How to resolve 'ldapsearch' error?

damode
Motivator

Whenever I run any LDAP query on the Search Head, I get results; however, I always get the error below:

[INDEXER] External search command 'ldapsearch' returned error code 1. Script output = " ERROR "KeyError at ""C:\Program Files\Splunk\var\run\searchpeers\SEARCH-HEAD-1511928556\apps\SA-ldapsearch\bin\packages\splunklib\client.py"", line 1653 : u'ldap'" "

On another post where this question was asked, the following options were given:
1. Install and configure the SA-ldapsearch component on your indexer instances.
2. Modify the commands.conf within SA-ldapsearch to run in the local space only.

However, I have already installed SA-ldapsearch on the Indexer, but it didn't make any difference. And the drawback of the 2nd solution is that it can result in degraded search performance, due to restricting LDAP queries to the search head only.

Please advise how I can resolve this.

Thank you.

hardikJsheth
Motivator

The error suggests it can't find the ldap.conf file. Did you configure your AD/LDAP in SA-ldapsearch? You should have an ldap.conf file within SA-ldapsearch, either in the default or in the local folder, like the following:

[ADS]
alternatedomain = abc.bcd.com
basedn = dc=ads,dc=abc,dc=com
binddn = CN=SplunkUser,OU=Service Accounts,OU=User Accounts,DC=ads,DC=abc,DC=com
port = 3269
server = x.x.x.x
ssl = 1
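
As an added check (example code written for this page, not part of SA-ldapsearch and not either poster's configuration), the script below parses an ldap.conf stanza shaped like the one above and flags the mistakes that give you a bind that fails or a bind password that crosses the network in cleartext: missing keys, and an ssl flag that disagrees with the port (389 and 3268 are the cleartext LDAP and Global Catalog ports, 636 and 3269 their TLS counterparts). The sample stanza is constructed; it keeps port 3269 while ssl is switched off, which is the kind of drift the thread describes between GUI edits and manual edits. The plaintext `password` check rests on the assumption that the bind password belongs in passwords.conf, not in ldap.conf.

```python
"""Sanity-check an SA-ldapsearch ldap.conf stanza before pressing 'test connection'.

Added example for this thread, not code from SA-ldapsearch or from the posters.
Assumptions: the stanza keys shown in the answer above (server, port, ssl,
basedn, binddn, optional alternatedomain) and the usual LDAP/AD port
conventions (389/3268 cleartext, 636/3269 TLS).
"""
import configparser
import io

# Constructed sample: same keys as the stanza above, but ssl switched off while
# the TLS Global Catalog port (3269) is left in place.
SAMPLE_LDAP_CONF = """\
[ADS]
alternatedomain = abc.bcd.com
basedn = dc=ads,dc=abc,dc=com
binddn = CN=SplunkUser,OU=Service Accounts,OU=User Accounts,DC=ads,DC=abc,DC=com
port = 3269
server = x.x.x.x
ssl = 0
"""

REQUIRED_KEYS = ("server", "port", "basedn", "binddn")
TLS_PORTS = {636, 3269}        # LDAPS, AD Global Catalog over TLS
CLEARTEXT_PORTS = {389, 3268}  # LDAP, AD Global Catalog in the clear


def parse_ldap_conf(text):
    """Parse Splunk-style ldap.conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written
    cp.read_file(io.StringIO(text))
    return {name: dict(cp[name]) for name in cp.sections()}


def check_stanza(name, stanza):
    """Return the list of problems found in one [domain] stanza ([] = ok)."""
    problems = []
    for key in REQUIRED_KEYS:
        if not stanza.get(key, "").strip():
            problems.append(f"[{name}] missing required key '{key}'")
    try:
        port = int(stanza.get("port", "").strip())
    except ValueError:
        problems.append(f"[{name}] port is not an integer")
        return problems
    ssl = stanza.get("ssl", "0").strip().lower() in ("1", "true")
    if ssl and port in CLEARTEXT_PORTS:
        problems.append(f"[{name}] ssl = 1 but port {port} is a cleartext LDAP port")
    elif not ssl and port in TLS_PORTS:
        problems.append(f"[{name}] ssl = 0 but port {port} is a TLS port")
    elif not ssl:
        problems.append(f"[{name}] ssl = 0: the bind password would cross the network in cleartext")
    # Assumption: the bind password lives in passwords.conf; a plaintext
    # 'password' key here is flagged.
    if stanza.get("password"):
        problems.append(f"[{name}] plaintext 'password' key present in ldap.conf")
    return problems


def check_ldap_conf(text):
    """Run check_stanza over every stanza; returns {stanza: [problems]}."""
    return {name: check_stanza(name, st) for name, st in parse_ldap_conf(text).items()}


if __name__ == "__main__":
    for stanza, problems in check_ldap_conf(SAMPLE_LDAP_CONF).items():
        print(stanza, "OK" if not problems else "")
        for problem in problems:
            print("  -", problem)
```

Point it at `$SPLUNK_HOME/etc/apps/SA-ldapsearch/local/ldap.conf` on each box where the command runs; a stanza that passes here but still fails the GUI test is a credential or network problem, not a file-layout one.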

damode
Motivator

Hi @hardikJsheth,

There is already an ldap.conf in the local dir of both the S.H. and the Indexer. I had manually created ldap.conf on the Indexer with the same config as the S.H., after reading one of the posts on a similar topic here.

Additional info: there are no passwords.conf and app.conf in the local folder of the Indexer. The S.H. has all 3 files.

hardikJsheth
Motivator

Since you have updated the commands.conf file on your search head cluster to run the query locally, you don't need to configure the app on your indexer.

The configuration page provides an option to test your configuration. Did you try it out? Can you try this and, if it fails, look for the error in your splunkd.log file?

damode
Motivator

Hi Hardik,

I didn't go for the 2nd option, which is about editing the commands.conf, just to avoid any impact on search performance. W.r.t. architecture, I have just 1 Search Head and 1 Indexer.

I have tried configuring through the GUI and also got the connection tested successfully. However, the issue with that page is that it shows the connection as untested when you either refresh or go back to that page. And whenever I used to check the ldap.conf file, the ssl used to somehow get enabled, which I wanted disabled. Hence, I just do it manually.

hardikJsheth
Motivator

The command is not working because you haven't configured the LDAP/AD account on the indexer.

If you want to choose option 1, please configure the LDAP/AD credentials on the indexer nodes. After the configuration you will have passwords.conf/ldap.conf on the indexer.

devd25
Explorer

Hi @Hardik,

Would copying the passwords.conf and app.conf of the Search Head to the Indexer work, or should I configure it via the GUI on the Indexer?

hardikJsheth
Motivator

You should configure it via the GUI if you have the Indexer's GUI available.

The passwords in passwords.conf are encrypted, and for Splunk >= 6.3, it ensures that the same encryption keys are used between search nodes/indexer nodes which are in a cluster. However, I am not sure if Splunk manages the encryption keys between a search head and indexers.

damode
Motivator

I did it via the GUI too, but it still gives that error.

Currently, both the Search Head and the Indexer have exact copies of app.conf, passwords.conf and ldap.conf.

damode
Motivator

This is what I found within client.py at line 1653:

    try:
        response = self.get(key)
        return ConfigurationFile(self.service, PATH_CONF % key, state={'title': key})
    except HTTPError as he:
        if he.status == 404:  # No entity matching key
            raise KeyError(key)  # line 1653
        else:
            raise

How can I resolve this?

I also noticed that this folder (mentioned in the error message)
C:\Program Files\Splunk\var\run\searchpeers\SEARCH-HEAD-1511928556\apps\SA-ldapsearch has only a bin folder. Should I create a local folder and place the ldap.conf and passwords.conf files here?

hardikJsheth
Motivator

Try it out. Copy and paste ldap.conf and passwords.conf into the local folder.

damode
Motivator

I had tried that, but Splunk keeps updating/deleting these folders. The folder in which I had made those changes isn't there anymore.

Currently, it's giving me the same error from C:\Program Files\Splunk\var\run\searchpeers\SEARCH-HEAD-1512451985\apps\SA-ldapsearch\bin\packages\splunklib\client.py

hardikJsheth
Motivator

You can add the following entries on your search head in the distsearch.conf file under the $SPLUNK_HOME/etc/system/local folder.

[replicationSettings:refineConf]
replicate.ldap = true

This entry ensures that ldap.conf is replicated to the searchpeers folder.

damode
Motivator

Hi Hardik,

The info on distsearch.conf for the [replicationSettings:refineConf] setting says that:

    These settings on their own do not cause files to be replicated. A file must still be whitelisted (via replicationWhitelist) to be eligible for inclusion via these settings.

So I am guessing I will have to add a file to the whitelist as well. Is that right? If yes, then please advise how I can do it via replicationWhitelist.

hardikJsheth
Motivator

I have these settings:

[replicationSettings:refineConf]
replicate.ldap = true

[replicationWhitelist]
allConf = *.conf

You can also refer to this Splunk Answers post for the ldapsearch error:
https://answers.splunk.com/answers/312136/after-upgrading-to-splunk-63-why-is-the-splunk-sup.html
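
To confirm that the two distsearch.conf settings above actually reach the peer, here is an added example (written for this page; not Splunk's code and not either poster's). replication_findings() lints a distsearch.conf text for both requirements the spec quote describes, a [replicationWhitelist] pattern that matches ldap.conf and replicate.ldap = true under [replicationSettings:refineConf]; the constructed 'before' text with refineConf alone is reported as incomplete. replicated_copies() then globs the peer's var/run/searchpeers/<searchhead>-<timestamp>/apps/SA-ldapsearch/*/ldap.conf to show which pushed bundles contain the file, which is the location the KeyError traceback points at. Assumptions: whitelist patterns are matched shell-style against the bare file name (a simplification of Splunk's matcher), and the distsearch.conf texts and the demo directory tree are constructed for the example.

```python
"""Lint distsearch.conf for ldap.conf replication and find the replicated copy on a peer.

Added example for this thread, not Splunk's or SA-ldapsearch's own code.
Assumption: whitelist patterns are matched shell-style (fnmatch) against the
bare file name, a simplified model of Splunk's replicationWhitelist matching.
"""
import configparser
import fnmatch
import glob
import io
import os
import shutil
import tempfile

# Constructed: refineConf on its own, the state the question describes.
BEFORE = """\
[replicationSettings:refineConf]
replicate.ldap = true
"""

# Constructed: refineConf plus the whitelist entry, the working settings above.
AFTER = """\
[replicationSettings:refineConf]
replicate.ldap = true

[replicationWhitelist]
allConf = *.conf
"""


def parse_conf(text):
    """Parse Splunk-style conf text into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case, e.g. 'allConf'
    cp.read_file(io.StringIO(text))
    return {name: dict(cp[name]) for name in cp.sections()}


def replication_findings(distsearch_text, conf="ldap"):
    """Return what is missing for <conf>.conf to be replicated ([] = nothing).

    Both conditions from the spec quote are checked: a whitelist pattern must
    match the file, and replicate.<conf> must be true in refineConf.
    """
    sections = parse_conf(distsearch_text)
    filename = f"{conf}.conf"
    findings = []
    patterns = [p.strip() for p in sections.get("replicationWhitelist", {}).values()]
    if not any(fnmatch.fnmatch(filename, p) for p in patterns):
        findings.append(f"no [replicationWhitelist] pattern matches {filename}")
    flag = sections.get("replicationSettings:refineConf", {}).get(f"replicate.{conf}", "")
    if flag.strip().lower() not in ("true", "1"):
        findings.append(f"[replicationSettings:refineConf] replicate.{conf} is not true")
    return findings


def replicated_copies(splunk_home, app="SA-ldapsearch", conf="ldap.conf"):
    """On a search peer, list every pushed bundle that contains <app>/*/<conf>.

    Bundle directories are named <searchhead>-<timestamp> and are swapped out
    on each bundle push, so a file copied in by hand vanishes at the next push;
    only a file that arrives through replication shows up here consistently.
    """
    pattern = os.path.join(splunk_home, "var", "run", "searchpeers", "*",
                           "apps", app, "*", conf)
    return sorted(glob.glob(pattern))


def demo_bundle_check():
    """Build a throwaway peer tree (constructed) and run replicated_copies on it."""
    root = tempfile.mkdtemp(prefix="splunk-peer-demo-")
    bundle = os.path.join(root, "var", "run", "searchpeers",
                          "SEARCH-HEAD-1511928556", "apps", "SA-ldapsearch")
    os.makedirs(os.path.join(bundle, "bin"))
    os.makedirs(os.path.join(bundle, "local"))
    with open(os.path.join(bundle, "local", "ldap.conf"), "w") as fh:
        fh.write("[ADS]\nserver = x.x.x.x\n")
    try:
        return replicated_copies(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {replication_findings(text) or 'ok'}")
    print("demo tree:", demo_bundle_check())
    # On a real peer, point it at the install instead of the demo tree:
    print(replicated_copies(os.environ.get("SPLUNK_HOME", r"C:\Program Files\Splunk")))
```

Run the lint against the search head's merged distsearch.conf and the glob on the indexer after the next bundle push: an empty findings list on the search head together with an empty glob result on the peer means the bundle went out without the file, which is the case to chase in splunkd.log.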

damode
Motivator

Please ignore my previous comment regarding the S.H. not starting. It's resolved now.

At this stage, since LDAP is already configured on the Indexer, would the above settings override the Indexer's current LDAP settings? Or should I delete the current configuration on the Indexer and wait for the Search Head's LDAP config to get replicated to the Indexer?

I had already referred to the link you shared, but it has too many varying answers with no concrete points. For example, the 1st answer deals with versions prior to 2.1.2, but I am already running the latest version, 2.1.4, and the issue still persists.

Most of those talk about manually installing the LDAP app on the Indexer and pushing the config from the S.H. via the deployer. However, with my architecture (1 S.H. and 1 Indexer), how can I push the config to the Indexer so that it uses the same password hashes? Or would the settings you provided above achieve that task?

hardikJsheth
Motivator

No, it won't impact the configurations under $SPLUNK_HOME/etc/apps. This change impacts what gets into the $SPLUNK_HOME/var/run/searchpeers folder.

damode
Motivator

Hi Hardik,

I have got only one Search Head and one Indexer. Would the above settings have any negative impact on the S.H., considering these [shclustering] settings are applicable to a search head cluster?

hardikJsheth
Motivator

I am sorry, the settings for the SH cluster are not needed. You need to add the distsearch.conf settings as mentioned in the comments.