I am having a problem using the ldapfilter and ldapgroup commands from the SA-ldapsearch app to work with multiple domains. I started by putting in junk information for the default configuration and setting up a configuration for DOMAINA.
When I test connection to DOMAINA, connection succeeds. In fact, the ldapsearch command works perfectly fine. However, when I run this search:
dest_nt_domain="DOMAINA" eventtype=msad-successful-user-logons
| stats max(_time) by dest_nt_domain,user
|ldapfilter domain="DOMAINA" search="(&(objectClass=user)(sAMAccountName=$user$))" attrs="cn,userPrincipalName" logging_level="DEBUG" debug=true
I get this error:
External search command 'ldapfilter' returned error code 1. Script output = "error_message=AttributeError at "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\app\__init__.py", line 325 : 'LDAPSocketOpenError' object has no attribute 'replace' ".
Here are the entries from SA-ldapsearch.log:
2019-04-30 10:40:44,003, Level=DEBUG, Pid=7092, File=configuration.py, Line=47, Command = ldapfilter attrs="cn,userPrincipalName" debug="t" domain="DOMAINA" logging_level="DEBUG" search="(&(objectClass=user)(sAMAccountName=$user$))"
2019-04-30 10:40:44,035, Level=DEBUG, Pid=7092, File=configuration.py, Line=505, Storage password "SA-ldapsearch:default:" not found
2019-04-30 10:40:44,038, Level=DEBUG, Pid=7092, File=configuration.py, Line=534, Configuration = ldapfilter(server=ldap://1.1.1.1:3268 - cleartext, credentials=splunkadmin@junk.default, alternatedomain=JUNK.DEFAULT, basedn=dc=junk,dc=default, decode=True, paged_size=1000)
2019-04-30 10:41:05,042, Level=ERROR, Pid=7092, File=search_command.py, Line=969, AttributeError at "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\app\__init__.py", line 325 : 'LDAPSocketOpenError' object has no attribute 'replace'
Traceback:
File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\search_command.py", line 593, in _process_protocol_v1
self._execute(ifile, None)
File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\streaming_command.py", line 54, in _execute
SearchCommand._execute(self, ifile, self.stream)
File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\search_command.py", line 837, in _execute
self._record_writer.write_records(process(self._records(ifile)))
File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\internals.py", line 519, in write_records
for record in records:
File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\ldapfilter.py", line 128, in stream
self.error_exit(error, app.get_ldap_error_message(error, configuration))
File "C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\packages\app\__init__.py", line 325, in get_ldap_error_message
error.message = error.message.replace('\0', '')
From what I can tell, it looks like when I use ldapfilter for DOMAINA, it ignores the corresponding configuration and instead uses the default configuration. I confirmed that by configuring the default domain to match DOMAINA and running ldapfilter on DOMAINA, and ldapfilter works for DOMAINA.
I think it's a problem with the Python files, but I don't know what changes to make.
I have the same problem when running ldapgroup.
Any help would be greatly appreciated.
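The AttributeError in the traceback above is a secondary failure: the helper at line 325 calls `.replace()` on `error.message`, which in this case is itself an exception object, so the real cause (the socket could not be opened to the default server) is hidden. Below is an added example, not SA-ldapsearch's own code, of a defensive version of that helper; the `LDAPSocketOpenError` class is a local stand-in for the ldap3 exception of the same name, and the `server` parameter is an assumption.

```python
class LDAPSocketOpenError(Exception):
    """Stand-in for ldap3's exception of the same name (constructed for this example)."""


def get_ldap_error_message(error, server):
    """Return a printable message for `error`, with NUL bytes stripped.

    Unlike a bare `error.message.replace('\\0', '')`, this handles `message`
    being missing, bytes, or a nested exception object (the case in the
    traceback above), so the underlying connection error stays visible.
    """
    message = getattr(error, "message", None)
    if message is None:
        # Python 3 exceptions have no .message; fall back to the first arg.
        message = error.args[0] if error.args else ""
    if isinstance(message, BaseException):
        # Unwrap the nested exception instead of calling str methods on it.
        message = "{}: {}".format(type(message).__name__, message)
    elif isinstance(message, bytes):
        message = message.decode("utf-8", "replace")
    else:
        message = str(message)
    return "{} (server={})".format(message.replace("\0", ""), server)


if __name__ == "__main__":
    # Constructed sample: the nested-exception case seen in the traceback.
    err = LDAPSocketOpenError("unable to open socket")
    err.message = OSError("connection refused")
    print(get_ldap_error_message(err, "ldap://1.1.1.1:3268"))
```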