I'm working with some ldapsearch searches and I'm having the following problem with one of our search heads. I can't even configure the input, and the interface shows me this error when configuring the connection and when doing any ldapsearch search:
External search command 'ldapsearch' returned error code 1. Script output = " ERROR "HTTPError at ""/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py"", line 1111 : HTTP 403 Forbidden -- insufficient permission to access this resource" ".
I'm using a local admin account with all the capabilities needed to perform the configuration: admin_all_objects, list_storage_passwords, and edit_tcp.
P.S. The add-on works with another search head. My Splunk version is 7.3.1 and my add-on version is 2.1.4.
Giving admin_all_objects is not an advisable solution. This gives people way more permission than they need to get LDAP search working and I agree with @sayantabasak .
This is what that capability gives people access to do and should only be limited to administrators:
Lets the user access and modify any object in the system regardless of any restrictions set in the objects. For example user objects, search jobs, reports, and knowledge objects. Lets the user bypass any ACL restrictions, much the way root access in a *nix environment does.
I was able to give my Analysts access to run LDAP queries by adding the following capabilities to their analyst user role:
Here is the access list_settings and list_storage_passwords provide. During troubleshooting, I discovered both are required and allows the users to perform gets for the password (to authenticate to AD), but it does not allow them to POST (or write to) the password as the admin_all_objects does and is not required:
Lets the user list and view server and introspection settings such as the server name, log levels, etc.
Lets the user list and view the/storage/passwordsendpoint, lets the user perform GETs. The admin_all_objects capability must be added to the role for the user to perform POSTs to the/storage/passwordsendpoint.
To view more on roles @3DGjos, please see the following page on Splunk Docs: