
Splunk Support for Active Directory: Passes test and returns data with OU=x,DC=x,DC=x,DC=x, but why does it fail with DC=x,DC=x,DC=x?

nwieriks
Engager

Configured SA-ldapsearch V2.0.0 with the following configuration to query a Microsoft 2008R2 Domain Controller with all service packs installed to date of posting:

ldap.conf


[default]
server = MSDC01.xxx.yyy.zzz
basedn = DC=xxx,DC=yyy,DC=zzz
binddn = CN=SplunkDAAccount,OU=Domain Admins,OU=Administration,DC=xxx,DC=yyy,DC=zzz
password =
port = 3268
ssl = false

[xxx.yyy.zzz]
basedn = DC=xxx,DC=yyy,DC=zzz
binddn = CN=SplunkDAAccount,OU=Domain Admins,OU=Administration,DC=xxx,DC=yyy,DC=zzz
password =
port = 389
server = MSDC01.xxx.yyy.zzz
ssl = false

[xxx]
alias = xxx.yyy.zzz

[DC=xxx,DC=yyy,DC=zzz]
alias = xxx.yyy.zzz


When the connection is tested it successfully returns: Result: distinguishedName: DC=xxx,DC=yyy,DC=zzz
However the Splunk App for Windows Infrastructure (1.0.4) > Active Directory > Users > User Audit (and many others) doesn't return any data when a valid user is inputted.
When the Active Directory Record - User panel is opened in search the following error is displayed:

*External search command 'ldapsearch' returned error code 1. Script output = " ERROR "KeyError at ""C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\ldapsearch.py"", line 100 : u'attributes'" " *

If the ldap.conf basedn is defined with an OU=sss in front of the DC components, as shown below, this error is not shown and the Active Directory Record - User panel returns user values. It also passes the connection test.

ldap.conf


[default]
server = MSDC01.xxx.yyy.zzz
basedn = OU=sss,DC=xxx,DC=yyy,DC=zzz
binddn = CN=SplunkDAAccount,OU=Domain Admins,OU=Administration,DC=xxx,DC=yyy,DC=zzz
password =
port = 3268
ssl = false

[xxx.yyy.zzz]
basedn = OU=sss,DC=xxx,DC=yyy,DC=zzz
binddn = CN=SplunkDAAccount,OU=Domain Admins,OU=Administration,DC=xxx,DC=yyy,DC=zzz
password =
port = 389
server = MSDC01.xxx.yyy.zzz
ssl = false

[xxx]
alias = xxx.yyy.zzz

[DC=xxx,DC=yyy,DC=zzz]
alias = xxx.yyy.zzz


Is this a known issue? Should it work with DC=? Does SA-ldapsearch require an OU= to work, and if so, how do I configure it with multiple root-level OUs?
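Added example for the question above; it is not code from the post or from SA-ldapsearch. It loads the two ldap.conf variants shown in the question, follows the alias stanzas ([xxx] and [DC=xxx,DC=yyy,DC=zzz] both point at [xxx.yyy.zzz]), and reports which stanza, port and basedn a search for a given DN would pick up, so the only difference between the working and failing configurations (the basedn prefix) is visible per stanza. How SA-ldapsearch itself selects a stanza is not documented on this page, so the selection order used here (exact stanza name, then the DC-derived domain, then [default]) and the simple comma-split DN parsing are assumptions made for illustration.

```python
"""Added example, not the add-on's own code: resolve ldap.conf alias
stanzas and show which settings a search against a DN would use.
Stanza selection order is an assumption for illustration only."""
import configparser

# Constructed copy of the first ldap.conf from the post (password left blank).
LDAP_CONF_ROOT = """\
[default]
server = MSDC01.xxx.yyy.zzz
basedn = DC=xxx,DC=yyy,DC=zzz
binddn = CN=SplunkDAAccount,OU=Domain Admins,OU=Administration,DC=xxx,DC=yyy,DC=zzz
password =
port = 3268
ssl = false

[xxx.yyy.zzz]
basedn = DC=xxx,DC=yyy,DC=zzz
binddn = CN=SplunkDAAccount,OU=Domain Admins,OU=Administration,DC=xxx,DC=yyy,DC=zzz
password =
port = 389
server = MSDC01.xxx.yyy.zzz
ssl = false

[xxx]
alias = xxx.yyy.zzz

[DC=xxx,DC=yyy,DC=zzz]
alias = xxx.yyy.zzz
"""

# The second variant in the post differs only in the basedn prefix.
LDAP_CONF_OU = LDAP_CONF_ROOT.replace("basedn = DC=", "basedn = OU=sss,DC=")


def load_conf(text):
    """Parse ldap.conf text. interpolation=None keeps '%' in passwords literal;
    a stanza named [default] is an ordinary section here, not configparser's DEFAULT."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg


def resolve_stanza(cfg, name, max_hops=8):
    """Follow 'alias = other' links until a stanza with real settings is reached.
    Raises on a missing stanza or an alias loop instead of looping forever."""
    seen = []
    while cfg.has_section(name) and cfg.has_option(name, "alias"):
        if name in seen or len(seen) >= max_hops:
            raise ValueError("alias loop or chain too long starting at %r" % seen[0])
        seen.append(name)
        name = cfg.get(name, "alias")
    if not cfg.has_section(name):
        raise KeyError("no stanza named %r" % name)
    return name


def domain_from_dn(dn):
    """Join the DC= components of a DN into a DNS-style domain name.
    Assumes a plain comma-separated DN; RFC 4514 escaped commas are not handled."""
    parts = [p.strip() for p in dn.split(",")]
    dcs = [p.split("=", 1)[1] for p in parts if p.upper().startswith("DC=")]
    return ".".join(dcs)


def settings_for_dn(cfg, dn):
    """Merged settings a search for `dn` would use (assumed order: a stanza named
    exactly like the DN, then the DC-derived domain, then [default] as fallback)."""
    settings = dict(cfg.items("default")) if cfg.has_section("default") else {}
    stanza = "default"
    for candidate in (dn, domain_from_dn(dn)):
        if candidate and cfg.has_section(candidate):
            stanza = resolve_stanza(cfg, candidate)
            break
    if stanza != "default":
        settings.update(cfg.items(stanza))
    settings["stanza"] = stanza
    return settings


def basedn_differences(text_a, text_b):
    """Map stanza -> (basedn in A, basedn in B) for every stanza whose basedn differs."""
    a, b = load_conf(text_a), load_conf(text_b)
    out = {}
    for section in sorted(set(a.sections()) | set(b.sections())):
        base_a = a.get(section, "basedn", fallback=None)
        base_b = b.get(section, "basedn", fallback=None)
        if base_a != base_b:
            out[section] = (base_a, base_b)
    return out


if __name__ == "__main__":
    for label, text in (("root basedn", LDAP_CONF_ROOT), ("OU basedn", LDAP_CONF_OU)):
        s = settings_for_dn(load_conf(text), "DC=xxx,DC=yyy,DC=zzz")
        print("%-11s -> stanza=%s port=%s basedn=%s" % (label, s["stanza"], s["port"], s["basedn"]))
    print("stanzas whose basedn differs:", basedn_differences(LDAP_CONF_ROOT, LDAP_CONF_OU))
```

Running it shows that a search for DC=xxx,DC=yyy,DC=zzz lands on the [xxx.yyy.zzz] stanza (port 389) through the alias, while a DN from an unknown domain falls through to [default] on port 3268; the difference report names exactly the two stanzas whose basedn changed between the failing and the working configuration.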

redcorjo
Explorer

I recognize that the instructions at the link provided explicitly state that it is not compatible with LDAP, only AD. It is a pity that it does not support, nor plans to support, regular LDAP on purpose.

I encourage extending the LDAP capabilities of this tool. It is a great tool, very helpful for automating reports/queries.


jcoates_splunk
Splunk Employee

I would expect this query to work, and I think you should file a ticket if the latest maintenance release doesn't work.


redcorjo
Explorer

I have exactly the same problem when using my Unix LDAP query.

distinguishedName: undefined

If I use the same app against of our Windows AD it works fine.


jcoates_splunk
Splunk Employee

Sorry that it's got a misleading folder name, but that Add-on only works with MSAD. http://docs.splunk.com/Documentation/SA-LdapSearch/latest/User/Platformandhardwarerequirements#What_...
