Thanks, I did get it working again in 6.6 still using this workaround but I had to give the users a capability that they previously did not have--"list_settings". Before I gave them that they were getting the error "External search command 'ldapsearch' returned error code 1. Script output = " ERROR "HTTPError at ""/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py"", line 1111 : HTTP 403 Forbidden – insufficient permission to access this resource" ". Glad it is working though.
@worshamn thank you for the tip
had to give the users a capability that they previously did not have--"list_settings"
I had the issue in 6.6.4
We were able to get this working without changing anything in ldap.conf. We just had to add the list_settings capability. We are running Splunk 6.0.2 on Linux with app version 2.1.4. Thanks for the workaround suggestion, it got us going in the right direction.
Just adding "list_settings" to users did not fix it for us unfortunately.
We are on Splunk 6.6.5 on Windows, with app v.2.1.6.
Back to the drawing board for something that should have been there in the first place.
Same problem with 2.1.4 but I get another Error:
External search command 'ldaptestconnection' returned error code 1. First 1000 (of 2868) bytes of script output: " ERROR " # host: X.X.X.X: Could not access the directory service at ldaps://X.X.X.X:636: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1 # host: X.X.X.X: Could not access the directory service at ldaps://X.X.X.X:636: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1
For me it worked after I gave the user the list_storage_passwords capability. Use it with caution!
Authentication fails despite a successful connectivity test after configuration
If you encounter a problem where queries with SA-LDAPsearch fail despite successfully testing a connection that you set up on the configuration page, make sure that the user that you log into Splunk Enterprise as has the admin_all_objects capability. This capability must be present because the configuration page saves passwords as storage passwords, and only this capability allows users to read storage passwords.
If you cannot grant the admin_all_objects capability, as a workaround, you can use a clear-text password and obfuscate that password with base-64 encoding. In this case, however, you cannot use the configuration page to save the password nor can you test the connection. This is because the configuration page moves any clear-text passwords to storage passwords when you save the configuration.
You must edit ldap.conf with a text editor and save the password(s) that way, and then use the ldaptestconnection command to test the configuration.
Otherwise, like others have suggested, you can create a Scheduled Saved Search or lookup that makes data available to users to search/query off of.
I was able to get this working by adding both the list_settings and list_storage_passwords capabilities to the role.
This works for me. I am using the LDAP authentication on SH cluster, so adding a user role is complicated.
Ah, now after posting my answer I found this one.. seems like I missed it. I'll convert my answer to a comment.
It's enough to enable list_storage_passwords, as the other capability can be imported from the user role.