
external search command 'ldapsearch' returned error code 1. Script output = "error_message=Cannot find the configuration stanza for domain=* in ldap.conf

abandi
New Member

Hi, I have installed the Splunk Supporting Add-on for Active Directory to run the ldapsearch command. After installing the TA and trying to run the ldapsearch command, it's not working.
Error: "external search command 'ldapsearch' returned error code 1. Script output = "error_message=Cannot find the configuration stanza for domain=* in ldap.conf"

Can anyone help me out with this issue?

0 Karma

hdbang_splunk
Splunk Employee

Did you use '*' at domain in the search query, like "| ldapsearch domain=* search=..."?
If you did, '*' will not work but have to specify the actual

If you mean by '*', all attempted domains, that Error literally indicates that the ldap.conf does not have [] stanza.

Basically, the 'default' domain in SA-ldapsearch is a required configuration, and the 'default' domain should also be functional in order to complete the Configuration.

However, some other apps such as 'Splunk App for Windows Infrastructure' do not use the 'default' domain.
If the SA-ldapsearch app does not have [] stanza, the 'Splunk App for Windows Infrastructure' will throw that error as well.

"error_message=Cannot find the configuration stanza for domain= in ldap.conf"

In the SA-ldapsearch Configuration, 'Alternate domain name' is an essential field and should be unique.
That means you cannot use the same 'Alternate domain name' in 'default' domain and domain.
In that case, you may want to set up a different 'Alternate domain name' in 'default' and preferred name in domain.

The 'ldap.conf' looks like below.

[default]
alternatedomain = DUMMY.COM

basedn = dc=your_domain_name,dc=com
binddn = CN=administrator,cn=users,dc=your_domain_name,DC=com
port = 389
server = 192.168.100.100
ssl = 0

[your_domain_name]
alternatedomain = YOUR_DOMAIN_NAME.COM

0 Karma
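The checks described in the answer above (a [default] stanza must exist, the domain named in the search needs its own stanza, and 'Alternate domain name' must be unique), written as an added example that is not part of the original post or of the add-on's own code. The function name, the case-insensitive comparison and the ssl = 0 warning are assumptions made here, and the sample file is constructed from the one shown in the answer.

```python
import configparser

# Constructed sample: the ldap.conf from the answer, with the same
# alternatedomain reused on purpose so the uniqueness check fires.
SAMPLE_CONF = """\
[default]
alternatedomain = DUMMY.COM
basedn = dc=your_domain_name,dc=com
binddn = CN=administrator,cn=users,dc=your_domain_name,DC=com
port = 389
server = 192.168.100.100
ssl = 0

[your_domain_name]
alternatedomain = DUMMY.COM
"""


def lint_ldap_conf(text, requested_domain=None):
    """Return a list of findings for an SA-ldapsearch style ldap.conf (hypothetical helper)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    if "default" not in parser:
        findings.append("missing [default] stanza")
    # A search with domain=X needs a stanza literally named [X]; '*' is not a wildcard.
    if requested_domain is not None and requested_domain not in parser:
        findings.append(f"no stanza for domain={requested_domain}")
    seen = {}  # upper-cased alternatedomain -> first stanza using it (assumed case-insensitive)
    for stanza in parser.sections():
        alt = parser[stanza].get("alternatedomain")
        if alt is None:
            findings.append(f"[{stanza}] has no alternatedomain")
        elif alt.strip().upper() in seen:
            first = seen[alt.strip().upper()]
            findings.append(f"alternatedomain {alt} reused in [{first}] and [{stanza}]")
        else:
            seen[alt.strip().upper()] = stanza
        # Added hygiene check: ssl = 0 means the LDAP connection is not TLS-protected.
        if parser[stanza].get("ssl", "").strip() == "0":
            findings.append(f"[{stanza}] ssl = 0: LDAP connection is not TLS-protected")
    return findings


if __name__ == "__main__":
    for finding in lint_ldap_conf(SAMPLE_CONF, requested_domain="*"):
        print(finding)
```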

giulioBalza
Path Finder

Hello Rick,

thanks for the reply.

I'm not a native English speaker, so I may have explained my needs badly or not understood well, but the explanation below in the documentation (https://docs.splunk.com/Documentation/Splunk/8.2.6/Indexer/Decommissionasite) seems to say that replication starts after mapping and the CM restart:

To deal with this issue, you can map decommissioned sites to active sites. The bucket copies for which a decommissioned site is the origin site will then be replicated to the active site specified by the mapping, allowing the cluster to again meet its replication and search factors.

 

Regards

0 Karma