Splunk Support for Active Directory: Why am I getting connection test failure "ParseError at "...elementtree.py"...not well-formed (invalid token)"?

banderson7
Communicator

The error is

ParseError at "/opt/splunk_ind/lib/python2.7/xml/etree/ElementTree.py", line 1506 : not well-formed (invalid token): line 33, column 37"

I've installed the Splunk Supporting Add-on for Active Directory on my indexers & my search heads. I'm using the same connection string that I use as my ldap authentication method. Also, this is on Splunk 6.3, and version 2.1.1 of SA-ldapsearch. Anyone run into this?

javiergn
Super Champion

I had lots of similar problems in my previous company when using the ldapsearch commands.
I don't have access to that instance anymore but I remember it was all because of the LDAP query format and I had to escape certain characters in order to get it right.

Can you paste an obfuscated version of your query here so that we can take a look?

Thanks,
J

banderson7
Communicator

Cheers, but this is just using the test connection button on the configuration page.
Below is my ldap.conf
[domain.com]

server = server.domain.com
port = 636
ssl = 1
basedn = dc=domain,dc=com
binddn = CN=splunkadsearch\, svc,CN=Users,DC=domain,DC=com
password =
alternatedomain = domain

[corp.domain.com]
alternatedomain = corp.domain
basedn = DC=corp,DC=domain,DC=com
binddn = CN=splunkadsearch\, svc,CN=Users,DC=domain,DC=com
port = 636
server = ATL-PRD-ADC-003.corp.domain.com
ssl = 1
0 Karma

javiergn
Super Champion

Is that really your bind DN?

binddn = CN=splunkadsearch\, svc,CN=Users,DC=domain,DC=com

I wonder if the comma there, even when escaped, is causing all the problems. Can you test this using a different account that doesn't contain special characters and see if that works?

Also:

  • Is your AD listening on port 636, which is default for SSL?
  • Have you looked at the content of $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log?
  • The password property seems to be deprecated in the latest versions so not sure if that should be there if it's empty. See this.

Hope that helps,
J

0 Karma

banderson7
Communicator

I've got that bind dn working as my ldap authentication bind dn connecting splunk to my AD to allow ldap logins.
I've also copied this ldap.conf to a test server, which communicates successfully with the ldap server using sa-ldapsearch.
636 is open to the ldap server from this splunk server. I've also removed the password = line, no help.
Frustrating. Thanks for responding.
Whoops, forgot your other question. Sa-ldapsearch.log is not updating. Where do I set the log option for sa-ldapsearch?

0 Karma

javiergn
Super Champion

Hi,

Logs should be populated automatically. If that's not happening it means there's probably something wrong with your installation.

  • If your test environment is working fine with the same version, try using a diff tool to compare both app directories and see what's different between them
  • If that doesn't help, then uninstall and erase the app directory completely and try the latest version (2.1.2) released last week. Make sure you read the instructions carefully.
  • If you are still getting errors, where are they showing up? Are they part of the configuration or just happening when you run ldapsearch? If the latter, have you tried any other commands? Can you paste some of the searches you are running?

Hope that helps. Let me know how it goes.

Thanks,
J

0 Karma

banderson7
Communicator

Copied the SA-ldapsearch from the test server to the correct environment, got the following error:
Search
| ldaptestconnection domain="domainname"
Result
distinguishedName: CN=Users,DC=domainname,DC=com
Error
Cannot find the configuration stanza for domain=domainname in ldap.conf.

Updated the correct server to 2.1.2, and I got the same error. Where is it looking for ldap.conf? /opt/splunk/etc/apps/SA-ldapsearch/local/ldap.conf has the following:
[domainname]
alternatedomain = domainname.com
basedn = CN=Users,DC=domainname,DC=com
port = 636
server = satlit-dcroot1.domainname.com
ssl = 1
binddn = CN=splunkadsearch\, svc,CN=Users,DC=domainname,DC=com

Also, I'm still not getting sa-ldap.log in /opt/splunk/var/log/splunk, even with the updated program.

0 Karma

javiergn
Super Champion

You shouldn't copy whole apps between environments without removing local conf files first. The ldap app for instance will be hashing your user password using a locally generated key so it won't work in your environment.

Try editing the domain via the GUI and retyping your password. Also test the connection from there. See this.

Once your connection test is fine, try ldapsearch again, and if that doesn't work try other commands.

If none of the above works, run a diff tool in order to compare TEST and PRODUCTION environments and see what's different.

0 Karma

banderson7
Communicator

Retyped the connection information in the GUI, and got the same error

| ldaptestconnection domain="domainname"
Result
distinguishedName: CN=Users,DC=domainname,DC=com
Error
Cannot find the configuration stanza for domain=domainname in ldap.conf.

Here's the diff prod <->test
Only in SA-ldapsearch/bin: commons-lang3-3.1.jar
Only in SA-ldapsearch/bin: customcommands.jar
Files SA-ldapsearch/bin/default.pyc and SA-ldapsearch-SB/bin/default.pyc differ
Only in SA-ldapsearch/bin: gson-2.2.2.jar
...
Only in SA-ldapsearch/bin: unboundid-ldapsdk-2.3.1-se.jar
diff -r SA-ldapsearch/default/app.conf SA-ldapsearch-SB/default/app.conf
1,7d0
< # Autogenerated file
< [install]
< state = enabled
< is_configured = 0
< build = 64
< install_source_checksum = 93d6a3980528ab75ba7f5dc8cf27645783e8b8c9
<
18a12,17
>
> [install]
> state = enabled
> is_configured = 0
> build = 64
> install_source_checksum = 55deaf133c71603df00725c417e69ff05acb4a6d
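Review bot: the two installs are not the same package even though both sides report build = 64: install_source_checksum differs (93d6a398... on prod vs 55deaf13... on test), and the prod bin directory carries jars the test side lacks (commons-lang3-3.1.jar, customcommands.jar, gson-2.2.2.jar, unboundid-ldapsdk-2.3.1-se.jar) plus a default.pyc that differs, which is what a directory copied over an older version looks like. Rather than diffing further, remove the prod app directory completely, install 2.1.2 fresh, and recreate the local configuration through the GUI.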
diff -r SA-ldapsearch/default/ldap.conf SA-ldapsearch-SB/default/ldap.conf
1,9c1,4
< [domainname.com]
< #server = SATLIT-DCROOT1.domainname.com;Mar-prd-ads-001.domainname.com
< server = SATLIT-DCROOT1.domainname.com
< port = 389
< ssl = false
< basedn = dc=alere,dc=com
< binddn = cn=svcsplunkadsearch,cn=Users,dc=domainname,dc=com
< password = {64}M3dhZmZsZXNvblRVRVM=
< alternatedomain = domainname
---
> # Default configuration file for SA-ldapsearch commands
>
> # To learn more about configuration files (including precedence) please see the documentation located at
> # http://docs.splunk.com/Documentation/Splunk/latest/Admin/Aboutconfigurationfiles.
12,14c7,56
< server = SATLIT-DCROOT1.domainname.com
< port = 389
< ssl = false
---
> # Represents the default domain for LDAP queries
>
> # [splunk.com]
> # Create a stanza like this for each additional domain you wish to query
> # The stanza name should be the DNS name of the domain.
>
> # alternatedomain = SPLUNK
> # Alternate domain name of the domain.
> # By convention this name is set to the NetBIOS name of the domain. It must be unique in the scope of ldap.conf. You
> # may use either the stanza name or the alternatedomain name to identify the domain in SA-ldapsearch commands. See
> # the domain option.
> # A value is required.
>
> # basedn = DC=splunk,DC=com
> # Distinguished name of the domain.
> # By convention this name should be unique in the scope of ldap.conf.
> # A value is required.
>
> # server = host1,host2,host3
> # Comma-separated list of distributed LDAP server replica host names.
> # A host name in round-robin fashion starting with a random pick.
> # A value is required.
>
> # ssl = false
> # True to enable SSL; otherwise, false.
> # Defaults to false.
>
> # port = 389
> # Port number.
> # Defaults to 636, if ssl is enabled; otherwise 389.
>
> # binddn = cn=Splunker,OU=Managed Service Accounts,DC=splunk,DC=com
> # Distinguished name for binding to the LDAP directory service.
> # The password used for simple authentication should be encrypted and saved to local/app.conf using the
> # POST storage/passwords endpoint with name = and realm = SA-ldapsearch.
>
> # password = {64}Y2hhbmdlbWU=
> # Deprecated: The password used for simple authentication.
> # Cleartext or Base64 encoded password for simple authentication. Base64 encoding is indicated by prefixing {64}.
> # If a storage password with name = and realm = SA-ldapsearch also exists, this setting is ignored.
> # See http://docs.splunk.com/Documentation/Splunk/latest/RESTREF/RESTaccess#POST_storage.2Fpasswords_metho....
>
> # decode = true
> # True to enable Active Directory formatting extensions; otherwise false.
> # The default is true.
>
> # paged_size = 1000
> # Maximum number of entries to return in a single page of LDAP search results.
> # The default is 1000. This is the default maximum page size permitted by Active Directory. See LDAP policies at
> # http://technet.microsoft.com/en-us/library/cc770976.aspx.
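Review bot: default/ldap.conf on the prod side has been edited in place: the `[domainname.com]` stanza with `ssl = false`, `port = 389` and a `{64}`-prefixed password line lives under default/, where the test side still has the stock commented template. Anything under default/ is overwritten on upgrade, so those settings will silently vanish with 2.1.2, and the `{64}` prefix is only base64 encoding, not encryption, so the bind password on that line is readable by anyone who sees this post and should be rotated, with the credential moved to storage/passwords as the template's binddn comment says. Since Splunk merges local over default per key, inspect the merged stanzas with `splunk btool ldap list --debug` rather than reading either file on its own.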
Only in SA-ldapsearch: default.old.20151022-121316
Only in SA-ldapsearch: default.old.20151111-210826
diff -r SA-ldapsearch/local/app.conf SA-ldapsearch-SB/local/app.conf
1d0
< # Autogenerated file
3d1
< state = enabled
4a3,5
>
> [credential:SA-ldapsearch:domainname:]
> password = $1$HbfahK78XQyqXQLPRnjU
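Review bot: the test side stores the bind credential as a `[credential:SA-ldapsearch:domainname:]` stanza in local/app.conf, while the prod side has no credential stanza there at all. The `$1$` value is encrypted with the test instance's own splunk.secret, so it would not decrypt on prod even if copied (as javiergn pointed out above); the later `Only in SA-ldapsearch/local: passwords.conf` line suggests prod keeps its credential in passwords.conf instead, so that file, not app.conf, is where to confirm that a credential with realm SA-ldapsearch and the right domain name actually exists on prod.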
diff -r SA-ldapsearch/local/ldap.conf SA-ldapsearch-SB/local/ldap.conf
1,3c1,3
< [alere.com]
< #server = SATLIT-DCROOT1.domainname.com;Mar-prd-ads-001.domainname.com
< server = SATLIT-DCROOT1.domainname.com
---
> [alere]
> alternatedomain = domainname.com
> basedn = CN=Users,DC=domainname,DC=com
4a5
> server = atl-prd-ads-001.domainname.com
6d6
< basedn = dc=domainname,dc=com
8,22d7
< password =
< alternatedomain = domainname
<
< [default]
< server = SATLIT-DCROOT1.domainname.com
< port = 389
< ssl = false
<
< [corp.alere.com]
< alternatedomain = corp.domainname
< basedn = DC=corp,DC=domainname,DC=com
< binddn = CN=splunkadsearch\, svc,CN=Users,DC=domainname,DC=com
< port = 636
< server = ATL-PRD-ADC-003.corp.domainname.com
< ssl = 1
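Review bot: the stanza keys are swapped between the two sides: prod names the stanza `[alere.com]` with `alternatedomain = domainname`, the test side names it `[alere]` with `alternatedomain = domainname.com`, and the template above says `domain=` must match either the stanza name or alternatedomain. `| ldaptestconnection domain="domainname"` therefore only resolves where "domainname" appears in one of those two places in the merged config, so check the effective stanza names with `splunk btool ldap list --debug` first. Prod also carries a `[default]` stanza with `ssl = false`/`port = 389` and a second `[corp.alere.com]` stanza, neither of which exists on the test side. Separately, the redaction is incomplete: `alere` survives in several stanza and basedn lines where other lines read `domainname`.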
Only in SA-ldapsearch/local: passwords.conf
diff -r SA-ldapsearch/metadata/default.meta SA-ldapsearch-SB/metadata/default.meta
1,4d0
< [app/install/state]
< version = 5.0.1
< modtime = 1365297870.967600000
<
diff -r SA-ldapsearch/metadata/local.meta SA-ldapsearch-SB/metadata/local.meta
1,4d0
< [app/install/state]
< version = 5.0.1
< modtime = 1365297870.967600000
<
6,11c2,3
< version = 6.3.0
< modtime = 1447294106.976317000
<
< [ldap/alere.com]
< version = 6.3.0
< modtime = 1449855223.410913000
---
> version = 6.2.5
> modtime = 1450203497.383257000
14,15c6,12
< version = 6.3.0
< modtime = 1449855473.613261000
---
> version = 6.2.5
> modtime = 1450210053.384149000
>
> [ldap/domainname]
> owner = admin
> version = 6.2.5
> modtime = 1450210053.365742000
17,20c14,17
< [ldap/corp.domainname.com]
< owner = manderson
< version = 6.3.0
< modtime = 1449855473.581998000
---
> [app/credential%3ASA-ldapsearch%3Adomainname%3A]
> owner = admin
> version = 6.2.5
> modtime = 1450210053.368359000
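Review bot: local.meta shows the two instances on different Splunk versions (version = 6.3.0 on prod, 6.2.5 on test) and the prod `[ldap/corp.domainname.com]` object owned by `manderson` where the test objects are owned by `admin`. Neither difference is a fault by itself, but together with the `default.old.20151022-121316` and `default.old.20151111-210826` directories listed earlier they confirm the prod directory accumulated state from several installs rather than being a clean one, which is the strongest argument for the erase-and-reinstall suggested above.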
Only in SA-ldapsearch: .settings

0 Karma
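A small checker for the ldap.conf shapes discussed in this thread, added here as an example and not part of SA-ldapsearch or Splunk: it applies the lookup rule quoted from the add-on's default template in the diff above (domain= may be the stanza name or alternatedomain), the port/ssl defaults from the same template, and the deprecated-password and escaped-comma checks javiergn raised earlier. The sample stanzas are constructed placeholders, and the case-insensitive domain match is this example's assumption.

```python
import configparser
import re

# Constructed sample modelled on the stanzas quoted in this thread; every value is a placeholder.
SAMPLE_LDAP_CONF = r"""
[domain.com]
server = server.domain.com
ssl = 1
basedn = dc=domain,dc=com
binddn = CN=splunkadsearch\, svc,CN=Users,DC=domain,DC=com
password =
alternatedomain = domain
[corp.domain.com]
alternatedomain = corp.domain
server = ATL-PRD-ADC-003.corp.domain.com
port = 389
ssl = 1
"""

def parse_ldap_conf(text):
    cp = configparser.RawConfigParser()  # Raw: no %-interpolation, so passwords containing '%' survive
    cp.optionxform = str                 # keep key case exactly as written in the file
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}

def find_domain(stanzas, domain):
    """Resolve domain= the way the add-on's template describes: stanza name or alternatedomain
    (the case-insensitive comparison is this example's assumption)."""
    for name, opts in stanzas.items():
        if domain.lower() in (name.lower(), (opts.get("alternatedomain") or "").lower()):
            return name
    return None  # the add-on reports: Cannot find the configuration stanza for domain=...

def split_dn(dn):
    r"""Split on unescaped commas only (RFC 4514), so 'CN=splunkadsearch\, svc' stays one RDN."""
    return [rdn.strip() for rdn in re.findall(r"(?:[^,\\]|\\.)+", dn)]

def lint_stanza(opts):
    """Checks a practitioner would run before pressing 'test connection'."""
    issues = [f"{k} is required" for k in ("server", "basedn", "alternatedomain", "binddn") if not opts.get(k)]
    if "password" in opts:
        issues.append("password is deprecated; store the bind password via storage/passwords")
    ssl_on = (opts.get("ssl") or "").lower() in ("1", "true")
    port = int(opts.get("port") or (636 if ssl_on else 389))  # defaults from the template
    if port == (389 if ssl_on else 636):
        issues.append(f"port {port} disagrees with ssl={'true' if ssl_on else 'false'}")
    if any("\\" in rdn for rdn in split_dn(opts.get("binddn") or "")):
        issues.append("binddn contains escaped characters; retest with an account whose DN needs none")
    return issues
```

Run `lint_stanza` over every stanza returned by `parse_ldap_conf` on the merged output of btool, not on a single file, since Splunk layers local over default.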

javiergn
Super Champion

Hi, I can't see anything obvious there and I'm running out of ideas.

Take a look at the following links and see if that helps:

If none of the above works I would either raise it with Splunk or wait for someone else to reply here.

Thanks,
J

0 Karma

banderson7
Communicator

Yeah, I'll update all the hosts to the latest ldapsearch.

Thanks a lot for looking at this, I appreciate it. I'll open a ticket soon.

0 Karma

patrick_muller
Explorer

Banderson, I don't know if you opened the ticket.
In my case, I was installing SA-ldapsearch on the search head, but the correct way is to install it on the indexer.

That corrected my problem.

0 Karma