Ldapsearch / ActiveDirectory app issue

ofgem_bird
Engager

I am having an issue with the ldapsearch functionality under the Active Directory app in Splunk.

I have been trying to get it to enumerate groups correctly. In certain circumstances I can get it to display all groups under Security > Reports > Security Groups - all.

This appears to return the correct values; however, it appears to be struggling to enumerate group membership. If I run the report for Security > Reports > Security Groups - Empty, it merely returns the same group listing regardless of whether the group is empty or not. (This only works if I use a single domain in the ldap.conf, with the 3 required stanzas as well as the default stanza.)

I have a domain forest and a child domain, so presumably the ldap.conf should look something like this (where the forest is x.y.z and the child domain is w.x.y.z):

[x.y.z]
server=servername1;servername2
port=389
ssl=false
basedn=DC=x,DC=y,DC=z
binddn=CN=account,OU=OrgUnit,DC=x,DC=y,DC=z
password=password

[X]
alias=x.y.z

[DC=x,DC=y,DC=z]
alias=x.y.z

[w.x.y.z]
server=servername1;servername2
port=389
ssl=false
basedn=DC=w,DC=x,DC=y,DC=z
binddn=CN=account,OU=OrgUnit,DC=w,DC=x,DC=y,DC=z
password=password

[W]
alias=w.x.y.z

[DC=W,DC=X,DC=Y.DC=Z]
alias=w.x.y.z

[default]
server=servername1
port=389
ssl=false

However, when running in this configuration I see the following errors in the sa-ldapsearch.log file.

[com.splunk.program.LDAPSearch:main#-1] ERROR Exception com.unboundid.ldap.sdk.LDAPSearchException thrown: 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
    ref 1: 'w.x.y.z'

Followed by a series of ERROR stack traces:

[com.splunk.program.LDAPSearch:main#-1] ERROR Stack Trace com.unboundid.ldap.sdk.LDAPConnection.search (3112)

If I revert to having just w.x.y.z and [default], removing [x.y.z], then some functionality is restored, but I get the following errors logged in the log file.

[com.splunk.ldap.ActiveDirectory:getConnectionForEntry#-1] ERROR Could not find entry dc=x,dc=y,dc=z in ldap.conf

AND

[com.splunk.program.LDAPGroups:Execute#-1] WARNING Context for CN=Group,CN=Directory Element,DC=w,DC=x,DC=y,DC=z was not found - dumping and skipping

Any help in untangling this would be most useful. Running on Windows, Java 1.7, Splunk 5.0.2, AD App v1.1.4, ldapsearch v1.1.9.
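A consistency check for the stanza layout posted above, as an added example that is not part of the original post or the app's own code: it verifies that every domain stanza has an alias stanza named after its basedn, and notes stanzas that have ssl off while a bind password is configured. The function names and the case-insensitive matching rule are assumptions; the sample is the posted layout, constructed here with only the keys the check reads.

```python
import configparser

# Constructed sample: the posted stanza layout, trimmed to the keys checked here.
SAMPLE = """
[x.y.z]
ssl=false
basedn=DC=x,DC=y,DC=z
binddn=CN=account,OU=OrgUnit,DC=x,DC=y,DC=z
password=password
[X]
alias=x.y.z
[DC=x,DC=y,DC=z]
alias=x.y.z
[w.x.y.z]
ssl=false
basedn=DC=w,DC=x,DC=y,DC=z
binddn=CN=account,OU=OrgUnit,DC=w,DC=x,DC=y,DC=z
password=password
[W]
alias=w.x.y.z
[DC=W,DC=X,DC=Y.DC=Z]
alias=w.x.y.z
"""

def norm(name):
    """Lower-case a stanza name or DN and trim spaces around commas (assumed rule)."""
    return ",".join(p.strip().lower() for p in name.split(","))

def lint(text):
    """Return findings for a multi-domain ldap.conf (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None)  # '%' in passwords is literal
    cp.read_string(text)
    domains = {s: cp[s] for s in cp.sections() if "basedn" in cp[s]}
    # normalised alias stanza name -> domain stanza it points at
    aliases = {norm(s): norm(cp[s]["alias"]) for s in cp.sections() if "alias" in cp[s]}
    findings = []
    for target in sorted(set(aliases.values()) - {norm(d) for d in domains}):
        findings.append(f"alias points at undefined stanza [{target}]")
    for name, sec in domains.items():
        if aliases.get(norm(sec["basedn"])) != norm(name):
            findings.append(f"[{name}]: no alias stanza named after basedn {sec['basedn']}")
        if sec.get("ssl", "false").lower() != "true" and "password" in sec:
            findings.append(f"[{name}]: ssl is off but a bind password is configured")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

On the sample, the check reports the child domain's DN alias stanza (written with `DC=Y.DC=Z`) as not matching its basedn, plus the ssl finding for both domain stanzas.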

ofgem_bird
Engager

mibrahim, have you checked out the SA-ldapsearch.log file (located in %Splunk%\var\log\splunk)?

Also check out these pages as they may help. They helped me iron out a few bugs before I got stuck at the above...

http://blogs.splunk.com/2012/10/21/splunk-app-for-active-directory-and-the-top-10-issues/

http://docs.splunk.com/Documentation/ActiveDirectory/1.2/DeployAD/TroubleshoottheSplunkAppforActiveD...

0 Karma

mibrahim_splunk
Splunk Employee

I'm having the same issue as this as well. Seeing the same error messages in my internal index.

When I test the |ldapsearch command I get no results returned, but I don't get an error to indicate ldapsearch is not working...

0 Karma