
After upgrading to Splunk 6.3, why is the Splunk Support for Active Directory connection test failing with "the default configuration stanza for ldap.conf is missing."?

Path Finder

Hi All

I had Splunk Support for Active Directory (SA-ldapsearch) configured and working in 6.2. I upgraded to 6.3 and it no longer functioned. I kept getting an error in the connection test saying "the default configuration stanza for ldap.conf is missing."

This was version 2.1. I have upgraded to the latest 2.1.1 and it still has not helped.

I have also completely removed SA-ldapsearch, restarted, reinstalled and re-keyed the configuration. We are still seeing the error above.

Has anyone else experienced this issue? How have you resolved it?

Thanks
Darren

New Member

Just one note: I went through all the suggested solutions and they did not work, but after I read the troubleshooting section for the add-on, I noticed that you must write the domain name in uppercase.

0 Karma

Communicator

I have jumped through those hoops on our system - the local=true fix only works for the SA-ldapsearch app v2.1.2 and higher.

0 Karma

Communicator

Getting the error on a 2.1.3 stand-alone SH! And the ldapsearch command is configured as local.

0 Karma

Splunk Employee

Communicator

Seriously?

The "fix" is to manually install this on all my indexers and then manually configure it?
I assume I can't use the master node to push this out because of the way the app handles passwords.

The doc still says...

Where to install it
   The Splunk Supporting Add-on for Active Directory can be installed on a search head or a heavy forwarder.
   It does not perform any function when you install it on an indexer or universal forwarder.
   This method of installation is valid for both single-instance and distributed environments. 

Motivator

Yep, pretty annoying, but theoretically you could deploy it via DS or the Cluster Master as long as the splunk.secret file is the same on all servers since the password hash would then be the same. Note that you'll have to re-insert every old hashed password in cleartext on your servers if you change the splunk.secret file.

You could perhaps also make it work as long as the SA-ldapsearch you deploy has the password in cleartext which leaves it up to each individual server to hash it upon installation.

0 Karma

Communicator

I had the same issue - I configured the App on the Search Head and then replaced the password in the password.conf to be the cleartext password and put it onto the Cluster Master to distribute out to the Indexers. Strangely, the App is shown as deployed, but not configured on the Indexers (but is in the slave-apps folder).

Hope that this helps and confirms to others the process for a similar situation.

0 Karma

Explorer

I'm still getting errors in 2.1.2: [indexer] External search command 'ldapsearch' returned error code 1. Script output = " ERROR "ParseError at ""C:\Program Files\Splunk\Python-2.7\Lib\xml\etree\ElementTree.py"", line 1506 : not well-formed (invalid token): line 33, column 38"

I deployed the configured app to my indexer

Splunk Employee

This worked for me also.

0 Karma

Motivator

I believe you need to manually install and configure it on the indexers because of the password hashes in the config files.

0 Karma

Explorer

Ah, ok. Did that and now it looks like the ldaptest works. Thanks!

0 Karma

Communicator

Any update on this yet? Still doing customer ES engagements and having this problem... 😕

0 Karma

Path Finder

So I did some more debugging on this one, and even though the connection test failed in the setup screen, once I pushed the app to the indexers as well I was able to do an ldap search to generate my assets list. I did still get an error message moaning, but it did work.

It's good to see that this has been captured though and will be resolved in the upcoming 2.1.2 release of SA-ldapsearch.

Thanks
Darren

0 Karma

Splunk Employee

The workaround listed in TAG-9200 is to:
1. Install the SA-ldapsearch app on the search head and configure it by setting up and testing the connection through the configuration view (even when it throws the error "the default configuration stanza for ldap.conf is missing", it still configures ldap.conf with a default stanza).
2. Deploy the configured app to the search peers (indexers).

The fix is listed as coming in version 2.1.2.
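
A pre-deployment check for the workaround above, as an added example that is not part of the original thread or the add-on's code: it confirms that the ldap.conf written on the search head really contains a [default] stanza, flags domain stanzas that are not uppercase (assuming the uppercase requirement one poster mentions applies to the stanza name), and compares splunk.secret contents across hosts, the condition another poster gives for deploying hashed passwords. The sample file, its key names and the function names are constructed for illustration.

```python
import hashlib
import re

# Constructed sample: ldap.conf as the setup view might leave it on the search head.
# Stanza and key names are illustrative assumptions, not copied from the add-on.
SAMPLE_LDAP_CONF = """\
[default]
server = dc01.example.com
port = 636
ssl = true

[example.com]
alternatedomain = EXAMPLE
basedn = DC=example,DC=com
"""

STANZA = re.compile(r"^\[(?P<name>[^\]]*)\]\s*$")


def parse_stanzas(text):
    """Return {stanza_name: {key: value}} from Splunk-style .conf text."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA.match(line)
        if m:
            current = stanzas.setdefault(m.group("name"), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def lint_ldap_conf(text):
    """Findings for the two conditions raised in the thread."""
    stanzas = parse_stanzas(text)
    findings = []
    if "default" not in stanzas:
        findings.append("no [default] stanza")
    for name in stanzas:
        if name != "default" and name != name.upper():
            findings.append(f"domain stanza [{name}] is not uppercase")
    return findings


def secrets_match(secret_by_host):
    """True when every host's splunk.secret bytes hash to the same digest."""
    digests = {hashlib.sha256(s).hexdigest() for s in secret_by_host.values()}
    return len(digests) == 1
```

Comparing digests rather than the file contents lets the check run without copying splunk.secret itself between hosts.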

Motivator

This worked, however it runs the search on every indexer, so it adds some extra load on the domain controllers AND you need to dedup the results to get the right results.

Engager

Thanks team, worked for us too!

0 Karma

SplunkTrust

We had this problem in a fresh ES install this past week. We duplicated settings from a working 6.2.x install but they did not work in the newer environment.

In our case, we found that we needed to deploy the SA-ldapsearch app and config to both the search head and indexers and all worked after that. There was a conflict in Splunk and the app over LDAP default stanzas so by pushing that config to the indexers as well it fixed the confusion.

Splunk Employee

Ran into this as well. Did all the same troubleshooting and still have nothing. Anybody else?

0 Karma

Splunk Employee

I'm able to reproduce the same behavior. Reported to Splunk DEV as a bug in: TAG-9950

Open a support case and request to be added to the bug.

0 Karma