
Error when configuring ldapsearch with Splunk Supporting Add-on for Active Directory.

3DGjos
Communicator

I'm working with some ldapsearch searches and I'm having the following problem with one of our search heads. I can't even configure the input, and the interface shows me this error when configuring the connection and when doing any ldapsearch search:

External search command 'ldapsearch' returned error code 1. Script output = " ERROR "HTTPError at ""/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py"", line 1111 : HTTP 403 Forbidden -- insufficient permission to access this resource" ".

I'm using a local admin account with all the capabilities needed to perform the configuration: admin_all_objects, list_storage_passwords, and edit_tcp.

P.S. The add-on works with another search head. My Splunk version is 7.3.1 and my add-on version is 2.1.4.

Any help will be appreciated, thanks!


sayantabasak
Explorer

Try with the below additional capabilities and it should work:

list_settings

rest_properties_get


We got this working without admin_all_objects, so you might drop that as well.


JeffGolden
Engager

Giving admin_all_objects is not an advisable solution. This gives people way more permission than they need to get LDAP search working, and I agree with @sayantabasak.

This is what that capability gives people access to do and should only be limited to administrators:

admin_all_objects: Lets the user access and modify any object in the system regardless of any restrictions set in the objects. For example user objects, search jobs, reports, and knowledge objects. Lets the user bypass any ACL restrictions, much the way root access in a *nix environment does.


I was able to give my Analysts access to run LDAP queries by adding the following capabilities to their analyst user role:

list_settings

list_storage_passwords

Here is the access that list_settings and list_storage_passwords provide. During troubleshooting, I discovered both are required; they allow the users to perform GETs for the password (to authenticate to AD), but they do not allow them to POST (or write to) the password as admin_all_objects does, which is not required:

list_settings: Lets the user list and view server and introspection settings such as the server name, log levels, etc.

list_storage_passwords: Lets the user list and view the /storage/passwords endpoint, lets the user perform GETs. The admin_all_objects capability must be added to the role for the user to perform POSTs to the /storage/passwords endpoint.


To view more on roles @3DGjos, please see the following page on Splunk Docs:

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/Rolesandcapabilities

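As an added illustration of the least-privilege point made in the answers above (this is editor-supplied example code, not from the thread or from Splunk), the script below parses a constructed authorize.conf, resolves each role's effective capabilities through importRoles inheritance, and reports which roles carry the two capabilities JeffGolden found necessary for ldapsearch and which ones carry admin_all_objects. It assumes the required set is exactly list_settings plus list_storage_passwords (taken from that answer; adjust for your add-on version) and that built-in roles such as user are defined elsewhere, so unknown imports contribute nothing.

```python
import configparser
from typing import Dict, Set

# Constructed sample authorize.conf (not from the thread): one role built the
# over-broad way, one least-privilege role, and one that only inherits from it.
SAMPLE_AUTHORIZE_CONF = """
[role_ldap_admin_style]
importRoles = user
admin_all_objects = enabled
list_storage_passwords = enabled
edit_tcp = enabled

[role_ldap_analyst]
importRoles = user
list_settings = enabled
list_storage_passwords = enabled

[role_soc_tier1]
importRoles = ldap_analyst
"""

# Assumption (from JeffGolden's answer): these two are what ldapsearch needs to GET the stored bind password.
LDAPSEARCH_REQUIRED = {"list_settings", "list_storage_passwords"}
OVERBROAD = {"admin_all_objects"}  # root-like; flagged, never treated as implying the others

def parse_roles(text: str) -> Dict[str, dict]:
    """Read [role_<name>] stanzas; keep importRoles and every capability set to 'enabled'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # Splunk keys are case-sensitive; do not lowercase them
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if section.startswith("role_"):
            imports = [r.strip() for r in cp[section].get("importRoles", "").split(";") if r.strip()]
            caps = {k for k, v in cp[section].items() if k != "importRoles" and v.strip().lower() == "enabled"}
            roles[section[len("role_"):]] = {"imports": imports, "caps": caps}
    return roles

def effective_caps(roles: Dict[str, dict], name: str, seen: Set[str] = None) -> Set[str]:
    """Union of a role's own capabilities and those of everything it imports (cycle-safe)."""
    seen = set() if seen is None else seen
    if name in seen or name not in roles:  # unknown = built-in role defined in default authorize.conf
        return set()
    seen.add(name)
    caps = set(roles[name]["caps"])
    for parent in roles[name]["imports"]:
        caps |= effective_caps(roles, parent, seen)
    return caps

def audit(text: str) -> Dict[str, dict]:
    """Per role: can it run ldapsearch, what is missing, and which over-broad capabilities it holds."""
    roles = parse_roles(text)
    return {name: {"can_run_ldapsearch": LDAPSEARCH_REQUIRED <= (caps := effective_caps(roles, name)),
                   "missing": sorted(LDAPSEARCH_REQUIRED - caps),
                   "overbroad": sorted(OVERBROAD & caps)} for name in roles}
```

Running audit(SAMPLE_AUTHORIZE_CONF) flags ldap_admin_style as over-broad yet still missing list_settings, while ldap_analyst and soc_tier1 pass with nothing extra.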
