All Apps and Add-ons

external search command 'ldapsearch' returned error code 1. Script output = "error_message=Cannot find the configuration stanza for domain=* in ldap.conf

abandi
New Member

Hi, I have installed Splunk Supporting Add-on for Active Directory to run ldap search command. After installing the TA and trying to run ldap search command and its not working.
Error: "external search command 'ldapsearch' returned error code 1. Script output = "error_message=Cannot find the configuration stanza for domain=* in ldap.conf"

Can anyone help me out with this issue?

0 Karma

hdbang_splunk
Splunk Employee
Splunk Employee

Did you use '' at domain in the search query like "| ldapsearch domain= search=..."
If you did, '*' will not work but have to specify the actual

If you mean by '*', all attempted domains, that Error literally indicates that the ldap.conf does not have [] stanza.

Basically 'default' domain in SA-ldapsearch is required configuration and also the 'default' domain should be functional in order to complete the Configuration.

However, some other apps such as 'Splunk App for Windows Infrastructure' does not use the 'default' domain.
If the SA-ldapsearch app does not have [] stanza, the 'Splunk App for Windows Infrastructure' will throw that error as well.

"error_message=Cannot find the configuration stanza for domain= in ldap.conf"

In the SA-ldapsearch Configuration, 'Alternate domain name' is essential field and should be unique.
That means you cannot use the same 'Alternate domain name' in 'default' domain and domain.
In that case, you may want to set up a different 'Alternate domain name' in 'default' and preferred name in domain.

The 'ldap.conf' looks like below.

[default]
alternatedomain = DUMMY.COM

basedn = dc=your_domain_name,dc=com
binddn = CN=administrator,cn=users,dc=your_domain_name,DC=com
port = 389
server = 192.168.100.100
ssl = 0

[your_domain_name]
alternatedomain = YOUR_DOMAIN_NAME.COM

0 Karma

giulioBalza
Path Finder

Hello Rick,

thanks for the reply.

I'm not native english spoken, so i could bad explained my needs or not well understand but the below explanation in the documentation (https://docs.splunk.com/Documentation/Splunk/8.2.6/Indexer/Decommissionasite) seems that replication starts after mapping and the CM restart:

To deal with this issue, you can map decommissioned sites to active sites. The bucket copies for which a decommissioned site is the origin site will then be replicated to the active site specified by the mapping, allowing the cluster to again meet its replication and search factors.

 

Regards

 

 

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...