This issue makes me a very sad panda.

I've had a case open with support since 12/2015 for this issue. They acknowledged that it is an issue they are working on, but still no fix. The problem started with v2 of the add-on. If you go back to the v1 version, which is Java based:-(, the performance is on par with normal LDAP queries. The downside, beyond Java, of downgrading to v1 is that there are lots of features missing. Namely Non-ASCII character support and ability to specify a BaseDN. Going back to v1 broke apps that we use and have created so we are back on slow v2. We try to use scheduled reports as much as possible to hide the slow searching, but that is not ideal, especially for developing searches.

Hi rtestu,

Thanks for the response.
I do use very specific searches. But the result is still very sluggish response. Still have to weight at last 5 minutes for any results to show up!
Here's an example query I execute:

search="(&(objectclass=user)(!(objectClass=computer))(accountExpires=9223372036854775807))"|sort sAMAccountName|table sAMAccountName,cn,userPrincipalName,userAccountControl

Could someone perhaps suggest ways to trace the situation to get to where the bottleneck could be?

And did you try what I mentioned ?

| ldapsearch search="(&(objectclass=user)(!(objectClass=computer))(accountExpires=9223372036854775807))"
attrs="sAMAccountName,cn,userPrincipalName,userAccountControl"
| sort sAMAccountName
| table sAMAccountName,cn,userPrincipalName,userAccountControl

It could significantly improve the performance if you have to retrieve lots of data from the LDAP. In your case, I am not sure it will improve a lot since you seem to retrieve a few accounts ...

Romain.

Hi retestu,

Yes I als tried limiting the attributes as you suggested but it's not helping.

The odd thing is when I perform the search from the command line on the same search head as show below, the results return immediately.

[root@JHBTNXSPL111 ~]# ldapsearch -x -b "DC=inter,DC=Kransnetwork,DC=Net" -D "CN=SRV-TCC-Splunk LDAP,OU=Service Accounts,OU=Groups,OU=TCC,DC=inter,DC=Kransnetwork,DC=net" -w "I3m5TFfB\$uh2%ze" -h 10.10.227.150 -p 389 -A '(&(objectclass=user)(!(objectClass=computer))(accountExpires=9223372036854775807))'

Also, the Splunk solution uses LDAP integration to authenticate users and it works just fine when users use the AD credentials to log in.

So it really seems to me like the problem is with the "Splunk Supporting Add-on for Active Directory".

There is no doubt the root cause is the addon.

A local os based ldapsearch takes milliseconds. The addon based one takes minutes.

I agree 100%! There is something NOT optimal with that "Splunk Supporting Add-on for Active Directory" that makes it not perform as expected.

I've seen many other posts from folks experiencing the same problem. The app serves a very useful function, but in its current state it's unusable.

Hi napomokoetle,

did you open a support case?

Hi Mus,

I have had the problem for a very long time and don't recall opening a trouble ticket. But there are many others who have had the same problem and opened tickets but I believe they never had the problem solved.

I opened a ticket, it seems that there is a bug in SA-LDAPsearch that is being addressed.

Thank you gwalford! I hope this issue can be finally be resolved. Much appreciated.

I strongly recommend you open a ticket on this issue as well.

The more customers that open tickets, the higher of a priority this becomes on the DEV side, and the more quickly you will get this issue addressed.

I'll do so.

Hi MuS, Thanks for your response. I'm using the SA-ldapsearch. I hope you can help resolve this performance problem.
Just to check if Splunk was the problem or NOT. I installed the Centos ldapsearch client and executed the same Active Directory search I've been trying through Splunk, and the AD results return in seconds.
So it seems to me the problem is with Splunk and not Active Directly or my system.