Splunk Search

External search command 'ldapfetch' returned error code 1. Script output = "error_message=Missing required value for alternatedomain in ldap/DOMAIN. "

msteffes
New Member

I keep receiving the error "External search command 'ldapfetch' returned error code 1. Script output = "error_message=Missing required value for alternatedomain in ldap/DOMAIN.' " . I included my ldap.conf file changing our domain to just domain. I have tried the stanza [domain.com] in all caps and lowercase, the domain in alternatedomain = has been uppercase and lowercase as well. We have one search head, one indexer and one deployment server. I have SA-ldapsearch installed on $Splunk_Home/etc/apps/ on both search head and indexer, I have also tried it without it installed on the indexer. As a side question is it only required to be on the search head or does it need to be on the indexer as well? Also, it doesn't need to be installed on any of the domain controllers either correct?

[default]
server = dc1.domain.com
port = 389

[domain.com]
server = dc1.domain.com,dc2.domain.com
port = 389
ssl = false
basedn = DC=domain,DC=com
binddn = CN=spl user,OU=Splunk,OU=System accounts,OU=Departments and Categories,DC=domain,DC=com
password = password
alternatedomain = DOMAIN

I have tried the solution below and still receive the same message.
https://answers.splunk.com/answers/318078/splunk-support-for-active-directory-error-the-defa.html

0 Karma

msteffes
New Member

SA-ldapsearch only needs to be installed on the search head. Recommended best practice by support was to add 'local = true' to the commands.conf file from http://docs.splunk.com/Documentation/SA-LdapSearch/2.1.8/User/Workaroundfordefaultconfigstanzaerrors... . This tells splunk to only initiate queries from the search head and doesn't distribute queries on any search peers. The cause of the error "'ldapfetch' returned error code 1. Script output = "error_message=Missing required value for alternatedomain in ldap/DOMAIN.' " was becasue under the App "Splunk Supporting Add-on for Active Directory" under configuration we did not have any entries setup for "default". We only had our domain setup. We deleted the domain configuration and entered the setup under default.

0 Karma

msteffes
New Member

We are running Splunk version 7.0.3 with Splunk App for Windows Infrastructure version 1.4.4 build 799. This is happening with the search string "|secrpt-all-orgunits(DOMAIN)" The search is from using Active Directory>Organizational Units>Organizational Unit Reports>Org Units: ALL from within the Splunk App for Windows Infrastructure.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...