After upgrading to Splunk 6.3, why is the Splunk Support for Active Directory connection test failing with "the default configuration stanza for ldap.conf is missing."?

darrend
Path Finder

Hi All

I had Splunk Support for Active Directory (SA-ldapsearch) configured and working in 6.2. I upgraded to 6.3 and it no longer functioned. I kept getting an error in the connection test saying "the default configuration stanza for ldap.conf is missing."

This was version 2.1. I have upgraded to the latest 2.1.1 and it still has not helped.

I have also completely removed SA-ldapsearch, restarted, reinstalled and re-keyed the configuration. We are still seeing the error above.

Has anyone else experienced this issue? How have you resolved it?

Thanks
Darren

fadid
New Member

Just one note: I went through all the suggested solutions and they did not work, but after I read the troubleshooting section for the add-on, I noticed that you must write the domain name in uppercase.

0 Karma

BlueSocket
Communicator

I have jumped through those hoops on our system - the local=true fix only works for the SA-ldapsearch app v2.1.2 and higher.

0 Karma

greich
Communicator

Getting the error on a 2.1.3 stand-alone SH! And the ldapsearch command is configured as local.

0 Karma

sarmstrong_splu
Splunk Employee

dfronck
Communicator

Seriously?

The "fix" is to manually install this on all my indexers and then manually configure it?
I assume I can't use the master node to push this out because of the way the app handles passwords.

The doc still says...

Where to install it
   The Splunk Supporting Add-on for Active Directory can be installed on a search head or a heavy forwarder.
   It does not perform any function when you install it on an indexer or universal forwarder.
   This method of installation is valid for both single-instance and distributed environments. 

mikaelbje
Motivator

Yep, pretty annoying, but theoretically you could deploy it via DS or the Cluster Master as long as the splunk.secret file is the same on all servers since the password hash would then be the same. Note that you'll have to re-insert every old hashed password in cleartext on your servers if you change the splunk.secret file.

You could perhaps also make it work as long as the SA-ldapsearch you deploy has the password in cleartext which leaves it up to each individual server to hash it upon installation.

0 Karma

BlueSocket
Communicator

I had the same issue - I configured the App on the Search Head and then replaced the password in the password.conf to be the cleartext password and put it onto the Cluster Master to distribute out to the Indexers. Strangely, the App is shown as deployed, but not configured on the Indexers (but is in the slave-apps folder).

Hope that this helps and confirms to others the process for a similar situation.

0 Karma
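
The two deployment approaches described above by mikaelbje and BlueSocket (a shared splunk.secret, or a cleartext password in the pushed bundle) can be checked before a bundle is distributed. This is an added example, not part of any post and not Splunk's or the add-on's code; the `password` key name, the stanza contents, host names and all sample values are constructed assumptions, while `$1$` and `$7$` are the prefixes Splunk puts on encrypted .conf values.

```python
import hashlib

# Splunk marks encrypted .conf values with one of these prefixes.
ENCRYPTED_PREFIXES = ("$1$", "$7$")

def audit_conf(text):
    """Return (stanza, key, state) for every password-like setting."""
    findings, stanza = [], "default"  # settings before any header are global
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if sep and "password" in key.lower():
            if not value:
                state = "empty"
            elif value.startswith(ENCRYPTED_PREFIXES):
                state = "encrypted"
            else:
                state = "cleartext"
            findings.append((stanza, key, state))
    return findings

def secret_groups(secrets):
    """Group hosts by SHA-256 of splunk.secret; >1 group = not portable."""
    groups = {}
    for host, data in secrets.items():
        groups.setdefault(hashlib.sha256(data).hexdigest(), []).append(host)
    return sorted(sorted(hosts) for hosts in groups.values())

# Constructed sample input: key names and values are assumptions.
SAMPLE_CONF = """\
[EXAMPLE.TEST]
binddn = CN=svc-splunk,OU=Service,DC=example,DC=test
password = ConstructedCleartext1
[CORP.EXAMPLE.TEST]
password = $1$Y29uc3RydWN0ZWQ=
"""
SAMPLE_SECRETS = {"sh01": b"constructed-A", "idx01": b"constructed-A",
                  "idx02": b"constructed-B"}

if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF):
        print(finding)
    print(secret_groups(SAMPLE_SECRETS))
```

A `cleartext` finding in a staged bundle means the credential is readable on disk wherever that bundle is stored; more than one group from `secret_groups` means an encrypted value copied between those hosts will not decrypt.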

kskujawa
Explorer

I'm still getting errors in 2.1.2: [indexer] External search command 'ldapsearch' returned error code 1. Script output = " ERROR "ParseError at ""C:\Program Files\Splunk\Python-2.7\Lib\xml\etree\ElementTree.py"", line 1506 : not well-formed (invalid token): line 33, column 38"

I deployed the configured app to my indexer

enicholson_splu
Splunk Employee

This worked for me also.

0 Karma

mikaelbje
Motivator

I believe you need to manually install and configure it on the indexers because of the password hashes in the config files.

0 Karma

kskujawa
Explorer

Ah, ok. Did that and now it looks like the ldaptest works. Thanks!

0 Karma

jonathan_cooper
Communicator

Any update on this yet? Still doing customer ES engagements and having this problem... 😕

0 Karma

darrend
Path Finder

So I did some more debugging on this one, and even though the connection test failed in the setup screen, once I pushed the app to the indexers as well I was able to do an ldap search to generate my assets list. I did still get an error message moaning, but it did work.

It's good to see that this has been captured though and will be resolved in the upcoming 2.1.2 release of SA-ldapsearch.

Thanks
Darren

0 Karma

rphillips_splk
Splunk Employee

The workaround listed in TAG-9200 is to:
1. Install the SA-ldapsearch app on the search head and configure it by setting up and testing the connection through the configuration view (even when it throws the error "the default configuration stanza for ldap.conf is missing" it still configures ldap.conf with a default stanza).
2. Deploy the configured app to the search peers (indexers).

The fix is listed as coming in version 2.1.2.

mikaelbje
Motivator

This worked, however it runs the search on every indexer, so it adds some extra load on the domain controllers AND you need to dedup the results to get the right results.

hazclan13
Engager

Thanks team, worked for us too!

0 Karma

Richfez
SplunkTrust

We had this problem in a fresh ES install this past week. We duplicated settings from a working 6.2.x install but they did not work in the newer environment.

In our case, we found that we needed to deploy the SA-ldapsearch app and config to both the search head and indexers and all worked after that. There was a conflict in Splunk and the app over LDAP default stanzas so by pushing that config to the indexers as well it fixed the confusion.

mgonter_splunk
Splunk Employee

Ran into this as well. Did all the same troubleshooting and still have nothing. Anybody else?

0 Karma

Chubbybunny
Splunk Employee

I'm able to reproduce the same behavior. Reported to Splunk DEV as a bug in TAG-9950.

Open a support case and request to be added to the bug.

0 Karma