All Apps and Add-ons

Splunk Supporting Add-on for Active Directory Multiple LDAP Configurations


I am having a problem using the ldapfilter and ldapgroup commands from the SA-ldapsearch app to work with multiple domains. I started by putting in junk information for the default configuration and setting up a configuration for DOMAINA.

When I test connection to DOMAINA, connection succeeds. In fact, the ldapsearch command works perfectly fine. However, when I run this search:
dest_nt_domain="DOMAINA" eventtype=msad-successful-user-logons
| stats max(_time) by dest_nt_domain,user
|ldapfilter domain="DOMAINA" search="(&(objectClass=user)(sAMAccountName=$user$))" attrs="cn,userPrincipalName" logging_level="DEBUG" debug=true

I get this error:

External search command 'ldapfilter' returned error code 1. Script output = "error_message=AttributeError at "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\", line 325 : 'LDAPSocketOpenError' object has no attribute 'replace' ".

Here are the entries from SA-ldapsearch.log:

2019-04-30 10:40:44,003, Level=DEBUG, Pid=7092,, Line=47, Command = ldapfilter attrs="cn,userPrincipalName" debug="t" domain="DOMAINA" logging_level="DEBUG" search="(&(objectClass=user)(sAMAccountName=$user$))"
2019-04-30 10:40:44,035, Level=DEBUG, Pid=7092,, Line=505, Storage password "SA-ldapsearch:default:" not found
2019-04-30 10:40:44,038, Level=DEBUG, Pid=7092,, Line=534, Configuration = ldapfilter(server=ldap:// - cleartext, credentials=splunkadmin@junk.default, alternatedomain=JUNK.DEFAULT, basedn=dc=junk,dc=default, decode=True, paged_size=1000)
2019-04-30 10:41:05,042, Level=ERROR, Pid=7092,, Line=969, AttributeError at "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\app\", line 325 : 'LDAPSocketOpenError' object has no attribute 'replace'
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\", line 593, in _process_protocol_v1
    self._execute(ifile, None)
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\", line 54, in _execute
    SearchCommand._execute(self, ifile,
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\", line 837, in _execute
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\", line 519, in write_records
    for record in records:
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\", line 128, in stream
    self.error_exit(error, app.get_ldap_error_message(error, configuration))
  File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\app\", line 325, in get_ldap_error_message
    error.message = error.message.replace('\0', '')

From what I can tell. It looks like when I use ldapfilter for DOMAINA, it ignores the corresponding configuration and instead uses the default configuration. I confirmed that by configuring the default domain to match DOMAINA and running ldapfilter on DOMAINA, and ldapfilter works for DOMAINA.

I think it's a problem with the Python files, but I don't know what changes to make.

I have the same problem when running ldapgroup.

Any help would be greatly appreciated.


I just figured this issue out. Apparently, even though the 'default' domain should never be used, if you don't have a valid configuration in that value, ldapfilter and ldapgroup will fail, though everything else will work correctly.

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!