I'm trying to configure version 2.1.1 of the app Splunk Support for Active Directory and I get this error when trying to use it or test the connection. I am using Splunk version 6.3, and I have tried uninstalling and reinstalling the application.
ldap.conf:

[default]
alternatedomain = EXAMPLE
basedn = DC=corp,DC=example,DC=com
binddn = splunk
port = 636
server = corp.example.com
ssl = 1
If you are not running in a search head cluster you will need to edit the default/commands.conf settings as per the documentation:
1. With a text editor, open the file $SPLUNK_HOME\etc\apps\SA-ldapsearch\default\commands.conf for editing.
2. In each stanza within this file, change the following entry:
   local = false
   to:
   local = true
3. Save the file and close it.
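The commands.conf edit above is easy to get half-done by hand when the file has several stanzas, so here is a small script, added here as an illustration and not part of SA-ldapsearch or the answer above, that flips local to true in every stanza and then reports any stanza still not set. The sample commands.conf embedded in it is constructed for the example; the stanza names in it are illustrative, not a copy of the app's real file. One practitioner's caveat: Splunk treats edits under an app's default/ directory as overwritten on upgrade, so the usual convention is to put the same stanzas with only the changed key into local/commands.conf instead; the script writes whatever path you give it.

```python
import re
import sys

# Constructed sample of a commands.conf with several custom-command stanzas.
# Not the app's real file; stanza names are illustrative only.
SAMPLE_COMMANDS_CONF = """\
[ldapsearch]
filename = ldapsearch.py
local = false
supports_getinfo = true

[ldapfetch]
filename = ldapfetch.py
local = false

[ldapgroup]
filename = ldapgroup.py
local = true
"""

STANZA_RE = re.compile(r"^\s*\[(.+?)\]\s*$")
LOCAL_RE = re.compile(r"^\s*local\s*=\s*(\S+)\s*$", re.IGNORECASE)


def parse_stanzas(conf_text):
    """Split Splunk .conf text into (name, lines) pairs.

    Lines before the first stanza header are returned under the name None
    so that nothing from the file is dropped on the way back out.
    """
    stanzas = []
    name, lines = None, []
    for line in conf_text.splitlines():
        m = STANZA_RE.match(line)
        if m:
            stanzas.append((name, lines))
            name, lines = m.group(1), []
        else:
            lines.append(line)
    stanzas.append((name, lines))
    return stanzas


def stanzas_not_local(conf_text):
    """Return the names of stanzas whose local key is missing or not 'true'."""
    bad = []
    for name, lines in parse_stanzas(conf_text):
        if name is None:
            continue
        value = None
        for line in lines:
            m = LOCAL_RE.match(line)
            if m:
                value = m.group(1).lower()  # last occurrence wins, as in Splunk
        if value != "true":
            bad.append(name)
    return bad


def set_local_true(conf_text, search_head_cluster=False):
    """Return conf text with local = true in every stanza.

    The answer above applies only when NOT running a search head cluster,
    so when search_head_cluster is True the text is returned unchanged.
    Existing local keys are rewritten in place; stanzas without one get the
    key appended after their last non-blank line.
    """
    if search_head_cluster:
        return conf_text
    out = []
    for name, lines in parse_stanzas(conf_text):
        if name is None:
            out.extend(lines)
            continue
        out.append("[%s]" % name)
        body = list(lines)
        found = False
        for i, line in enumerate(body):
            if LOCAL_RE.match(line):
                body[i] = "local = true"
                found = True
        if not found:
            last = max((i for i, l in enumerate(body) if l.strip()), default=-1)
            body.insert(last + 1, "local = true")
        out.extend(body)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python fix_local.py [path/to/commands.conf]
    # With no path, the constructed sample is transformed and printed.
    if len(sys.argv) > 1:
        path = sys.argv[1]
        with open(path) as fh:
            original = fh.read()
        with open(path + ".bak", "w") as fh:
            fh.write(original)  # keep a copy before rewriting
        with open(path, "w") as fh:
            fh.write(set_local_true(original))
        print("stanzas still not local:", stanzas_not_local(open(path).read()))
    else:
        fixed = set_local_true(SAMPLE_COMMANDS_CONF)
        print(fixed)
        print("before:", stanzas_not_local(SAMPLE_COMMANDS_CONF))
        print("after: ", stanzas_not_local(fixed))
```

Running it without arguments shows the two stanzas that were still local = false before the edit and an empty list afterwards; pointing it at a real file rewrites that file after saving a .bak copy.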
I made the change you suggested and after restarting Splunk it passed the configuration pre-requisite for that stage of the setup. No idea what is configured there now or how to change it. The setup is failing at the next stage of checking data. No events are being returned at all.
How do I make sure the connection to the domain is configured? I can see an option to disable the app; can I delete it? Will re-enabling it let me reconfigure it?
You can uninstall by simply removing the directory SA-ldapsearch from the apps directory and restarting Splunk.
If you re-install you will still need to make the edits described above after you configure your connection. There is a log file that may contain more details at: $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log. You may also increase the logging level for the app in the file: logging.conf to DEBUG, then restart Splunk. This should show you more details in the log about what is wrong.
Note: you do NOT deploy this app to indexers as mentioned below. This app stays on the search head.
Thanks a lot, that got rid of the error and I could successfully connect to the domain. I've never been able to get any data right from the outset when setting up the Infrastructure for Windows app. There is a test data part at the end of each section but it doesn't look like my client is sending any. Is there a log I can check on my client to see if it's trying to send the data? I've checked splunkd on the indexers and forwarder but can't see anything to suggest a problem.
Is it required to distribute the app to the indexer? I am trying to test the Linux-auditd app and am trying to configure the ldap-search to populate the lookup files. I am receiving the error above. (The app is currently installed on the deployer and the SH).