Trying the latest (2.0.1) on 6.2.1. Takes incredibly long compared to an old version and it isn't parsing itself well.
i.e. Returned fields on
|ldapsearch domain=nb.com search="(&(objectclass=user)(!(objectClass=computer)))"
accountExpires cn codePage countryCode dSCorePropagationData description displayName distinguishedName extensionAttribute15 givenName host instanceType lastLogonTimestamp name objectCategory objectClass objectGUID objectSid primaryGroupID pwdLastSet sAMAccountName sAMAccountType uSNChanged uSNCreated userAccountControl userPrincipalName whenChanged whenCreated _raw _time
vs Old version, same query on same machine....and I removed a whole bunch. Also returns in ~1minute compared to 15+ for the newer version.
We found that unless you configure default to be your domain searches took forever, once we set default to our domain.
Splunk are Linux guys and sometime forget that us windows guys assume domain name means domain name, not in this case.
Where it says domain name=default, that's just a label. Leave domain name = default, your domain name goes in alternative domain name.
Previously even with some other label configured and tested to point to our domain, the search would takes 15-20 minutes. Once changed, much less than 1 minute for large searches.
While I don't have an answer to your issue, I'd like to share that I am also experiencing the exact same issues.
I recently deployed Splunk 6.2.1 for a new customer, and with using the 2.0.1 version of SA-ldapsearch I am having issues pulling certain attributes from AD user objects. In this specific case, I need SA-ldapsearch to generate an automated lookup for the Identities table for Splunk ES.
After much time and trouble, I have decided just to remove 2.0.1 and install 1.1.13.