
Error when configuring ldapsearch with Splunk Supporting Add-on for Active Directory.


I'm working with some ldapsearch searches and I'm having the following problem with one of our search heads. I can't even configure the input, and the interface shows me this error when configuring the connection and when doing any ldapsearch search:

External search command 'ldapsearch' returned error code 1. Script output = " ERROR "HTTPError at ""/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/"", line 1111 : HTTP 403 Forbidden -- insufficient permission to access this resource" ".

I'm using a local admin account with all the capabilities needed to perform the configuration: admin_all_objects, list_storage_passwords, and edit_tcp.

P.S. The add-on works with another search head. My Splunk version is 7.3.1 and my add-on version is 2.1.4.

Any help will be appreciated, thanks!



Try with the below additional capabilities and it should work




We got this working without admin_all_objects, so you might drop that as well.



Giving admin_all_objects is not an advisable solution. This gives people way more permission than they need to get LDAP search working, and I agree with @sayantabasak.

This is what that capability gives people access to do and should only be limited to administrators:

admin_all_objects: Lets the user access and modify any object in the system regardless of any restrictions set in the objects. For example user objects, search jobs, reports, and knowledge objects. Lets the user bypass any ACL restrictions, much the way root access in a *nix environment does.


I was able to give my Analysts access to run LDAP queries by adding the following capabilities to their analyst user role:



Here is the access list_settings and list_storage_passwords provide. During troubleshooting, I discovered both are required and allow the users to perform GETs for the password (to authenticate to AD), but they do not allow them to POST (or write to) the password as admin_all_objects does, which is not required:

list_settings: Lets the user list and view server and introspection settings such as the server name, log levels, etc.
list_storage_passwords: Lets the user list and view the /storage/passwords endpoint, lets the user perform GETs. The admin_all_objects capability must be added to the role for the user to perform POSTs to the /storage/passwords endpoint.


To view more on roles @3DGjos, please see the following page on Splunk Docs:
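
Added example, not part of the thread and not Splunk's or the add-on's code: a short Python audit of an authorize.conf that follows importRoles inheritance and reports which roles effectively hold admin_all_objects and which hold the two read capabilities named above without it. The sample configuration and its role names are constructed, and only capabilities set to `enabled` are counted.

```python
import configparser

# Constructed sample authorize.conf; the role names are hypothetical.
SAMPLE = """
[role_ldap_base]
list_settings = enabled
list_storage_passwords = enabled
[role_user]
search = enabled
[role_analyst]
importRoles = user;ldap_base
[role_legacy_ldap]
importRoles = user
admin_all_objects = enabled
list_storage_passwords = enabled
"""

# The two read capabilities the thread names as required for ldapsearch.
READ_CAPS = {"list_settings", "list_storage_passwords"}

def effective_capabilities(conf_text):
    """Map each role to its enabled capabilities, following importRoles."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case so importRoles is found
    cp.read_string(conf_text)
    roles = {s[5:]: dict(cp[s]) for s in cp.sections() if s.startswith("role_")}

    def resolve(name, seen):
        if name in seen or name not in roles:  # import cycle, or role defined elsewhere
            return set()
        caps = {k for k, v in roles[name].items() if v.strip().lower() == "enabled"}
        for parent in roles[name].get("importRoles", "").split(";"):
            caps |= resolve(parent.strip(), seen | {name})
        return caps

    return {name: resolve(name, frozenset()) for name in roles}

def audit(conf_text):
    """Flag roles holding admin_all_objects; note which have both read capabilities."""
    verdicts = {}
    for role, caps in effective_capabilities(conf_text).items():
        if "admin_all_objects" in caps:
            verdicts[role] = "has admin_all_objects"
        elif READ_CAPS <= caps:
            verdicts[role] = "both read capabilities, no admin_all_objects"
        else:
            verdicts[role] = "missing a read capability"
    return verdicts

if __name__ == "__main__":
    print(audit(SAMPLE))
```
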

