
Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Contributor

Thanks, I did get it working again in 6.6 still using this workaround but I had to give the users a capability that they previously did not have--"list_settings". Before I gave them that they were getting the error "External search command 'ldapsearch' returned error code 1. Script output = " ERROR "HTTPError at ""/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py"", line 1111 : HTTP 403 Forbidden – insufficient permission to access this resource" ". Glad it is working though.


Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Explorer

@worshamn thank you for the tip

had to give the users a capability that they previously did not have--"list_settings"
I had the issue in 6.6.4


Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Communicator

We were able to get this working without changing anything in ldap.conf. We just had to add the list_settings capability. We are running Splunk 6.0.2 on Linux with app version 2.1.4. Thanks for the workaround suggestion, it got us going in the right direction.

0 Karma

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Explorer

Just adding "list_settings" to users did not fix it for us unfortunately.
We are on Splunk 6.6.5 on Windows, with app v.2.1.6.
Back to the drawing board for something that should have been there in the first place.

0 Karma

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Path Finder

Same problem with 2.1.4 but I get another Error:

External search command 'ldaptestconnection' returned error code 1. First 1000 (of 2868) bytes of script output: " ERROR " # host: X.X.X.X: Could not access the directory service at ldaps://X.X.X.X:636: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1 # host: X.X.X.X: Could not access the directory service at ldaps://X.X.X.X:636: 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1

0 Karma

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Contributor

For me it worked after I gave the user the list_storage_passwords capability. Use it with caution!

Regards,

Andreas

0 Karma

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Splunk Employee

https://docs.splunk.com/Documentation/SA-LdapSearch/2.2.0/User/UseSA-ldapsearchtotroubleshootproblem...

Authentication fails despite a successful connectivity test after configuration

If you encounter a problem where queries with SA-LDAPsearch fail despite successfully testing a connection that you set up on the configuration page, make sure that the user that you log into Splunk Enterprise as has the admin_all_objects capability. This capability must be present because the configuration page saves passwords as storage passwords, and only this capability allows users to read storage passwords.

If you cannot grant the admin_all_objects capability, as a workaround, you can use a clear-text password and obfuscate that password with base-64 encoding. In this case, however, you can not use the configuration page to save the password nor can you test the connection. This is because the configuration page moves any clear-text passwords to storage passwords when you save the configuration.

You must edit ldap.conf with a text editor and save the password(s) that way, and then use the ldaptestconnection command to test the configuration.

Otherwise, like others have suggested, you can create a Scheduled Saved Search or lookup that makes data available to users to search/query off of.

0 Karma

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Engager

I was able to get this working by adding both the list_settings and list_storage_passwords capabilities to the role.


Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

Path Finder

This works for me. I am using the LDAP authentication on SH cluster, so adding a user role is complicated.

0 Karma

Re: Splunk Support for Active Directory: Why are non-admin users getting ldapsearch error "You do not have permission to perform this operation (requires capability: admin_all_objects)."?

SplunkTrust

Ah, now after posting my answer I found this one.. seems like I missed it. I'll convert my answer to a comment.

It's enough to enable list_storage_passwords as the other capability can be imported from the user role.

Skalli
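
The thread's fixes grant list_storage_passwords (or admin_all_objects) to roles, and capabilities also arrive through role imports, so it is worth checking which roles end up holding them. The following is an added example, not code from the thread or from the app: it audits authorize.conf text, follows `importRoles`, and reports every role that effectively holds a credential-reading capability. The sample configuration and its role names are constructed for illustration.

```python
import configparser

# Capabilities the thread ties to reading stored credentials.
SENSITIVE = {"list_storage_passwords", "admin_all_objects"}

# Constructed authorize.conf sample; role names and grants are illustrative.
SAMPLE_AUTHORIZE_CONF = """
[role_user]
list_settings = enabled
[role_ldap_analyst]
importRoles = user
list_storage_passwords = enabled
[role_helpdesk]
importRoles = ldap_analyst
[role_dashboard_viewer]
importRoles = user
"""

def load_roles(text):
    """Parse authorize.conf text into {role: (direct_caps, imported_roles)}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep option names such as importRoles case-sensitive
    cp.read_string(text)
    roles = {}
    for section in cp.sections():
        if not section.startswith("role_"):
            continue
        items = dict(cp.items(section))
        imports = [r.strip() for r in items.pop("importRoles", "").split(";") if r.strip()]
        caps = {k for k, v in items.items() if v.strip().lower() == "enabled"}
        roles[section[len("role_"):]] = (caps, imports)
    return roles

def effective_caps(role, roles, seen=None):
    """Direct capabilities plus those inherited through importRoles."""
    seen = set() if seen is None else seen
    if role in seen or role not in roles:  # import-cycle guard / unknown role
        return set()
    seen.add(role)
    caps, imports = roles[role]
    result = set(caps)
    for parent in imports:
        result |= effective_caps(parent, roles, seen)
    return result

def roles_with_sensitive(text):
    """Map each role to the sensitive capabilities it effectively holds."""
    roles = load_roles(text)
    return {n: c for n in roles if (c := sorted(effective_caps(n, roles) & SENSITIVE))}
```

In the sample, `helpdesk` is reported even though its stanza never names list_storage_passwords, because it inherits the capability through `ldap_analyst`.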