
Splunk Supporting Add-on for Active Directory (SA-LDAPSearch): Returns error code 1, Script output = ERROR socket creation error: [Errno 11004] getaddrinfo failed

JWBailey
Communicator

We recently upgraded Splunk to 6.3.3 and it seems to have caused the Splunk Supporting Add-on for Active Directory to stop working. I am not exactly sure when the problem started; it was working before our Core Splunk upgrade. I upgraded to version 2.1.3 of Splunk Supporting Add-on for Active Directory once we identified the problem, but it did not resolve the issue.

Here is the search I am running:

|ldapsearch domain=my.domain.com search="(&(&(objectclass=user)(objectcategory=person))(!(userAccountControl=514)))" attrs="sAMAccountName,department,extensionAttribute7" | table sAMAccountName department extensionAttribute7

Pretty straightforward.

Here is the error I receive:

External search command 'ldapsearch' returned error code 1. Script output = " ERROR socket creation error: [Errno 11004] getaddrinfo failed "

Thank you for any assistance.

0 Karma

JWBailey
Communicator

I meant to log in and update this topic with the solution we found.

In the app configuration/conf file we had multiple LDAP servers listed in the hostname field, separated by a semicolon. It seems at some point that became an invalid configuration and stopped working. Once we removed the 2nd server to list only a single hostname, it started working again.

0 Karma

JWBailey
Communicator

I should mention that this exact search has been working for a while, until this recent hiccup.

0 Karma

andykuhn
Path Finder

This is a lower-level error than you are thinking, I suspect. Please try the following:
1. Navigate to the SA-ldapsearch configuration and 'test' my.domain.com configured there. If this cannot connect you are having a basic issue with AD communication.
2. Make sure your host is correct and can be accessed over the specified LDAP port. If you have concern about the correctness of your credentials, you can independently validate LDAP credentials using a tool like Softerra LDAP browser, which is free to download.
3. If all your credentials are correct and you are still receiving this error, you should check if there is a firewall rule blocking communication (socket creation error) between the Splunk instance and the AD domain controller.
4. Additional connection issues with SA-ldapsearch running in a search head cluster may be ameliorated by use of a local command override for all six ldapsearch commands in ../local/commands.conf, like this:

[ldapsearch]
filename = ldapsearch.py
outputheader = true
requires_srinfo = true
supports_getinfo = true
supports_rawargs = true
local = true

[ldapfetch]
filename = ldapfetch.py
outputheader = true
requires_srinfo = true
supports_getinfo = true
supports_rawargs = true
supports_multivalues = true
local = true

etc....

0 Karma
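The fix above (one hostname, not a ';'-joined list) and steps 1-3 in this answer can be checked before touching the add-on. The following is an added example, not code from SA-LDAPSearch or from either poster: it lints the raw hostname value, then runs the same getaddrinfo() lookup the add-on performs, which is the call that fails with Errno 11004 when the whole ';'-joined string is handed to it. The sample values and the default port of 389 are constructed.

```python
"""Pre-flight checks for the SA-ldapsearch 'hostname' setting (added example)."""
import re
import socket

LDAP_PORT = 389  # assumption: plain LDAP; use 636 if the add-on is set to SSL

# One DNS label or dotted name; IPv4 literals also match (digit-only labels).
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*\.?$"
)


def split_hostname_field(value: str) -> list:
    """Split the field on ';', the separator used in the broken config from the thread."""
    return [h.strip() for h in value.split(";") if h.strip()]


def lint_hostname_field(value: str) -> list:
    """Static checks that catch the misconfiguration without opening a socket.

    getaddrinfo() treats the entire string as a single name, so a
    ';'-joined list can never resolve, whatever the individual hosts are.
    """
    problems = []
    hosts = split_hostname_field(value)
    if not hosts:
        problems.append("hostname is empty")
    if len(hosts) > 1:
        problems.append(f"{len(hosts)} hosts joined with ';' - resolved as one name")
    for host in hosts:
        if not HOSTNAME_RE.match(host):
            problems.append(f"{host!r} is not a valid DNS name")
    return problems


def resolve_host(host: str, port: int = LDAP_PORT):
    """Run the lookup the add-on runs; returns (ok, addresses or error text)."""
    try:
        infos = socket.getaddrinfo(host, port, socket.AF_UNSPEC, socket.SOCK_STREAM)
        return True, sorted({ai[4][0] for ai in infos})
    except socket.gaierror as exc:  # this is the "socket creation error" path
        return False, f"getaddrinfo failed: {exc}"


if __name__ == "__main__":
    # Constructed sample values: the broken and the fixed setting.
    for value in ("dc1.my.domain.com;dc2.my.domain.com", "dc1.my.domain.com"):
        print(repr(value), "->", lint_hostname_field(value) or "lint ok")
        print("   resolve:", resolve_host(split_hostname_field(value)[0]))
```

If the lint passes but resolve_host() still fails, the problem is DNS on the search head; if it resolves but the add-on still cannot connect, look at the firewall path in step 3.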