All Apps and Add-ons

Splunk Supporting Add-on for Active Directory Multiple LDAP Configurations

jlucas4
Explorer

I am having a problem using the ldapfilter and ldapgroup commands from the SA-ldapsearch app to work with multiple domains. I started by putting in junk information for the default configuration and setting up a configuration for DOMAINA.

When I test connection to DOMAINA, connection succeeds. In fact, the ldapsearch command works perfectly fine. However, when I run this search:
dest_nt_domain="DOMAINA" eventtype=msad-successful-user-logons
| stats max(_time) by dest_nt_domain,user
|ldapfilter domain="DOMAINA" search="(&(objectClass=user)(sAMAccountName=$user$))" attrs="cn,userPrincipalName" logging_level="DEBUG" debug=true

I get this error:

External search command 'ldapfilter' returned error code 1. Script output = "error_message=AttributeError at "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\app_init_.py", line 325 : 'LDAPSocketOpenError' object has no attribute 'replace' ".

Here are the entries from SA-ldapsearch.log:

2019-04-30 10:40:44,003, Level=DEBUG, Pid=7092, File=configuration.py, Line=47, Command = ldapfilter attrs="cn,userPrincipalName" debug="t" domain="DOMAINA" logging_level="DEBUG" search="(&(objectClass=user)(sAMAccountName=$user$))"
2019-04-30 10:40:44,035, Level=DEBUG, Pid=7092, File=configuration.py, Line=505, Storage password "SA-ldapsearch:default:" not found
2019-04-30 10:40:44,038, Level=DEBUG, Pid=7092, File=configuration.py, Line=534, Configuration = ldapfilter(server=ldap://1.1.1.1:3268 - cleartext, credentials=splunkadmin@junk.default, alternatedomain=JUNK.DEFAULT, basedn=dc=junk,dc=default, decode=True, paged_size=1000)
2019-04-30 10:41:05,042, Level=ERROR, Pid=7092, File=search_command.py, Line=969, AttributeError at "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\app\__init__.py", line 325 : 'LDAPSocketOpenError' object has no attribute 'replace'
Traceback:
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\search_command.py", line 593, in _process_protocol_v1
    self._execute(ifile, None)
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\streaming_command.py", line 54, in _execute
    SearchCommand._execute(self, ifile, self.stream)
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\search_command.py", line 837, in _execute
    self._record_writer.write_records(process(self._records(ifile)))
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\internals.py", line 519, in write_records
    for record in records:
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\ldapfilter.py", line 128, in stream
    self.error_exit(error, app.get_ldap_error_message(error, configuration))
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\app\__init__.py", line 325, in get_ldap_error_message
    error.message = error.message.replace('\0', '')

From what I can tell. It looks like when I use ldapfilter for DOMAINA, it ignores the corresponding configuration and instead uses the default configuration. I confirmed that by configuring the default domain to match DOMAINA and running ldapfilter on DOMAINA, and ldapfilter works for DOMAINA.

I think it's a problem with the Python files, but I don't know what changes to make.

I have the same problem when running ldapgroup.

Any help would be greatly appreciated.

johnmccash
Explorer

I just figured this issue out. Apparently, even though the 'default' domain should never be used, if you don't have a valid configuration in that value, ldapfilter and ldapgroup will fail, though everything else will work correctly.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...