First let me say I'm no Active Directory expert so maybe this behavior is expected. But I have successfully installed the Splunk Supporting Add-on for Active Directory and tested the connection. When I run a simple search, there's a relatively long (~10s) delay before the results are returned. Here's what my search looks like:
| ldapsearch domain=ACME search="(&(objectClass=user)(samAccountName=george))" attrs="department"
The search takes about 9 seconds, which seemed strange to me, so I took a packet capture. After the bind, it looks like the add-on is sending a subSchema search for 12 attributes. A couple of those attributes (dITContentRules and attributeTypes) have a lot of values - 647 and 4108 respectively. It's the transmission of these attribute values that is causing the search to take so long. Once the add-on sends the actual search based on my search term, the response is almost immediate.
Is it normal for the add-on to send that initial subSchema query? Is there some reason it's necessary, or some way to suppress it?
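To put numbers on the observation above (which schema attributes dominate the subschema response) without needing Wireshark, the following is an added example; it is not code from the original post or from the Splunk add-on. It parses the LDIF that OpenLDAP's ldapsearch prints for a base-scope read of the subschema entry (on Active Directory that entry is normally CN=Aggregate,CN=Schema,CN=Configuration,<forest root DN>; the rootDSE attribute subschemaSubentry gives the exact DN) and reports value counts and payload bytes per attribute. The hostname dc.acme.example, the bind DN, the base DN and the file name schema_cost.py in the docstring are placeholders, and the embedded LDIF sample is constructed, not captured from a real domain. The parser is general for any single-entry LDIF (folded lines, base64 values), not just schema output.

```python
"""Quantify what an LDAP subschema fetch actually transfers, per attribute.

Added example: this is not code from the original post or from the Splunk
add-on. It parses the LDIF that OpenLDAP's ldapsearch prints and reports
value counts and payload bytes per attribute, so you can see which schema
attributes dominate the response the add-on waits for.

Real-world input (hostname, bind DN and base DN are placeholders):

    ldapsearch -LLL -H ldap://dc.acme.example -D 'ACME\\svc-splunk' -W \\
        -b 'CN=Aggregate,CN=Schema,CN=Configuration,DC=acme,DC=example' \\
        -s base attributeTypes dITContentRules objectClasses > schema.ldif
    python3 schema_cost.py schema.ldif
"""
import base64
import sys
from collections import defaultdict

# Constructed sample shaped like ldapsearch -LLL output (not a real capture).
# It deliberately contains a folded line (continuation starts with one space)
# and a base64 value (double colon); both occur in real schema dumps.
SAMPLE_LDIF = """\
dn: CN=Aggregate,CN=Schema,CN=Configuration,DC=acme,DC=example
attributeTypes: ( 1.2.840.113556.1.2.141 NAME 'department' SYNTAX '1.3.6.1.4.1.
 1466.115.121.1.15' SINGLE-VALUE )
attributeTypes: ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
dITContentRules: ( 1.2.840.113556.1.5.9 NAME 'user' AUX ( securityPrincipal $ mailRecipient ) )
objectClasses:: KCAxLjIuMyBOQU1FICd1c2VyJyAp
"""


def parse_ldif_entry(text):
    """Parse a single LDIF entry (base-scope output) into {attribute: [values]}.

    Handles line folding (RFC 2849: a continuation line begins with one
    space) and base64 values ("attr:: <b64>"). Comment and blank lines
    are skipped. URL-valued lines ("attr:< file://...") never appear in
    schema output and are rejected rather than silently misread.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]        # unfold onto the previous line
        else:
            logical.append(raw)

    entry = defaultdict(list)
    for line in logical:
        if not line or line.startswith("#"):
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):          # attr:: base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):        # attr:< URL
            raise ValueError(f"URL-valued attribute not supported: {attr}")
        else:                             # attr: value (one optional space)
            value = rest[1:] if rest.startswith(" ") else rest
        entry[attr].append(value)
    return dict(entry)


def attribute_cost(entry):
    """Return {attribute: (value_count, payload_bytes)}, largest payload first.

    payload_bytes counts UTF-8 value bytes only; the BER framing LDAP adds
    per value is a few bytes and does not change the ranking. The dn line
    is not a returned attribute and is left out.
    """
    cost = {}
    for attr, values in entry.items():
        if attr == "dn":
            continue
        cost[attr] = (len(values), sum(len(v.encode("utf-8")) for v in values))
    return dict(sorted(cost.items(), key=lambda kv: kv[1][1], reverse=True))


def report(text):
    """Format the per-attribute cost table as printable lines."""
    lines = [f"{'attribute':<20}{'values':>8}{'bytes':>10}"]
    for attr, (count, nbytes) in attribute_cost(parse_ldif_entry(text)).items():
        lines.append(f"{attr:<20}{count:>8}{nbytes:>10}")
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            source = fh.read()
    else:
        source = SAMPLE_LDIF
    print("\n".join(report(source)))
```

Run against a real schema.ldif from your domain controller, the values column for attributeTypes and dITContentRules should match the counts seen in the capture, and the bytes column shows how much of the response each attribute accounts for before the user search is even sent.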
Hi @scottprigge,
The Splunk Supporting Add-on for Active Directory is notorious for taking unusually long to return results. I have seen similar issues myself in just about every client environment I've used it in. Attached is the most descriptive thread of fellow Splunkers lamenting this issue:
https://answers.splunk.com/answers/329748/how-do-i-improve-ldapsearch-performance.html
Sounds like this is an issue for the developers; maybe you could open a ticket with your findings and help push them along?