Configured SA-ldapsearch V2.0.0 with the following configuration to query a Microsoft 2008R2 Domain Controller with all service packs installed to date of posting:
ldap.conf
[default]
server = MSDC01.xxx.yyy.zzz
basedn = DC=xxx,DC=yyy,DC=zzz
binddn = CN=SplunkDAAccount,OU=Domain Admins,OU=Administration,DC=xxx,DC=yyy,DC=zzz
password =
port = 3268
ssl = false
[xxx.yyy.zzz]
basedn = DC=xxx,DC=yyy,DC=zzz
binddn = CN=SplunkDAAccount,OU=Domain Admins,OU=Administration,DC=xxx,DC=yyy,DC=zzz
password =
port = 389
server = MSDC01.xxx.yyy.zzz
ssl = false
[xxx]
alias = xxx.yyy.zzz
[DC=xxx,DC=yyy,DC=zzz]
alias = xxx.yyy.zzz
When the connection is tested it successfully returns: Result: distinguishedName: DC=xxx,DC=yyy,DC=zzz
However, the Splunk App for Windows Infrastructure (1.0.4) > Active Directory > Users > User Audit (and many others) doesn't return any data when a valid user is inputted.
When the Active Directory Record - User panel is opened in search the following error is displayed:
External search command 'ldapsearch' returned error code 1. Script output = " ERROR "KeyError at ""C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\ldapsearch.py"", line 100 : u'attributes'" "
If the ldap.conf basedn is defined with an OU=sss in front of the basedn as shown below, this error is not shown and the Active Directory Record - User panel returns user values. It also passes the connection test.
ldap.conf
[default]
server = MSDC01.xxx.yyy.zzz
basedn = OU=sss,DC=xxx,DC=yyy,DC=zzz
binddn = CN=SplunkDAAccount,OU=Domain Admins,OU=Administration,DC=xxx,DC=yyy,DC=zzz
password =
port = 3268
ssl = false
[xxx.yyy.zzz]
basedn = OU=sss,DC=xxx,DC=yyy,DC=zzz
binddn = CN=SplunkDAAccount,OU=Domain Admins,OU=Administration,DC=xxx,DC=yyy,DC=zzz
password =
port = 389
server = MSDC01.xxx.yyy.zzz
ssl = false
[xxx]
alias = xxx.yyy.zzz
[DC=xxx,DC=yyy,DC=zzz]
alias = xxx.yyy.zzz
Is this a known issue? Should it work with DC=? Does SA-ldapsearch require an OU= to work, and if so, how do I configure it with multiple root-level OUs?
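One possible reading of the KeyError on u'attributes' reported above, as an added example that is not SA-ldapsearch's code and is not confirmed anywhere in this thread: a subtree search based at a domain root can return referral items alongside entries, and a loop that indexes 'attributes' on every item fails on them, while a search based at an OU returns only entries. The response shape (modelled on the python ldap3 library), the sample items and the function names are assumptions constructed for illustration.

```python
# Constructed sample shaped like the python ldap3 library's connection.response
# for a subtree search based at a domain root (placeholder names from the post).
SAMPLE_RESPONSE = [
    {"type": "searchResEntry",
     "dn": "CN=jdoe,OU=sss,DC=xxx,DC=yyy,DC=zzz",
     "attributes": {"sAMAccountName": "jdoe", "displayName": "John Doe"}},
    # Referral to another naming context: carries 'uri', has no 'attributes'.
    {"type": "searchResRef",
     "uri": ["ldap://DomainDnsZones.xxx.yyy.zzz/DC=DomainDnsZones,DC=xxx,DC=yyy,DC=zzz"]},
    {"type": "searchResRef",
     "uri": ["ldap://xxx.yyy.zzz/CN=Configuration,DC=xxx,DC=yyy,DC=zzz"]},
]


def naive_rows(response):
    """Index 'attributes' on every item; raises KeyError on a referral."""
    return [dict(item["attributes"], dn=item["dn"]) for item in response]


def split_response(response):
    """Return (rows, referral_uris) so referrals stay visible instead of crashing."""
    rows, referrals = [], []
    for item in response:
        kind = item.get("type")
        if kind == "searchResEntry":
            rows.append(dict(item.get("attributes", {}), dn=item.get("dn")))
        elif kind == "searchResRef":
            referrals.extend(item.get("uri", []))
        # Any other message type is ignored in this sketch.
    return rows, referrals


def demo():
    """Run both loops over the constructed sample and report what happened."""
    try:
        naive_rows(SAMPLE_RESPONSE)
        failure = None
    except KeyError as exc:
        failure = exc.args[0]
    rows, referrals = split_response(SAMPLE_RESPONSE)
    return failure, rows, referrals


if __name__ == "__main__":
    failure, rows, referrals = demo()
    print("naive loop failed on key:", failure)
    print("entries:", rows)
    print("referrals not followed:", referrals)
```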
I recognize that the instructions at the link provided are explicit in stating that it is not compatible with LDAP, only AD. It is a pity that it does not support, nor plan to support, regular LDAP on purpose.
I encourage extending the LDAP capabilities of this tool. It is a great tool, very helpful for automating reports/queries.
I would expect this query to work, and I think you should file a ticket if the latest maintenance release doesn't work.
I have exactly the same problem when using my Unix LDAP query.
distinguishedName: undefined
If I use the same app against our Windows AD it works fine.
Sorry that it's got a misleading folder name, but that Add-on only works with MSAD. http://docs.splunk.com/Documentation/SA-LdapSearch/latest/User/Platformandhardwarerequirements#What_...