Platform and hardware requirements
This topic discusses the underlying requirements for running the Splunk Supporting Add-on for Active Directory.
Hardware and Operating System requirements
Hardware requirements
The Splunk Supporting Add-on for Active Directory has memory, CPU, and disk requirements that meet standard hardware requirements for the core Splunk Enterprise platform. Deploy hardware that meets or exceeds these hardware requirements.
- For additional details about Splunk Enterprise system requirements, see "System requirements" in the core Splunk Enterprise documentation.
- For information about estimating hardware requirements for a Splunk deployment, see "Introduction to capacity planning for Splunk Enterprise" in the Capacity Planning Manual.
Operating system requirements
You can install the add-on on Splunk Enterprise instances that run a supported operating system. See the list of supported Windows and *nix operating systems.
What versions of Splunk does the add-on support?
The following table provides compatibility information for the Splunk Supporting Add-on for Active Directory versions and supported Splunk platform versions.
| Compatible Splunk platform version | Compatible SA-LDAPSearch version |
|---|---|
| 7.0.x to 7.1.x | 2.1.7 |
| 7.0.x to 7.2.x | 2.1.8 |
| 7.0.x to 7.2.x | 2.2.0 |
| 7.1.x to 7.3.x | 2.2.1 |
| 7.2.x to 8.0.x | 3.0.0 |
| 7.2.x to 8.1.0 | 3.0.1 |
| 7.3.x to 8.2.0 | 3.0.2 |
| 8.0.x to 8.2.0 | 3.0.3 |
| 8.0.x to 9.0.0 | 3.0.4 |
| 8.1.x to 9.0.0 | 3.0.5 |
| 8.1.x to 9.0.x | 3.0.6 |
| 8.1.x to 9.0.x | 3.0.7 |
| 9.1.x or later | 3.0.8 |
| 9.1.x or later | 3.1.0 |
What versions of Active Directory does the add-on support?
The Splunk Supporting Add-on for Active Directory supports the following versions of Active Directory:
- Microsoft Windows Server 2016 Active Directory Domain Services
- Microsoft Windows Server 2019 Active Directory Domain Services
- Microsoft Windows Server 2022 Active Directory Domain Services
The add-on does not support AD Lightweight Directory Services (AD LDS) or other Lightweight Directory Access Protocol (LDAP) server types.
Distributed installation of this add-on
This table provides a quick reference for installing this add-on onto a distributed deployment of Splunk Enterprise.
| Splunk instance type | Supported | Required | Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | The host must have access to the domain controller for the domain or forest you want to get events from. The configurations you make must be identical across the search head and all search peers. |
| Indexers | On search peers only | Depends | If the indexer acts as a search peer, then you must install it on all indexers that act as search peers. The search peers must have access to the domain controller for the domain or forest you want to get events from. Additionally, the configurations you make must be identical across the search head and all other search peers. |
| Heavy Forwarders | Yes | No | In this configuration, you can route events from the add-on to other Splunk Enterprise instances based on the target index, or filter the data to extract only the events you want. |
| Universal Forwarders | No | No | The add-on does not perform any function when you install it on this type of Splunk instance. |
| Light Forwarders | No | No | The add-on does not perform any function when you install it on this type of Splunk instance. Also, light forwarder functionality has been deprecated and could be removed in a future version of the Splunk software. |
Enable the distributed search on on-Prem distributed environment
The custom commands ldapfilter, ldapgroup, and ldapfetch are streaming commands, which can also be executed on the indexers to reduce search time. However, this is not possible OOTB because the custom commands requires the password for the BindDN which is stored in passwords.conf, and, by default, the distributed search is disabled. To enable the distributed search on an on-Prem instance, see the following steps:
- SSH to SH's, and navigate to $SPLUNK_HOME/etc/apps/SA-ldapsearch/local.
- Create a commands.conf file.
- Add the following content to the
commands.conffile:[ldapfilter] local = false [ldapfetch] local = false [ldapgroup] local = false
- Restart Splunk.
Install the add-on on search-peers
Install the Splunk Supporting Add-on for Active Directory on all search-peers. Ensure that the changes done in the commands.conf in the previous section are also available on the search-peers. i.e (local= false).
Perform the test connection on the search-peers
See the following steps to perform the test connection for the domain on each search-peer (which are in cluster or linked):
- Open the configuration page of the SA-ldapsearch add-on and add the domain details.
- Press the test connection button and make sure it is successful. If the test connection failed, there might be an error on some SPL's.
Distributed search is not supported for Cloud Deployments.
Distributed deployment compatibility
This table provides a quick reference for the compatibility of this add-on with Splunk distributed deployment features.
| Distributed deployment feature | Supported | Comments |
|---|---|---|
| Search Head Clusters | Yes | Configure your search head cluster first, then perform an installation of the add-on. The cluster replicates the configurations. |
| Indexer Clusters | No | |
| Deployment Server | Yes | You can deploy the add-on to search heads. |
What are the other prerequisites?
| Capability | Required for |
|---|---|
| admin_all_objects | This capability is required if the user needs to configure the
LDAP domains. |
| list_settings | This capability is required if the user wants to use the LDAP search commands
on the SSL enabled domains, The Add-on requires the list_settings capability to read the sslConfig setting from the server.conf |
| list_storage_password | This capability is required If the user wants to use LDAP search commands. To configure the LDAP domain, the list_storage_password capability is required. |
| How to get support and find more information about Splunk Enterprise | Install the Splunk Supporting Add-on for Active Directory |
This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 3.1.0
Download manual
Feedback submitted, thanks!