
Error running LDAPSearch

willadams
Contributor

I have configured the application as per the guidelines. I used the default configuration that comes with the app as it doesn't seem to matter if I create a new one or not.

Alternate domain name ==> MYDOMAIN
Base DN ==> DC=mydomain,DC=com,DC=au
Hostname ==> dc1.mydomain.com.au
Port ==> 389

Bind DN ==> CN=testaccout,OU=Accounts,OU=Users,DC=mydomain,DC=com,DC=au
Password ==> password

Testing the connection, it works fine. Clicking the Save button (which the UI doesn't refresh) writes my configuration into the relevant files on my Splunk Enterprise instance.

Performing the following search, I get the following errors, which look to just be column headings if I am not mistaken:

External search command 'ldapsearch' returned error code 1. First 1000 (of 655748350) bytes of script output: " serial,mvserial,_time,mvtime,_raw,mvraw,host,mv_host,dn,mv_dn,msExchSmtpReceiveMaxLogonFailures,_mv_msExchSmtpReceiveMaxLogonFailures,msDS-Transformation

The SA-ldapsearch.log file shows the following:

2019-07-16 15:51:40,473, Level=ERROR, Pid=6304, File=search_command.py, Line=969, IOError at "D:\SPLUNK Enterprise\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\internals.py", line 698 : [Errno 22] Invalid argument
Traceback:
File "D:\SPLUNK Enterprise\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\search_command.py", line 593, in _process_protocol_v1
self._execute(ifile, None)
File "D:\SPLUNK Enterprise\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\generating_command.py", line 197, in _execute
self.finish()
File "D:\SPLUNK Enterprise\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\search_command.py", line 382, in finish
self._record_writer.flush(finished=True)
File "D:\SPLUNK Enterprise\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\internals.py", line 698, in flush
write(self._buffer.getvalue())

I checked the job inspector on SPLUNK and it indicates the following:

This search has completed in 465.118 seconds, but did not match any events. The terms specified in the highlighted portion of the search:

ldapsearch domain=default search="(objectClass=group)" | ifields + cn, distinguishedName | ldapgroup | table cn, member_dn, member_type
over the time range:

15/07/2019 15:00:00.000 - 16/07/2019 15:45:00.000
did not return any data. Possible solutions are to:

* relax the primary search criteria
* widen the time range of the search
* check that the default search indexes for your account include the desired indexes
* Learn more about troubleshooting empty search results at Splunk Documentation

The following messages were returned by the search subsystem:

info : No matching fields exist.
error : External search command 'ldapsearch' returned error code 1. First 1000 (of 655748350) bytes of script output: " serial,mvserial,_time,mvtime,_raw,mvraw,host,mv_host,dn,mv_dn,msExchSmtpReceiveMaxLogonFailures,mv_msExchSmtpReceiveMaxLogonFailures,msDS-TransformationRulesCompiled,_mv_msDS-TransformationRulesCompiled,msExchESEParamLogWaitingUserMa

I am testing this on a test box (Windows) to validate the app before I move this onto our Development environment, so I don't have to monitor CSV files that are generated by PowerShell scripts.

I am not sure where this is going wrong. Any assistance would be appreciated.

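The search in the post asks for one row per group member (cn, member_dn, member_type). As an added example, not SA-ldapsearch's own ldapgroup command and not code from the poster, the script below builds that table offline from a constructed set of Active Directory style entries, flattening nested groups with cycle detection and labelling members from their objectClass. The directory contents, the DNs, the "computer" / "user" / "group" / "unknown" labels and the group-expansion semantics are all this example's assumptions; they illustrate the shape of the data, not what the app returns for the poster's domain.

```python
"""Offline group-membership expansion shaped like the posted search
(ldapsearch ... (objectClass=group) | ... | table cn, member_dn, member_type).

Added example for this thread; it is NOT SA-ldapsearch's ldapgroup command.
All entries below are constructed sample data and the DNs are made up.
"""
from collections import deque

# Constructed sample directory: dn -> attributes, mimicking what an AD server
# returns for the three attributes this task actually needs (cn, objectClass,
# member). A nested group, a membership cycle (Staff <-> ITOps) and a dangling
# member DN are included on purpose, because real directories contain all three.
STAFF_DN = "CN=Staff,OU=Groups,DC=mydomain,DC=com,DC=au"
ITOPS_DN = "CN=ITOps,OU=Groups,DC=mydomain,DC=com,DC=au"
ALICE_DN = "CN=alice,OU=Accounts,OU=Users,DC=mydomain,DC=com,DC=au"
BOB_DN = "CN=bob,OU=Accounts,OU=Users,DC=mydomain,DC=com,DC=au"
SRV01_DN = "CN=SRV01,OU=Servers,DC=mydomain,DC=com,DC=au"
GHOST_DN = "CN=ghost,OU=Accounts,OU=Users,DC=mydomain,DC=com,DC=au"  # no entry

SAMPLE_DIRECTORY = {
    STAFF_DN: {"objectClass": ["top", "group"], "cn": "Staff",
               "member": [ITOPS_DN, ALICE_DN]},
    ITOPS_DN: {"objectClass": ["top", "group"], "cn": "ITOps",
               "member": [BOB_DN, SRV01_DN, STAFF_DN, GHOST_DN]},  # STAFF_DN closes a cycle
    ALICE_DN: {"objectClass": ["top", "person", "organizationalPerson", "user"], "cn": "alice"},
    BOB_DN: {"objectClass": ["top", "person", "organizationalPerson", "user"], "cn": "bob"},
    # AD computer objects also carry the 'user' class, so 'computer' must win.
    SRV01_DN: {"objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
               "cn": "SRV01"},
}


def classify(attrs):
    """Map an entry's objectClass values to a member_type label (this example's labels)."""
    classes = set(attrs.get("objectClass", []))
    if "group" in classes:
        return "group"
    if "computer" in classes:  # checked before 'user': computers are users too in AD
        return "computer"
    if "user" in classes:
        return "user"
    return "unknown"  # dangling DN, foreign security principal, or unreadable entry


def expand_group(directory, group_dn, recursive=True):
    """Return [(member_dn, member_type), ...] for group_dn.

    With recursive=True nested groups are flattened breadth-first. A visited
    set stops circular membership from looping forever, and the root group is
    never listed as a member of itself. Each DN is reported once.
    """
    results, seen = [], set()
    visited_groups = {group_dn}
    queue = deque([group_dn])
    while queue:
        current = queue.popleft()
        for member_dn in directory.get(current, {}).get("member", []):
            if member_dn == group_dn:
                continue  # cycle back to the root group
            member_type = classify(directory.get(member_dn, {}))
            if member_dn not in seen:
                seen.add(member_dn)
                results.append((member_dn, member_type))
            if recursive and member_type == "group" and member_dn not in visited_groups:
                visited_groups.add(member_dn)
                queue.append(member_dn)
    return results


def membership_table(directory, recursive=False):
    """Rows shaped like 'table cn, member_dn, member_type' over every group entry."""
    rows = []
    for dn, attrs in directory.items():
        if classify(attrs) != "group":
            continue  # the posted filter is (objectClass=group)
        for member_dn, member_type in expand_group(directory, dn, recursive=recursive):
            rows.append({"cn": attrs["cn"], "member_dn": member_dn, "member_type": member_type})
    return rows


if __name__ == "__main__":
    for row in membership_table(SAMPLE_DIRECTORY, recursive=True):
        print(f'{row["cn"]:<8}{row["member_type"]:<10}{row["member_dn"]}')
```

Note that the whole job only needs three attributes per entry (cn, objectClass, member); an LDAP query for effective group membership should request just those rather than every attribute the server can return.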