All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

External search command 'ldapfilter' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing. "

MartinMcNutt
Communicator
‎02-20-2015 09:40 AM 
[ServerName] External search command 'ldapfilter' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing. "

i am running sa-ldapsearch 2.01 on windows using splunk 6.2.1 and I have it all my domains configured and tested yet I continue to get this message.

The error is coming from one of my indexers and I am not sure where to go to fix this. The defaul stanza is located at the top of ldap.conf and it successfully tested. The documentation says the app only needs to be installed on the search head so why am I getting this error?

Other tidbit of information: I removed the existing sa-ldapsearch and downloaded a brand new 2.01 and configured from a clean install.

Tags (1)
Reply

pavankumarh
Path Finder
‎06-14-2022 05:23 AM

This seems to be a known issue and solution is available in the documentation link below. Creating the local\commands.conf worked for us. 

https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.4/User/Workaroundfordefaultconfigstanzaerror...

Tags (2)
0 Karma
Reply

MartinMcNutt
Communicator
‎03-13-2015 06:33 AM

I have been complaining to my sales rep about the lack of response for this ticket. After my compliant, I did receive one tidbit of information regarding SA-ldapsearch slow search performance.

They mentioned that this version of SA-ldapsearch does not inherit the username / password from the default stanza. While is seems to pre-fill the username and password in the GUI apparently it doesn't make it in the config file.

I manually typed in the username / password on all stanzas and that helped with performance.

So if this is known by support...WHY wasn't this added to known issues that you must type in username/password.

ldap.conf is missing
I talked to someone yesterday and mentioned that main reason for the ticket being open was still not looked into.

Reply

MartinMcNutt
Communicator
‎02-20-2015 02:40 PM

I found a workaround for my issue and I will have to open a ticket to see why it is occurring.

I have this field called targetid which contains the mailNickname that I was to pass to Ldapfilter. When I simply use $targetid$ in (mailNickname=$targetid$) sa-ldapsearch will spaz out with that message.

The work around was | eval ID=targetid | ...........(mailNickname=$ID$)

I might have some have some issues with the character set when the file was brought into the indexer.

0 Karma
Reply

rharrisssi
Path Finder
‎03-12-2015 06:02 PM

Have you heard anything yet from Splunk support?

0 Karma
Reply

mikaelbje
Motivator
‎03-04-2015 12:43 AM

Hi Martin!

I read in another thread that you have a support case with Splunk about the ldap.conf error you are seeing. Have they found the cause of the problem?

0 Karma
Reply

MartinMcNutt
Communicator
‎03-04-2015 02:19 PM

Afraid I don't have any fix yet or even an update on the ticket.

I opened up the ticket on Feb 20 and a support person replied on 2/23. I got him the files he requested and never heard from him since.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...