Splunk Supporting Add-on for Active Directory (SA-LDAPSearch): Returns error code 1, Script output = ERROR socket creation error: [Errno 11004] getaddrinfo failed

JWBailey
Communicator

We recently upgraded Splunk to 6.3.3 and it seems to have caused the Splunk Supporting Add-on for Active Directory to stop working. I am not exactly sure when the problem started; it was working before our Core Splunk upgrade. I upgraded to version 2.1.3 of Splunk Supporting Add-on for Active Directory once we identified the problem, but it did not resolve the issue.

Here is the search I am running:

|ldapsearch domain=my.domain.com search="(&(&(objectclass=user)(objectcategory=person))(!(userAccountControl=514)))" attrs="sAMAccountName,department,extensionAttribute7" | table sAMAccountName department extensionAttribute7

Pretty straightforward.

Here is the error I receive:

External search command 'ldapsearch' returned error code 1. Script output = " ERROR socket creation error: [Errno 11004] getaddrinfo failed "

Thank you for any assistance.

0 Karma

JWBailey
Communicator

I meant to log in and update this topic with the solution we found.

In the app configuration/conf file we had multiple LDAP servers listed in the hostname field separated by a semicolon. It seems at some point that became an invalid configuration and stopped working. Once we removed the 2nd server to only list a single hostname, it started working again.

0 Karma

JWBailey
Communicator

I should mention that this exact search has been working for a while, until this recent hiccup.

0 Karma

andykuhn
Path Finder

This is a lower-level error than you are thinking, I suspect. Please try the following:
1. Navigate to the SA-ldapsearch configuration and 'test' my.domain.com configured there. If this cannot connect, you are having a basic issue with AD communication.
2. Make sure your host is correct and can be accessed over the specified LDAP port. If you have concerns about the correctness of your credentials, you can independently validate LDAP credentials using a tool like Softerra LDAP Browser, which is free to download.
3. If all your credentials are correct and you are still receiving this error, you should check if there is a firewall rule blocking communication (socket creation error) between the Splunk instance and the AD domain controller.
4. Additional connection issues with SA-ldapsearch running in a search head cluster may be ameliorated by use of a local command override for all six ldapsearch commands in ../local/commands.conf like this:

[ldapsearch]
filename = ldapsearch.py
outputheader = true
requires_srinfo = true
supports_getinfo = true
supports_rawargs = true
local = true

[ldapfetch]
filename = ldapfetch.py
outputheader = true
requires_srinfo = true
supports_getinfo = true
supports_rawargs = true
supports_multivalues = true
local = true

etc....

0 Karma
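As an added diagnostic that is not part of the add-on or of either post above, the script below reproduces the two findings in this thread: a hostname field holding several servers separated by a semicolon is handed to the resolver as one string (so getaddrinfo fails on the whole value), and andykuhn's step 2, checking that the configured host actually resolves. The function names, the sample host values and the injectable resolver parameter are assumptions made here so the check can be exercised offline.

```python
import re
import socket
from typing import Callable, Dict, List

# Anything with getaddrinfo's shape; socket.getaddrinfo is the real one.
Resolver = Callable[..., list]


def parse_host_field(value: str) -> Dict[str, object]:
    """Split a hostname field into candidate hosts and flag multi-server values."""
    raw = value.strip()
    hosts: List[str] = [h for h in re.split(r"[;,\s]+", raw) if h]
    warnings: List[str] = []
    if len(hosts) > 1:
        warnings.append(
            "hostname field lists %d servers (%r); a single host is expected, so the "
            "whole string is passed to getaddrinfo and resolution fails" % (len(hosts), raw)
        )
    if not hosts:
        warnings.append("hostname field is empty")
    return {"raw": raw, "hosts": hosts, "warnings": warnings}


def resolve(host: str, port: int = 389, resolver: Resolver = socket.getaddrinfo) -> str:
    """Return the resolved addresses for host, or the resolver's error text."""
    try:
        infos = resolver(host, port, type=socket.SOCK_STREAM)
    except OSError as exc:  # socket.gaierror is an OSError subclass
        return "getaddrinfo failed: %s" % exc
    return ", ".join(sorted({info[4][0] for info in infos}))


def diagnose(value: str, port: int = 389, resolver: Resolver = socket.getaddrinfo) -> Dict[str, object]:
    """Resolve the field exactly as configured, then each listed host on its own."""
    report = parse_host_field(value)
    report["raw_resolution"] = resolve(str(report["raw"]), port, resolver)
    report["per_host"] = {h: resolve(h, port, resolver) for h in report["hosts"]}
    return report


if __name__ == "__main__":
    # Constructed sample mirroring the misconfiguration described in the thread.
    for sample in ("dc1.example.test;dc2.example.test", "dc1.example.test"):
        result = diagnose(sample)
        print(sample, "->", result["warnings"] or "single host OK")
        print("  as configured:", result["raw_resolution"])
        for host, outcome in result["per_host"].items():
            print("  %s: %s" % (host, outcome))
```

Run against the real resolver, a multi-host value shows the error from the original post while each host still resolves on its own, which separates a bad field value from an actual DNS or firewall problem.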