Workaround for default configuration stanza errors in distributed environments
Troubleshoot the Splunk Supporting Add-on for Active Directory (SA-LDAPsearch) when the add-on returns an error message about a missing configuration stanza when it runs in a distributed Splunk Enterprise or Splunk Cloud environment.
In a standard Splunk Enterprise environment, SA-LDAPsearch connects to Active Directory and retrieves user records on a search head. In a distributed environment or a Splunk Cloud deployment, the add-on can be configured to distribute search commands across search peers that the search head manages.
Because SA-LDAPsearch must have direct access to the Active Directory domain controllers, any distribution of the add-on requires that the hosts you distribute the app to also have access to Active Directory. In addition, the add-on must have exactly the same configuration on the search peers that it has on the search head.
Distributed search on a cloud deployment is not supported.
Problem
When you run queries with SA-LDAPsearch in a distributed Splunk Enterprise or Splunk Cloud environment, you receive the following error message:
External search command 'ldapfilter' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing.
You might also receive a message like:
The default configuration stanza for ldap.conf is missing: HTTP 404 Not Found - Application does not exist: SA-ldapsearch
You check ldap.conf on the search head, and the [default] stanza is present.
Cause
The problem is caused by how SA-LDAPsearch handles distributed LDAP search queries. The search head distributes the LDAP search commands to its search peers, and a peer that does not have the add-on, or does not have an identical ldap.conf, cannot find the [default] stanza, so the command fails with the error above even though the stanza is present on the search head.
Workaround
Try the following troubleshooting steps to work around this problem.
For a distributed environment: Install SA-LDAPsearch on the search head and all search peers
You can install and configure SA-LDAPsearch on the search head and on every search peer. Doing so ensures that the configuration is the same across all of the peers.
This workaround is only applicable for a distributed environment.
- Install SA-LDAPsearch using Splunk Web.
- Configure the add-on with Splunk Web by adding a domain to the SA-LDAPsearch configuration.
- Click the Test connection button in the configuration page to confirm that the add-on can connect to the Active Directory domain you specified.
- Once the test succeeds, click Save to save the configuration.
- Repeat this process for all search peers in the deployment.
Modify SA-LDAPsearch to make only local queries
You can also modify the SA-LDAPsearch add-on directly to use only local queries. When you complete the modification, the add-on performs all queries from the search head and does not attempt to distribute the queries to any search peers. Use this option if you do not want to install the add-on on the search peers.
Caution: The following steps require that you make changes directly to the add-on. If you do not make the changes correctly, you might render the add-on unstable or unusable. Restricting LDAP queries to the search head only can result in degraded search performance. Upgrading the Splunk Supporting Add-on for Active Directory might reverse these changes. If you are either unsure or uncomfortable about making the changes, contact your Splunk support representative for assistance.
- Use your operating system file management tools to create $SPLUNK_HOME\etc\apps\SA-ldapsearch\local\commands.conf. The easiest way is to copy only the stanzas of $SPLUNK_HOME\etc\apps\SA-ldapsearch\default\commands.conf that are needed for your Splunk platform deployment and add them to your \local\commands.conf file.
- Use a text editor to open $SPLUNK_HOME\etc\apps\SA-ldapsearch\local\commands.conf for editing.
- In each stanza within this file, change the following entry:
  local = false
  to
  local = true
- Save the file and close it.
- Restart Splunk Enterprise on the instance.
- Run a search with the add-on. You should no longer receive the error message.
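The commands.conf edit above can be scripted and verified rather than done by hand. The following is an added example, not code from the add-on or from Splunk: it takes the text of default/commands.conf, keeps only the stanzas for the add-on's search commands named on this page, forces local = true in each, and reports any add-on stanza that would still be distributed. The sample default/commands.conf is constructed for illustration; only the stanza names and the local key are taken from this page, the other keys are placeholders.

```python
import configparser
import io

# Constructed sample of a default/commands.conf for the add-on. The stanza
# names are the search commands this page lists; the filename key is a
# standard commands.conf key, but the values here are illustrative only.
DEFAULT_COMMANDS_CONF = """\
[ldapfilter]
filename = ldapfilter.py
local = false

[ldapsearch]
filename = ldapsearch.py
local = false

[someothercmd]
filename = other.py
local = false
"""

# Search commands shipped by SA-LDAPsearch (script names given on this page).
LDAP_COMMANDS = ("ldapfilter", "ldapgroup", "ldapsearch", "ldapfetch", "ldaptestconnection")


def _parse(conf_text):
    """Parse Splunk .conf text (INI-like) and keep key case exactly as written."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(conf_text)
    return parser


def build_local_commands_conf(default_text, commands=LDAP_COMMANDS):
    """Return local/commands.conf text: only the add-on's stanzas, with local = true."""
    default = _parse(default_text)
    local = configparser.ConfigParser(interpolation=None)
    local.optionxform = str
    for name in default.sections():
        if name not in commands:
            continue  # unrelated stanzas stay in default/commands.conf untouched
        local[name] = dict(default[name])
        local[name]["local"] = "true"  # run this command on the search head only
    buf = io.StringIO()
    local.write(buf)
    return buf.getvalue()


def stanzas_not_local(conf_text, commands=LDAP_COMMANDS):
    """Add-on stanzas present in conf_text whose local setting is missing or not true."""
    conf = _parse(conf_text)
    return [n for n in commands
            if n in conf and conf[n].get("local", "false").lower() != "true"]
```

Run stanzas_not_local against the merged configuration after the restart to confirm no add-on command still has local = false.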
Modify SA-LDAPsearch on Splunk Enterprise version 6.3
- With a text editor, open the file $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldapfilter.py for editing.
- Within the file, look for one of the following lines:
  Example 1:
  @Configuration()
  Example 2:
  @Configuration(retainsevents=True)
- Change the line so that it looks exactly like one of the following:
  If you encountered Example 1:
  @Configuration(local=True)
  If you encountered Example 2:
  @Configuration(retainsevents=True, local=True)
  Note: Python is case sensitive and formatting is important. This means that the formatting must be exactly as shown here, and the T in True must be capitalized.
- Save the file and close it.
- Repeat this procedure for the following files:
  $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldapgroup.py
  $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldapsearch.py
  $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldapfetch.py
  $SPLUNK_HOME\etc\apps\SA-ldapsearch\bin\ldaptestconnection.py
- Run a search with the add-on. You should no longer receive the error message.
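Because the same decorator edit has to be repeated across five scripts, it is easy to miss one or to patch a file twice. The following is an added example, not part of the add-on: a small rewriter that adds local=True to every @Configuration(...) decorator, handles both Example 1 and Example 2 above, and leaves a decorator that already sets local alone. The sample sources are constructed stand-ins, and the class name and base class in them are placeholders.

```python
import re

# Matches a @Configuration(...) decorator line; the argument list may be empty
# (Example 1) or already contain other keyword arguments (Example 2).
_DECORATOR = re.compile(r"^([ \t]*)@Configuration\((.*?)\)[ \t]*$", re.MULTILINE)


def add_local_flag(source):
    """Return source with local=True added to each @Configuration(...) decorator.

    Idempotent: a decorator that already sets local is returned unchanged, so
    running the rewriter twice over the same file does not duplicate the flag.
    """
    def _patch(match):
        indent, args = match.group(1), match.group(2).strip()
        if re.search(r"\blocal\s*=", args):
            return match.group(0)  # already patched, keep the line as-is
        new_args = "local=True" if not args else f"{args}, local=True"
        return f"{indent}@Configuration({new_args})"
    return _DECORATOR.sub(_patch, source)


# Constructed stand-ins for the two forms the page calls Example 1 and Example 2.
EXAMPLE_1 = "@Configuration()\nclass LdapFilterCommand(object):\n    pass\n"
EXAMPLE_2 = "@Configuration(retainsevents=True)\nclass LdapFilterCommand(object):\n    pass\n"

if __name__ == "__main__":
    print(add_local_flag(EXAMPLE_1))
    print(add_local_flag(EXAMPLE_2))
```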
This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 3.1.0