All Apps and Add-ons

SA-ldapsearch.log is missing - AD domain not found

barisca009
New Member

Hi all,
In my test environment,
1 Domain controller windows server 2012 r2 , ip 172.16.1.10 , fqdn=spdc.nwtraders.msft
1 member server(windows server 2008 r2, .net 45 is installed , powershell 3 is installed) which splunk(splunk-6.1.3-220630-x64-release.msi) runs on it.

I have installed universal forwarder(splunkforwarder-6.1.3-220630-x64-release) on domain controller and have copied SA-ModularInput-PowerShell, Splunk_TA_windows, TA-DNSServer-NT6, TA-DomainController-2012R2 in C:\Program Files\SplunkUniversalForwarder\etc\apps folder.

powershell app,microsoft windows app,sa-ldapsearch app,windows infrastruce apps are installed on splunk instance which is run on member server.

Splunk has a receiver and listens on tcp 12345 which UF uses to forward data as well

When I try to detect; domain,domain controller,users,computers are not found

The configuration of ldap.conf(Program Files\Splunk\etc\apps\SA-ldapsearch\local) file is shown as below.

[nwtraders.msft]
server = spdc.nwtraders.msft
port = 389
ssl = false
basedn = DC=nwtraders,DC=msft
binddn = cn=Administrator,cn=Users,DC=nwtraders,DC=msft
password = Password1
alternatedomain = NWTRADERS

[default]
server = 172.16.1.10

SA-ldapsearch.log file is also missing! So I could not troubleshoot the issue.
Any help would be nice
Regards

Tags (3)
0 Karma

gpareesi11
Path Finder

Hi, can you try to modify your ldap.conf has follow:

[default]
server = spdc.nwtraders.msft
port = 389
ssl = false
basedn = DC=nwtraders,DC=msft
binddn = cn=Administrator,cn=Users,DC=nwtraders,DC=msft
password = Password1
alternatedomain = NWTRADERS

The SA-ldapsearch.log should be in $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log

Thank you

0 Karma

tjjones0362
Explorer

I'm having the same problem. Ever find a solution?

0 Karma

barisca009
New Member

At least, has anyone got and idea about why sa-ldapsearch.log is missing ?

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...