Ldapsearch / ActiveDriectory app issue

ofgem_bird — Tue, 18 Jun 2013 09:26:17 GMT

I am having an issue with the ldapsearch functionality under the Active directory app in Splunk.

I have been trying to get it to enumerate groups correctly. In certain circumstances I can get it to display all groups under Security > Reports > Security Groups - all.

This appears to return the correct values, however it appears to be struggling to enumerate group membership, if I run the report for Security > Reports > Security Groups - Empty it merely returns the same group listing regardless of whether the group is empty or not. (This only works if I use a single domain in the ldap.conf (with the 3 required stanzas as well as the default stanza)

I have a domain forest and a child domain. So presumably the ldap.conf should look something like this. (where forest is x.y.z and child domain is w.x.y.z)

[x.y.z]
server=servername1;servername2
port=389
ssl=false
basedn=DC=x,DC=y,DC=z
binddn=CN=account,OU=OrgUnit,DC=x,DC=y,DC=z
password=password

[X]
alias=x.y.z

[DC=x,DC=y,DC=z]
alias=x.y.z

[w.x.y.z]
server=servername1;servername2
port=389
ssl=false
basedn=DC=w,DC=x,DC=y,DC=z
binddn=CN=account,OU=OrgUnit,DC=w,DC=x,DC=y,DC=z
password=password

[W]
alias=w.x.y.z

[DC=W,DC=X,DC=Y.DC=Z]
alias=w.x.y.z

[default]
server=servername1
port=389
ssl=false

However, when running in this configuration I see the following errors in the sa-ldapsearch.log file.

[com.splunk.program.LDAPSearch:main#-1] ERROR Exception com.unboundid.ldap.sdk.LDAPSearchException thrown: 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
    ref 1: 'w.x.y.z'

Followed by a series of ERROR stack traces:

[com.splunk.program.LDAPSearch:main#-1] ERROR Stack Trace com.unboundid.ldap.sdk.LDAPConnection.search (3112)

If I revert to having just w.x.y.z and [default] removing [x.y.z] then some functionality is restored but I get the following errors logged in the log file.

[com.splunk.ldap.ActiveDirectory:getConnectionForEntry#-1] ERROR Could not find entry dc=x,dc=y,dc=z in ldap.conf

AND

[com.splunk.program.LDAPGroups:Execute#-1] WARNING Context for CN=Group,CN=Directory Element,DC=w,DC=x,DC=y,DC=z was not found - dumping and skipping

Any help in untangling this would be most useful, running on Windows, Java 1.7, Splunk 5.0.2, AD App v1.1.4, ldapsearch v1.1.9.

Re: Ldapsearch / ActiveDriectory app issue

mibrahim_splunk — Wed, 19 Jun 2013 01:37:43 GMT

im having the same issue as this as well. Seeing the same error messages in my internal index

When i test the |ldapsearch command i get no results returned but i dont get an error to indicate ldapsearch is not working...

Re: Ldapsearch / ActiveDriectory app issue

ofgem_bird — Tue, 25 Jun 2013 14:26:32 GMT

mibrahim, have you checked out the SA-ldapsearch.log file (located in %Splunk%\var\log\splunk)?

Also check out these pages as they may help. they helped me iron a few bugs before I got stuck at the above...

http://blogs.splunk.com/2012/10/21/splunk-app-for-active-directory-and-the-top-10-issues/

http://docs.splunk.com/Documentation/ActiveDirectory/1.2/DeployAD/TroubleshoottheSplunkAppforActiveDirectory

topic Ldapsearch / ActiveDriectory app issue in All Apps and Add-ons

Ldapsearch / ActiveDriectory app issue

Re: Ldapsearch / ActiveDriectory app issue

Re: Ldapsearch / ActiveDriectory app issue