I'm not sure I fully understand what's going on here. When you run the

|ldapsearch search="(objectClass=group)" attrs="*"
| collect index=<ldapsearch>

command on your forwarder, do you get results or an error message? If you get results, then you should be able to simply search against the index on your search head. If you don't get results, then there's something else going on: is the app configured correctly? is the query correct?

if I run the command on my HF is fine, it works. I configured the AD plugin to send events to the indexer. But if I run it on my SH doesn't work. I guess the send event function is not configured properly, by that I mean this tutorial :

The following steps are the same for saving new alerts or editing existing alerts.

1. From the Add Actions menu, select Log event.
2. Add the following event information to configure the alert action. Use plain text or tokens for search, job, or server metadata.
   

   • Event text
   • Source and sourcetype
   • Host
   • Destination index for the log event. The main index is the default destination. You can specify a different existing index.

It's possible that your SH isn't set up to reach your LDAP systems and that's why it's not returning results, but it's hard to say without more information. I'd recommend checking the logs for the add-on and seeing if you can find any errors or anything in there. You'll find these in $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log (Ref: https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.8/User/UseSA-ldapsearchtotroubleshootproblem...)