All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Support for Active Directory: "ERROR The default configuration stanza for ldap.conf is missing." using ldapfetch in a distributed search environment

bleinfelder
Path Finder
‎10-14-2015 03:22 AM

Hi there,

I installed SA-ldapsearch as decsribed in the docs on the search head in my distributed environment. When I run a simple ldapsearch, everything works just fine.

Now I want to query stuff from my indexers and feed the results into ldapfetch (idea: find windows groups in a log and use ldapfetch to find the members of that group).

Search head and indexers run on different machines.

I get the following errors from my indexers:

[map]: [PRDS0052] External search command 'ldapfetch' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing. "
[map]: [PRDS0053] External search command 'ldapfetch' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing. "

How can I prevent the ldap command from run on the indexers? For the lookup command, there is a "local" attribute. I cannot find sth like that in ldapfetch.

Any idea?

Best,

Bernd

Reply

sarmstrong_splu
Splunk Employee
Splunk Employee
‎11-30-2015 07:40 AM

Assuming that (1) you're on Splunk 6.3 and (2) the SH has got access to ActiveDirectory this problem is easily solved by a one line change to each of the files: sa-ldapsearch/bin/
{ldapfilter.py,ldapgroup.py,ldapsearch.py,ldapfetch.py, ldaptestconnection.py}

Here’s the change to make in each file:
Change this:

@Configuration()

to:

@Configuration(local=True)

[If you already have something within the ()'s, just add the local=True to what's already there.]

If you’re running on Splunk 6.2 or lower, you should add this line to each stanza in sa-ldapsearch/default/command.conf:
local = true

Save the files and restart the Splunk instance on the Search Head(s). Retest to verify the workaround worked.

Reply

Michael
Contributor
‎10-25-2017 07:55 AM

Thank you!

But, not knowing Python, I burnt some cycles on the adding of "local=True" to things already there. To help my next comrade from not falling for this, but sure to use a comma to separate multiple entries in the Configuration parameters. I.E.:

ldapsearch.py:@Configuration(retainsevents=True, local=True)
ldaptestconnection.py:@Configuration(retainsevents=True, local=True)
ldapfetch.py:@Configuration(local=True)
ldapfilter.py:@Configuration(local=True)
ldapgroup.py:@Configuration(local=True)

0 Karma
Reply
Get Updates on the Splunk Community!

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...
Top