for encryption and not for authentication: it trusts all server-side SSL certificates.
The bind Distinguished Name (binddn attribute) is a user within the domain you want to monitor. It must be a user that has at least read access to all attributes and entries that you want to read with any application that uses it.
Base64-encode attributes for added security
The password attribute should be set to the password for the user specified in the binddn attribute. You can use a plain text password, or a Base64-encoded one by specifying {64} before the password.
Any attribute can be encoded as Base64, including the binddn attribute. If your binddn has a special character in it, use Base64 encoding to store it.
Note: If you want to Base64-encode an attribute, you must use a Base64 encoder to encode the entry for that attribute, and then assign the attribute with the results, preceded by {64}. Simply placing the {64} qualifier before the plain text value will not work.
'Default' stanza
To support context lookups in the "ldapfetch" command, you will also need a "default" stanza that lists a forest-level Global Catalog server by its IP address. In this case, you must specify the port to the Global Catalog. Following is an example:
```
[default]
server = 172.20.1.2
port = 3268
```
The Splunk Supporting Add-on for Active Directory has been tested to work with up to 100 domains. However, there is no built-in limit on the number of domains that the add-on can support.
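The following Python script is an added example, not code from the add-on or from Splunk. It ties together the informational-stanza attributes and defaults from the table above, the {64} Base64 convention, and the default stanza's Global Catalog port: it parses an ldap.conf-style text, applies the documented defaults (port 636 when ssl is true, 389 otherwise; decode true; paged_size 1000), decodes any {64}-prefixed value, refuses a value that merely has {64} placed in front of plain text, and flags stanzas that lack the NetBIOS-style alternatedomain name. The sample configuration, the domain names, the bind account and the password in it are constructed for the example; the function names and the `DomainConfig` class are this example's own.

```python
import base64
import binascii
import configparser
from dataclasses import dataclass
from typing import Dict, List, Optional

B64_PREFIX = "{64}"


def encode_attribute(value: str) -> str:
    """Base64-encode a value and prepend the {64} marker that ldap.conf expects."""
    return B64_PREFIX + base64.b64encode(value.encode("utf-8")).decode("ascii")


def decode_attribute(raw: str) -> str:
    """Return the cleartext of an attribute, decoding it when it carries {64}.

    validate=True rejects characters outside the Base64 alphabet, so a value that
    is just "{64}" glued onto plain text (e.g. "{64}s3cret!pass") raises instead of
    silently producing garbage. A plain-text value made only of Base64 alphabet
    characters cannot be detected this way; that is why the page insists on
    running a real encoder first.
    """
    if not raw.startswith(B64_PREFIX):
        return raw
    payload = raw[len(B64_PREFIX):]
    try:
        return base64.b64decode(payload, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"value is marked {B64_PREFIX} but is not valid Base64: {payload!r}") from exc


@dataclass
class DomainConfig:
    name: str
    servers: List[str]
    port: int
    ssl: bool
    basedn: Optional[str]
    binddn: Optional[str]
    password: Optional[str]
    alternatedomain: Optional[str]
    decode: bool = True
    paged_size: int = 1000


def _decoded(section: configparser.SectionProxy, key: str) -> Optional[str]:
    raw = section.get(key)
    return decode_attribute(raw) if raw is not None else None


def parse_ldap_conf(text: str) -> Dict[str, DomainConfig]:
    """Parse ldap.conf stanzas into DomainConfig objects with the documented defaults."""
    # default_section is renamed so that a literal [default] stanza is an ordinary section.
    cp = configparser.ConfigParser(interpolation=None, default_section="__unused__")
    cp.read_string(text)
    domains: Dict[str, DomainConfig] = {}
    for name in cp.sections():
        s = cp[name]
        servers = [h.strip() for h in s.get("server", "").split(",") if h.strip()]
        if not servers:
            raise ValueError(f"[{name}] has no server attribute")
        if name == "default" and "port" not in s:
            raise ValueError("[default] must name the Global Catalog port explicitly")
        ssl = s.getboolean("ssl", fallback=False)
        port = s.getint("port", fallback=636 if ssl else 389)  # table default, else 389
        domains[name] = DomainConfig(
            name=name, servers=servers, port=port, ssl=ssl,
            basedn=_decoded(s, "basedn"), binddn=_decoded(s, "binddn"),
            password=_decoded(s, "password"), alternatedomain=_decoded(s, "alternatedomain"),
            decode=s.getboolean("decode", fallback=True),
            paged_size=s.getint("paged_size", fallback=1000),
        )
    return domains


def missing_alternatedomain(domains: Dict[str, DomainConfig]) -> List[str]:
    """Domain stanzas (not [default]) that lack the NetBIOS-style name the page asks for."""
    return [n for n, d in domains.items() if n != "default" and not d.alternatedomain]


# Constructed sample configuration; the binddn is stored Base64-encoded because it
# contains a space, and the password is Base64-encoded as the page recommends.
SAMPLE_LDAP_CONF = f"""
[default]
server = 172.20.1.2
port = 3268

[spl.com]
server = 192.168.50.1,192.168.50.2
port = 636
ssl = true
basedn = dc=spl,dc=com
binddn = {encode_attribute("cn=Splunk Searcher,cn=Users,dc=spl,dc=com")}
password = {encode_attribute("s3cret!pass")}
alternatedomain = SPL

[child.spl.com]
server = 192.168.60.1
basedn = dc=child,dc=spl,dc=com
binddn = cn=reader,cn=Users,dc=child,dc=spl,dc=com
password = plaintextpw
"""

if __name__ == "__main__":
    cfg = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for d in cfg.values():
        print(f"[{d.name}] servers={d.servers} port={d.port} ssl={d.ssl} binddn={d.binddn!r}")
    print("stanzas without alternatedomain:", missing_alternatedomain(cfg))
```

Running the script prints each stanza with its effective port and ssl setting and lists child.spl.com as the stanza missing its NetBIOS-style name. Because the bind DN in the sample is decoded before use, a DN containing spaces or other special characters round-trips intact, which is the reason the page suggests Base64 for such values.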
This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 3.0.8