I had Splunk Support for Active Directory (SA-ldapsearch) configured and working in 6.2. I upgraded to 6.3 and it no longer functioned. I kept getting an error in the connection test saying "the default configuration stanza for ldap.conf is missing."
This was version 2.1. I have upgraded to the latest 2.1.1 and it still has not helped.
I have also completely removed SA-ldapsearch, restarted, reinstalled and re-keyed the configuration. We are still seeing the error above.
Has anyone else experienced this issue? How have you resolved it?
Just one note, I come through all the suggested solution and it did not work, but after I read the troubleshooting section for the Add-one, I noticed that you must write the domain name In uppercase.
The "fix" is to manually install this on all my indexers and then manually configure it?
I assume I can't use the master node to push this out because of the way the app handles passwords.
The doc still says...
Where to install it The Splunk Supporting Add-on for Active Directory can be installed on a search head or a heavy forwarder. It does not perform any function when you install it on an indexer or universal forwarder. This method of installation is valid for both single-instance and distributed environments.
Yep, pretty annoying, but theoretically you could deploy it via DS or the Cluster Master as long as the splunk.secret file is the same on all servers since the password hash would then be the same. Note that you'll have to re-insert every old hashed password in cleartext on your servers if you change the splunk.secret file.
You could perhaps also make it work as long as the SA-ldapsearch you deploy has the password in cleartext which leaves it up to each individual server to hash it upon installation.
I had the same issue - I configured the App on the Search Head and then replaced the password in the password.conf to be the cleartext password and put it onto the Cluster Master to distrbute out to the Indexers. Strangely, the App is shown as deployed, but not configured on the Indexers (but is in the slave-apps folder).
Hope that this helps and confirms to others the process for a similar situation.
I'm still getting errors in 2.1.2: [indexer] External search command 'ldapsearch' returned error code 1. Script output = " ERROR "ParseError at ""C:\Program Files\Splunk\Python-2.7\Lib\xml\etree\ElementTree.py"", line 1506 : not well-formed (invalid token): line 33, column 38"
I deployed the configured app to my indexer
So i did some more debugging on this one, and eventhough the connection test failed in the setup screen, once i pushed the app to the indexers as well i was able to do an ldap search to generate my assets list, i did still get an error message moaning, but it did work.
It's good to see that this has been captured though and will be resolved in the upcoming 2.1.2 release of SA-ldapsearch.
The workaround listed in TAG-9200 is to :
1. Install the SA-ldapsearch app on the search head and configure it by setting up and testing the connection through the configuration view (even when it throws the error "the default configuration stanza for ldap.conf is missing" it still configures ldap.conf with a default stanza.)
2. Deploy the configured app to the search peers (indexers).
the fix is listed as coming in version 2.1.2
We had this problem in a fresh ES install this past week. We duplicated settings from a working 6.2.x install but they did not work in the newer environment.
In our case, we found that we needed to deploy the SA-ldapsearch app and config to both the search head and indexers and all worked after that. There was a conflict in Splunk and the app over LDAP default stanzas so by pushing that config to the indexers as well it fixed the confusion.