All Apps and Add-ons

Splunk Support for Active Directory 2.11: KeyError at ".../apps/SA-ldapsearch/bin/packages/splunklib/client.py", line 1653 : u'ssl'"

cmcmacken
Engager

I'm trying to configure version 2.1.1 of the app Splunk Support for Active Directory and I get this error when trying to use it or test the connection. I am using Splunk version 6.3, and I have tried uninstalling and reinstalling the application.

ldap.conf

[default]
alternatedomain = EXAMPLE
basedn = DC=corp,DC=example,DC=com
binddn = splunk
port = 636
server = corp.example.com
ssl = 1

sjohnson_splunk
Splunk Employee
Splunk Employee

If you are not running in a search head cluster you will need to edit the default/commands.conf settings as per the documentation:

  1. With a text editor, open the file $SPLUNK_HOME\etc\apps\SA-ldapsearch\default\commands.conf for editing.

  2. In each stanza within this file, change the following entry:

local = false
to

local = true
3. Save the file and close it.

  1. Restart Splunk Enterprise on the instance.

naqviah1
New Member

What if i am receiving this error when running on the SHC. How can that be resolved?

0 Karma

uktechnologyser
Path Finder

I made the change you suggested and after restarting splunk it passed the configuration pre-requisite for that stage of the setup. No idea what is configured there now or how to change it. The setup is failing at the next stage of checking data. No events are being returned at all.

How do i make sure the connection to the domain is configured? I can see an option to disable the app, can i delete it? Will re-enabling it let me reconfigure it?

Cheers,

Jay

0 Karma

sjohnson_splunk
Splunk Employee
Splunk Employee

You can uninstall by simply removing the directory SA-ldapsearch from the apps directory and restarting Splunk.

If you re-install you will still need to make the edits described above after you configure your connection. There is a log file that may contain more details at: $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log. You may also increase the logging level for the app in the file: logging.conf to DEBUG, then restart Splunk. This should show you more details in the log about what is wrong.

Note: you do NOT deploy this app to indexers as mentioned below. This app stays on the search head.

0 Karma

uktechnologyser
Path Finder

Thanks a lot, that got rid of the error and i could successfully connect to the domain. I've never been able to get any data right from the outset when setting up the Infrastructure for windows app. There is a test data part at the end of each section but it doesn't look like my client is sending any. Is there a log i can check on my client to see if its trying to send the data? I've checked splunkd on the indexers and forwarder but cant see anything to suggest a problem.

0 Karma

joshd
Builder

You will need to distribute the app to the indexers as noted here:

https://answers.splunk.com/answers/312136/sa-ldapsearch-connection-test-failing-he-default-c.html

0 Karma

naqviah1
New Member

Is it required to distribute the app to the indexer? I am trying to test the Linux-auditd app and am trying to configure the ldap-search to populate the lookup files. I am receiving the error above. (The app is currently installed on the deployer and the SH).

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...