Splunk Supporting Add-on for Active Directory Mult...

jlucas4 · ‎04-30-2019

I am having a problem using the ldapfilter and ldapgroup commands from the SA-ldapsearch app to work with multiple domains. I started by putting in junk information for the default configuration and setting up a configuration for DOMAINA.

When I test connection to DOMAINA, connection succeeds. In fact, the ldapsearch command works perfectly fine. However, when I run this search:
dest_nt_domain="DOMAINA" eventtype=msad-successful-user-logons
| stats max(_time) by dest_nt_domain,user
|ldapfilter domain="DOMAINA" search="(&(objectClass=user)(sAMAccountName=$user$))" attrs="cn,userPrincipalName" logging_level="DEBUG" debug=true

I get this error:

External search command 'ldapfilter' returned error code 1. Script output = "error_message=AttributeError at "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\app_init_.py", line 325 : 'LDAPSocketOpenError' object has no attribute 'replace' ".

Here are the entries from SA-ldapsearch.log:

2019-04-30 10:40:44,003, Level=DEBUG, Pid=7092, File=configuration.py, Line=47, Command = ldapfilter attrs="cn,userPrincipalName" debug="t" domain="DOMAINA" logging_level="DEBUG" search="(&(objectClass=user)(sAMAccountName=$user$))"
2019-04-30 10:40:44,035, Level=DEBUG, Pid=7092, File=configuration.py, Line=505, Storage password "SA-ldapsearch:default:" not found
2019-04-30 10:40:44,038, Level=DEBUG, Pid=7092, File=configuration.py, Line=534, Configuration = ldapfilter(server=ldap://1.1.1.1:3268 - cleartext, credentials=splunkadmin@junk.default, alternatedomain=JUNK.DEFAULT, basedn=dc=junk,dc=default, decode=True, paged_size=1000)
2019-04-30 10:41:05,042, Level=ERROR, Pid=7092, File=search_command.py, Line=969, AttributeError at "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\app\__init__.py", line 325 : 'LDAPSocketOpenError' object has no attribute 'replace'
Traceback:
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\search_command.py", line 593, in _process_protocol_v1
    self._execute(ifile, None)
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\streaming_command.py", line 54, in _execute
    SearchCommand._execute(self, ifile, self.stream)
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\search_command.py", line 837, in _execute
    self._record_writer.write_records(process(self._records(ifile)))
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\internals.py", line 519, in write_records
    for record in records:
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\ldapfilter.py", line 128, in stream
    self.error_exit(error, app.get_ldap_error_message(error, configuration))
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\app\__init__.py", line 325, in get_ldap_error_message
    error.message = error.message.replace('\0', '')

From what I can tell. It looks like when I use ldapfilter for DOMAINA, it ignores the corresponding configuration and instead uses the default configuration. I confirmed that by configuring the default domain to match DOMAINA and running ldapfilter on DOMAINA, and ldapfilter works for DOMAINA.

I think it's a problem with the Python files, but I don't know what changes to make.

I have the same problem when running ldapgroup.

Any help would be greatly appreciated.

johnmccash · ‎11-18-2019

I just figured this issue out. Apparently, even though the 'default' domain should never be used, if you don't have a valid configuration in that value, ldapfilter and ldapgroup will fail, though everything else will work correctly.

Splunk Supporting Add-on for Active Directory Multiple LDAP Configurations

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor