Splunk SOAR

Active Directory/LDAP connection and authentication debug script

kevinh_splunk
Splunk Employee
Splunk Employee
This article applies to Splunk Phantom versions 4.6 , 4.5 , 4.2 , 4.1 , 4.0 , 3.5 , 3.0 , 2.1 , 2.0
 

The Active Directory/LDAP debug script is used to view a detailed output of the connection and authentication attempt between Splunk Phantom and an Active Directory instance. The script accesses the Splunk Phantom database and uses the Active Directory server configuration and credentials as configured in Splunk Phantom. For a copy of the debug script, open a Support case.

WARNING: The debug script output will contain the Active Directory password in plain text. It is your responsibility to sanitize the report before sharing with unauthorized persons.

Before running the script, verify the Splunk Phantom Active Directory settings are configured with the credentials intended for the debug script to use.

  • In Splunk Phantom, select Administration > System Settings > Authentication.
  • Verify the credentials listed in the Active Directory Settings fields.
  • Click Save Changes.

Run the Active Directory/LDAP connection and authentication debug script.

  • Transfer the script "test_ldap.pyc" to the Phantom server.
  • Phantom 2.1 and previous: Change the current user to apache.
    [root@localhost user]# sudo -u apache bash
  • Phantom 2.1 and previous: Run the test_ldap.pyc script.
    [root@localhost user]# python2.7 test_ldap.pyc
  • Phantom 3.0 to current: Change the current user to nginx.
    [root@localhost user]# sudo -u nginx bash
  • Phantom 3.0 to current: Run the test_ldap.pyc script.
    [root@localhost user]# phenv python2.7 test_ldap.pyc
  • The debug script output will contain the Active Directory password in plain text. It is your responsibility to sanitize the report before sharing with unauthorized persons.

Below is an example output from the script in Splunk Phantom 3.0 showing a successful Active Directory connection:

[root@localhost user]# sudo -u nginx bash
bash-4.1$ phenv python2.7 test_ldap.pyc
ldap_create
ldap_url_parse_ext(ldap://dc1.corp.contoso.com)
***  ldap://dc1.corp.contoso.com - SimpleLDAPObject.set_option
((17, 3), {})
***  ldap://dc1.corp.contoso.com - SimpleLDAPObject.set_option
((8, 0), {})
***  ldap://dc1.corp.contoso.com - SimpleLDAPObject.set_option
((20485, 10.0), {})
***  ldap://dc1.corp.contoso.com - SimpleLDAPObject.set_option
((20482, 10.0), {})
***  ldap://dc1.corp.contoso.com - SimpleLDAPObject.simple_bind
(('administrator@corp.contoso.com', 'PASSWORD', None, None), {})
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP dc1.corp.contoso.com:389
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 10.17.1.42:389
ldap_pvt_connect: fd: 4 tm: 10 async: 0
ldap_ndelay_on: 4
attempting to connect: 
connect errno: 115
ldap_int_poll: fd: 4 tm: 10
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
ldap_pvt_connect: 0
ldap_open_defconn: successful
ldap_send_server_request
***  ldap://dc1.corp.contoso.com - SimpleLDAPObject.result4
((1, 1, -1, 0, 0, 0), {})
ldap_result ld 0x1676e00 msgid 1
wait4msg ld 0x1676e00 msgid 1 (timeout 10000000 usec)
wait4msg continue ld 0x1676e00 msgid 1 all 1
** ld 0x1676e00 Connections:
* host: dc1.corp.contoso.com  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Thu Dec  1 16:00:38 2016

** ld 0x1676e00 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x1676e00 request count 1 (abandoned 0)
** ld 0x1676e00 Response Queue:
   Empty
  ld 0x1676e00 response count 0
ldap_chkResponseList ld 0x1676e00 msgid 1 all 1
ldap_chkResponseList returns ld 0x1676e00 NULL
ldap_int_select
read1msg: ld 0x1676e00 msgid 1 all 1
read1msg: ld 0x1676e00 msgid 1 message type bind
read1msg: ld 0x1676e00 0 new referrals
read1msg:  mark request completed, ld 0x1676e00 msgid 1
request done: ld 0x1676e00 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ldap_free_connection: actually freed
Labels (2)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...