Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Users can no longer execute ldapsearch; capability...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Users can no longer execute ldapsearch; capability required only admins have
Until months ago the SA-LDAPsearch 2.1.4 (aka Splunk Support for Active Directory) app worked fine, and it still does for me as admin.
But it appears no alerts have come through for a lot of time now.
What users see when trying to query:
External search command 'ldaptestconnection' returned error code 1. Script output = " ERROR " # host: somedomain Could not access the directory service at ldaps://someserver:636: 000004DC: LdapErr: DSID-0C090752, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580" "
Their attempt or even |ldaptestconnection) results in index=_audit in events like these:
Audit:[timestamp=03-20-2017 11:18:15.673, id=*, user=xxxxx, action=list_storage_passwords, info=denied object="SA-ldapsearch:default:" operation=list]
Seems not good to grant any non-admin role this capability, but how other way can a specific group of users (or even a few) be given the possibility to run ldap searches?
Running Splunk 6.5.1 on Linux; had as always granted the Power role read-access to the App, users involved had the Power role.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The workaround mentioned in https://answers.splunk.com/answers/189732/splunk-support-for-active-directory-why-are-non-ad.html still works.
You can place the plaintext password in the ldap.conf file against a password= paramater, and remove the encrypted version from passwords.conf, and the code will fallback to the plaintext one.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Also having this issue though we are just now noticing it after upgrading to 7.0.2. Have you found a workaround for this?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi,
do you find a Workaround?
many thanks in advance
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
