All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Support for Active Directory: "ERROR The default configuration stanza for ldap.conf is missing." using ldapfetch in a distributed search environment

bleinfelder
Path Finder
‎10-14-2015 03:22 AM

Hi there,

I installed SA-ldapsearch as decsribed in the docs on the search head in my distributed environment. When I run a simple ldapsearch, everything works just fine.

Now I want to query stuff from my indexers and feed the results into ldapfetch (idea: find windows groups in a log and use ldapfetch to find the members of that group).

Search head and indexers run on different machines.

I get the following errors from my indexers:

[map]: [PRDS0052] External search command 'ldapfetch' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing. "
[map]: [PRDS0053] External search command 'ldapfetch' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing. "

How can I prevent the ldap command from run on the indexers? For the lookup command, there is a "local" attribute. I cannot find sth like that in ldapfetch.

Any idea?

Best,

Bernd

Reply

sarmstrong_splu
Splunk Employee
Splunk Employee
‎11-30-2015 07:40 AM

Assuming that (1) you're on Splunk 6.3 and (2) the SH has got access to ActiveDirectory this problem is easily solved by a one line change to each of the files: sa-ldapsearch/bin/
{ldapfilter.py,ldapgroup.py,ldapsearch.py,ldapfetch.py, ldaptestconnection.py}

Here’s the change to make in each file:
Change this:

@Configuration()

to:

@Configuration(local=True)

[If you already have something within the ()'s, just add the local=True to what's already there.]

If you’re running on Splunk 6.2 or lower, you should add this line to each stanza in sa-ldapsearch/default/command.conf:
local = true

Save the files and restart the Splunk instance on the Search Head(s). Retest to verify the workaround worked.

Reply

Michael
Contributor
‎10-25-2017 07:55 AM

Thank you!

But, not knowing Python, I burnt some cycles on the adding of "local=True" to things already there. To help my next comrade from not falling for this, but sure to use a comma to separate multiple entries in the Configuration parameters. I.E.:

ldapsearch.py:@Configuration(retainsevents=True, local=True)
ldaptestconnection.py:@Configuration(retainsevents=True, local=True)
ldapfetch.py:@Configuration(local=True)
ldapfilter.py:@Configuration(local=True)
ldapgroup.py:@Configuration(local=True)

0 Karma
Reply
Get Updates on the Splunk Community!

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...