Hi all,
We have this architecture:
One search head and Two Indexers
We installed SA-Ldapsearch on our Indexers only, as only Indexers have access to our LDAP for querying Active Directory.
How can we use our search head to perform queries on Active Directory based on the search returned by the Indexers?
Indeed, Search Head doesn't have access to the Active Directory.
We assume that it is possible to use search peers to launch the query and then provide the result of the search to the Search Head.
Do you have any suggestion?
Thanks in advance.
SA-ldapsearch ONLY has to be in your Search Head tier. Please note, this app is used for querying via the Splunk GUI and NOT for integrating with Splunk user authentication (which many people wrongly assume).
So the two ways I can think of are, in order of preference:
1. Request Firewall Access for your Search Head to LDAP
2. Swap your indexer to SH if they are the same powerful boxes & storage
2. Request UI access for one indexer (not ideal), and maybe one or two people can have special permissions to run LDAP queries
(PS: I'm not a fan of SA-ldapsearch as it is too slow imo)