All Apps and Add-ons

Splunk Supporting Add-on for Active Directory Multiple LDAP Configurations


I am having a problem using the ldapfilter and ldapgroup commands from the SA-ldapsearch app to work with multiple domains. I started by putting in junk information for the default configuration and setting up a configuration for DOMAINA.

When I test connection to DOMAINA, connection succeeds. In fact, the ldapsearch command works perfectly fine. However, when I run this search:
dest_nt_domain="DOMAINA" eventtype=msad-successful-user-logons
| stats max(_time) by dest_nt_domain,user
|ldapfilter domain="DOMAINA" search="(&(objectClass=user)(sAMAccountName=$user$))" attrs="cn,userPrincipalName" logging_level="DEBUG" debug=true

I get this error:

External search command 'ldapfilter' returned error code 1. Script output = "error_message=AttributeError at "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\", line 325 : 'LDAPSocketOpenError' object has no attribute 'replace' ".

Here are the entries from SA-ldapsearch.log:

2019-04-30 10:40:44,003, Level=DEBUG, Pid=7092,, Line=47, Command = ldapfilter attrs="cn,userPrincipalName" debug="t" domain="DOMAINA" logging_level="DEBUG" search="(&(objectClass=user)(sAMAccountName=$user$))"
2019-04-30 10:40:44,035, Level=DEBUG, Pid=7092,, Line=505, Storage password "SA-ldapsearch:default:" not found
2019-04-30 10:40:44,038, Level=DEBUG, Pid=7092,, Line=534, Configuration = ldapfilter(server=ldap:// - cleartext, credentials=splunkadmin@junk.default, alternatedomain=JUNK.DEFAULT, basedn=dc=junk,dc=default, decode=True, paged_size=1000)
2019-04-30 10:41:05,042, Level=ERROR, Pid=7092,, Line=969, AttributeError at "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\app\", line 325 : 'LDAPSocketOpenError' object has no attribute 'replace'
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\", line 593, in _process_protocol_v1
    self._execute(ifile, None)
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\", line 54, in _execute
    SearchCommand._execute(self, ifile,
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\", line 837, in _execute
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\", line 519, in write_records
    for record in records:
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\", line 128, in stream
    self.error_exit(error, app.get_ldap_error_message(error, configuration))
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\app\", line 325, in get_ldap_error_message
    error.message = error.message.replace('\0', '')

From what I can tell. It looks like when I use ldapfilter for DOMAINA, it ignores the corresponding configuration and instead uses the default configuration. I confirmed that by configuring the default domain to match DOMAINA and running ldapfilter on DOMAINA, and ldapfilter works for DOMAINA.

I think it's a problem with the Python files, but I don't know what changes to make.

I have the same problem when running ldapgroup.

Any help would be greatly appreciated.


I just figured this issue out. Apparently, even though the 'default' domain should never be used, if you don't have a valid configuration in that value, ldapfilter and ldapgroup will fail, though everything else will work correctly.

0 Karma
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.