Splunk Search

Ldapsearch throwing spurious errors.

ifeldshteyn
Communicator

Hello,

I have a Search head cluster and an indexer cluster. 

When I am on one of the searchheads and run this ldapsearch command I get results. It works perfectly. 

 

| ldapsearch search="(&(objectCategory=Person)(objectClass=User)(lockoutTime>=1))" domain="MYDOMAIN.COM"  basedn="OU=Users,OU=NYHQ,OU=US,DC=MYDOMAIN,DC=com" 

 

However, all the indexers throw this spurious error, that doesn't seem to impact the results. 

 

[indexer1.mydomain.com] External search command 'ldapsearch' returned error code 1. Script output = " ERROR "KeyError at ""/opt/splunk/var/run/searchpeers/B8AB8EAB-1DD4-42C8-83DE-945995C604D4-1592589919/apps/SA-ldapsearch/bin/packages/splunklib/client.py"", line 1653 : u'ldap'" "

 

When I login directly to my indexers and execute the same ldap search locally, I don't receive any errors. 

SA-ldapsearch is configured on both indexers and searchheads. Each one has valid ldap.conf and passwords.conf  and present in $SPLUNK_HOME$etc/apps/SA-ldapsearch  . I am able to AD authenticate on all of the machines. 

Any idea why I am getting these spurious errors thrown on the searchheads but not the indexers?

Thanks!

Tags (2)
0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...