We recently upgraded Splunk to 6.3.3 and it seems to have caused the Splunk Supporting Add-on for Active Directory to stop working. I am not exactly sure when the problem started, it was working before our Core Splunk upgrade. I upgraded to version 2.1.3 of Splunk Supporting Add-on for Active Directory once we identified the problem, but it did not resolve the issue.
Here is the search I am running:
|ldapsearch domain=my.domain.com search="(&(&(objectclass=user)(objectcategory=person))(!(userAccountControl=514)))" attrs="sAMAccountName,department,extensionAttribute7" | table sAMAccountName department extensionAttribute7
Pretty straightforward.
Here is the error I receive:
External search command 'ldapsearch' returned error code 1. Script output = " ERROR socket creation error: [Errno 11004] getaddrinfo failed "
Thank you for any assistance.
I meant to log in and update this topic with the solution we found.
In the app configuration/conf file we had multiple LDAP servers listed in the hostname field, separated by a semicolon. It seems at some point that became an invalid configuration and stopped working. Once we removed the second server so that only a single hostname was listed, it started working again.
I should mention that this exact search has been working for a while, until this recent hiccup.
This is a lower-level error than you are thinking, I suspect. Please try the following:
1. Navigate to the SA-ldapsearch configuration and 'test' my.domain.com configured there. If this cannot connect you are having a basic issue with AD communication.
2. Make sure your host is correct and can be accessed over the specified LDAP port. If you have concern about the correctness of your credentials, you can independently validate LDAP credentials using a tool like Softerra LDAP browser, which is free to download.
3. If all your credentials are correct and you are still receiving this error, you should check if there is a firewall rule blocking communication (socket creation error) between the Splunk instance and the AD domain controller.
4. Additional connection issues with SA-ldapsearch running in a search head cluster may be ameliorated by use of a local command override for all six ldapsearch commands in ../local/commands.conf like this:
[ldapsearch]
filename = ldapsearch.py
outputheader = true
requires_srinfo = true
supports_getinfo = true
supports_rawargs = true
local = true
[ldapfetch]
filename = ldapfetch.py
outputheader = true
requires_srinfo = true
supports_getinfo = true
supports_rawargs = true
supports_multivalues = true
local = true
etc....
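The resolution failure behind "[Errno 11004] getaddrinfo failed" and the semicolon-separated hostname field that caused it in this thread can be checked before editing the add-on's configuration. The script below is an added example, not code from the add-on or from anyone in this thread; the stanza value and the dc01/dc02 names are constructed, and the `resolver` argument is injectable so the check can be exercised offline.

```python
import re
import socket
from typing import Callable, Dict, List

# Separators people put into a single server field when they mean "several
# domain controllers". The thread reports that a semicolon-separated pair
# stopped working after the upgrade and surfaced as
# "socket creation error: [Errno 11004] getaddrinfo failed".
SEPARATORS = re.compile(r"[;,\s]+")


def split_hostnames(value: str) -> List[str]:
    """Return the individual hostnames hiding in a (possibly multi-valued) field."""
    return [h for h in SEPARATORS.split(value.strip()) if h]


def resolves(host: str) -> bool:
    """True if the OS resolver can turn `host` into an address.
    This is the step that fails with Errno 11004 on Windows for a bogus name."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def audit_server_field(value: str,
                       resolver: Callable[[str], bool] = resolves) -> Dict[str, object]:
    """Explain why an SA-ldapsearch server field would fail name resolution.
    `resolver` defaults to the real DNS lookup; pass a stub to run offline."""
    hosts = split_hostnames(value)
    findings: List[str] = []
    if len(hosts) > 1:
        findings.append("field holds %d hostnames (%r); configure one hostname per stanza"
                        % (len(hosts), value))
    elif not hosts:
        findings.append("field is empty")
    unresolved = [h for h in hosts if not resolver(h)]
    for h in unresolved:
        findings.append("%r does not resolve; check DNS/hosts file from the search head" % h)
    return {
        "hosts": hosts,
        "unresolved": unresolved,
        # What the add-on effectively asks the resolver for: the raw field value.
        "raw_value_resolves": resolver(value) if hosts else False,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample value; dc01/dc02 are hypothetical domain controller names.
    for finding in audit_server_field("dc01.my.domain.com;dc02.my.domain.com")["findings"]:
        print(finding)
```

Run it on the search head that executes ldapsearch, since that is where the resolver and any firewall rule from step 3 apply.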