topic Re: Error when configuring ldapsearch with Splunk Supporting Add-on for Active Directory. in All Apps and Add-ons

Error when configuring ldapsearch with Splunk Supporting Add-on for Active Directory.

3DGjos — Mon, 18 May 2020 23:09:13 GMT

I'm working with some ldapsearch searches and I'm having the following problem with one of our search heads. I can't even configure the input, and the interface shows me this error when configuring the connection and when doing any ldapsearch search:

External search command 'ldapsearch' returned error code 1. Script output = " ERROR "HTTPError at ""/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py"", line 1111 : HTTP 403 Forbidden -- insufficient permission to access this resource" ".

I'm using a local admin account with all the capabilities needed to perform the configuration: admin_all_objects, list_storage_passwords, and edit_tcp.

P.S. The add-on works with another search head. My Splunk version is 7.3.1 and my add-on version is 2.1.4.

Any help will be appreciated, thanks!

Re: Error when configuring ldapsearch with Splunk Supporting Add-on for Active Directory.

sayantabasak — Wed, 16 Dec 2020 14:49:19 GMT

Try with the below additional capabilities and it should work

list_settings

rest_properties_get

We got this working without admin_all_objects so you might drop that as well

Re: Error when configuring ldapsearch with Splunk Supporting Add-on for Active Directory.

JeffGolden — Fri, 09 Apr 2021 19:00:11 GMT

Giving admin_all_objects is not an advisable solution. This gives people way more permission than they need to get LDAP search working and I agree with @sayantabasak .

This is what that capability gives people access to do and should only be limited to administrators:

admin_all_objects

Lets the user access and modify any object in the system regardless of any restrictions set in the objects. For example user objects, search jobs, reports, and knowledge objects. Lets the user bypass any ACL restrictions, much the way root access in a *nix environment does.

I was able to give my Analysts access to run LDAP queries by adding the following capabilities to their analyst user role:

list_settings

list_storage_passwords

Here is the access list_settings and list_storage_passwords provide. During troubleshooting, I discovered both are required and allows the users to perform gets for the password (to authenticate to AD), but it does not allow them to POST (or write to) the password as the admin_all_objects does and is not required:

list_settings

Lets the user list and view server and introspection settings such as the server name, log levels, etc.

list_storage_passwords

Lets the user list and view the /storage/passwords endpoint, lets the user perform GETs. The admin_all_objects capability must be added to the role for the user to perform POSTs to the /storage/passwords endpoint.

To view more on roles @3DGjos, please see the following page on Splunk Docs:

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/Rolesandcapabilities