
Ldapsearch / ActiveDirectory app issue

ofgem_bird
Engager

I am having an issue with the ldapsearch functionality under the Active Directory app in Splunk.

I have been trying to get it to enumerate groups correctly. In certain circumstances I can get it to display all groups under Security > Reports > Security Groups - all.

This appears to return the correct values; however, it appears to be struggling to enumerate group membership. If I run the report for Security > Reports > Security Groups - Empty, it merely returns the same group listing regardless of whether the group is empty or not. (This only works if I use a single domain in the ldap.conf, with the 3 required stanzas as well as the default stanza.)

I have a domain forest and a child domain. So presumably the ldap.conf should look something like this. (where forest is x.y.z and child domain is w.x.y.z)

# Forest root domain
[x.y.z]
server=servername1;servername2
port=389
ssl=false
basedn=DC=x,DC=y,DC=z
binddn=CN=account,OU=OrgUnit,DC=x,DC=y,DC=z
password=password

# NetBIOS-name alias for the root domain
[X]
alias=x.y.z

# Base-DN alias for the root domain
[DC=x,DC=y,DC=z]
alias=x.y.z

# Child domain
[w.x.y.z]
server=servername1;servername2
port=389
ssl=false
basedn=DC=w,DC=x,DC=y,DC=z
binddn=CN=account,OU=OrgUnit,DC=w,DC=x,DC=y,DC=z
password=password

# NetBIOS-name alias for the child domain
[W]
alias=w.x.y.z

# Base-DN alias for the child domain
[DC=w,DC=x,DC=y,DC=z]
alias=w.x.y.z

# Fallback connection settings
[default]
server=servername1
port=389
ssl=false

However, when running in this configuration I see the following errors in the sa-ldapsearch.log file.

[com.splunk.program.LDAPSearch:main#-1] ERROR Exception com.unboundid.ldap.sdk.LDAPSearchException thrown: 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
    ref 1: 'w.x.y.z'

Followed by a series of ERROR stack traces:

[com.splunk.program.LDAPSearch:main#-1] ERROR Stack Trace com.unboundid.ldap.sdk.LDAPConnection.search (3112)

If I revert to having just [w.x.y.z] and [default], removing [x.y.z], then some functionality is restored, but I get the following errors logged in the log file.

[com.splunk.ldap.ActiveDirectory:getConnectionForEntry#-1] ERROR Could not find entry dc=x,dc=y,dc=z in ldap.conf

AND

[com.splunk.program.LDAPGroups:Execute#-1] WARNING Context for CN=Group,CN=Directory Element,DC=w,DC=x,DC=y,DC=z was not found - dumping and skipping

Any help in untangling this would be most useful, running on Windows, Java 1.7, Splunk 5.0.2, AD App v1.1.4, ldapsearch v1.1.9.
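As an added example (not code from the Splunk app or from the original poster), here is a small Python linter for an ldap.conf laid out the way the post's domain/alias stanzas are. It runs on a constructed copy of those stanzas with placeholder names, trimmed to the keys the checks use; the child-domain DN alias in the sample deliberately carries a period where a comma belongs, the easiest slip to make when typing `DC=` components by hand. The linter checks that each domain stanza's basedn spells its stanza name, that every basedn has a matching DN alias stanza, that every alias points at a real domain stanza, and that DN-shaped stanza names are well-formed. It also flags ssl=false next to a bind password, since a simple bind over plain LDAP sends that password in clear text. `resolve_dn` is an assumption about how the app picks a stanza for an entry (walk up the entry's DN suffixes until one matches a stanza name); it is there only to show how a misspelled or missing stanza turns into "Could not find entry" or "Context ... was not found", and how a child-domain entry can fall through to the parent stanza. The 0000202B RefErr line in the log is the domain controller answering with a referral to w.x.y.z instead of an entry; a conf check cannot change that, but routing a child entry to the parent's connection is one way to provoke it.

```python
"""Lint an SA-ldapsearch-style ldap.conf for stanza mistakes that surface as
"Could not find entry ... in ldap.conf" and "Context for ... was not found".
Added example; not code from the Splunk app or the original poster."""
import configparser

# Constructed sample mirroring the post's layout (placeholder names). The child-domain
# DN alias deliberately carries a period where a comma belongs, to show what gets caught.
SAMPLE_LDAP_CONF = """\
[x.y.z]
ssl=false
basedn=DC=x,DC=y,DC=z
password=password

[X]
alias=x.y.z

[DC=x,DC=y,DC=z]
alias=x.y.z

[w.x.y.z]
ssl=false
basedn=DC=w,DC=x,DC=y,DC=z
password=password

[W]
alias=w.x.y.z

[DC=W,DC=X,DC=Y.DC=Z]
alias=w.x.y.z

[default]
server=servername1
"""

def parse_ldap_conf(text):
    """Return {stanza: {key: value}}. interpolation=None keeps '%' in passwords intact;
    inline_comment_prefixes=None keeps ';' server separators out of comment handling."""
    cp = configparser.ConfigParser(interpolation=None, inline_comment_prefixes=None)
    cp.read_string(text)
    return {name: dict(cp.items(name)) for name in cp.sections()}

def rdn_pairs(dn):
    """'DC=w,DC=x' -> [('dc', 'w'), ('dc', 'x')]; a value keeps any stray '=' it contains."""
    return [(a.strip().lower(), v.strip()) for a, _, v in (r.partition("=") for r in dn.split(","))]

def normalize_dn(dn):
    """Case- and whitespace-insensitive key for comparing DNs with stanza names."""
    return ",".join(p.strip() for p in dn.split(",")).lower()

def dn_to_domain(dn):
    """DC=w,DC=x,DC=y,DC=z -> w.x.y.z (only the DC components count)."""
    return ".".join(v for a, v in rdn_pairs(dn) if a == "dc")

def lint(sections):
    """Return findings about domain/alias stanza consistency; an empty list means clean."""
    findings = []
    domains = {n: s for n, s in sections.items() if "basedn" in s}
    aliases = {n: s["alias"] for n, s in sections.items() if "alias" in s}
    alias_keys = {normalize_dn(n) for n in aliases}
    for name, s in domains.items():
        if dn_to_domain(s["basedn"]).lower() != name.lower():
            findings.append(f"[{name}]: basedn {s['basedn']} does not spell the stanza name")
        if normalize_dn(s["basedn"]) not in alias_keys:
            findings.append(f"[{name}]: no DN alias stanza named [{s['basedn']}]")
        if "password" in s and s.get("ssl", "false").lower() == "false":
            findings.append(f"[{name}]: ssl=false, so the simple bind sends the password in clear text")
    for name, target in aliases.items():
        if target not in domains:
            findings.append(f"[{name}]: aliases {target}, which has no domain stanza")
        for attr, value in (rdn_pairs(name) if "=" in name else []):
            if "=" in value:
                findings.append(f"[{name}]: RDN {attr}={value} has '=' inside its value; missing comma?")
    return findings

def resolve_dn(sections, dn):
    """Map an entry DN to the domain stanza serving it by walking up its suffixes until one
    matches a stanza name (domain or alias). Assumption about the app's lookup, not its code;
    None corresponds to the 'Could not find entry' / 'Context ... was not found' messages."""
    by_key = {normalize_dn(n): s.get("alias", n) for n, s in sections.items()}
    rdns = [r.strip() for r in dn.split(",")]
    for i in range(len(rdns)):
        target = by_key.get(",".join(rdns[i:]).lower())
        if target is not None:
            return target if "basedn" in sections.get(target, {}) else None
    return None

def drop_domain(sections, domain):
    """Copy of sections without one domain stanza and every alias that points at it."""
    return {n: s for n, s in sections.items() if n != domain and s.get("alias") != domain}

if __name__ == "__main__":
    conf = parse_ldap_conf(SAMPLE_LDAP_CONF)
    for finding in lint(conf):
        print("finding:", finding)
    print("child entry resolves to:", resolve_dn(conf, "CN=Group,CN=Directory Element,DC=w,DC=x,DC=y,DC=z"))
```

With the misspelled alias in place, the child group's DN walks past `dc=w,dc=x,dc=y,dc=z` (no stanza matches it) and lands on the parent's `dc=x,dc=y,dc=z`, so the entry is served from the forest-root connection; fixing the comma routes it to `[w.x.y.z]`, and dropping `[x.y.z]` and its aliases makes a parent-domain DN resolve to nothing, which is the shape of the two log lines above.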

ofgem_bird
Engager

mibrahim, have you checked out the SA-ldapsearch.log file (located in %Splunk%\var\log\splunk)?

Also check out these pages, as they may help. They helped me iron out a few bugs before I got stuck at the above...

http://blogs.splunk.com/2012/10/21/splunk-app-for-active-directory-and-the-top-10-issues/

http://docs.splunk.com/Documentation/ActiveDirectory/1.2/DeployAD/TroubleshoottheSplunkAppforActiveD...


mibrahim_splunk
Splunk Employee

I'm having the same issue as well. I'm seeing the same error messages in my internal index.

When I test the |ldapsearch command I get no results returned, but I don't get an error to indicate ldapsearch is not working...
