Configured SA-ldapsearch V2.0.0 with the following configuration to query a Microsoft 2008R2 Domain Controller with all service packs installed to date of posting:
ldap.conf
[default]
server = MSDC01.xxx.yyy.zzz
basedn = DC=xxx,DC=yyy,DC=zzz
binddn = CN=SplunkDAAccount,OU=Domain Admins,OU=Administration,DC=xxx,DC=yyy,DC=zzz
password =
port = 3268
ssl = false
[xxx.yyy.zzz]
basedn = DC=xxx,DC=yyy,DC=zzz
binddn = CN=SplunkDAAccount,OU=Domain Admins,OU=Administration,DC=xxx,DC=yyy,DC=zzz
password =
port = 389
server = MSDC01.xxx.yyy.zzz
ssl = false
[xxx]
alias = xxx.yyy.zzz
[DC=xxx,DC=yyy,DC=zzz]
alias = xxx.yyy.zzz
When the connection is tested it successfully returns: Result: distinguishedName: DC=xxx,DC=yyy,DC=zzz
However the Splunk App for Windows Infrastructure (1.0.4) > Active Directory > Users > User Audit (and many others) doesn't return any data when a valid user is inputted.
When the Active Directory Record - User panel is opened in search the following error is displayed:
*External search command 'ldapsearch' returned error code 1. Script output = " ERROR "KeyError at ""C:\Program Files\Splunk\etc\apps\SA-ldapsearch\bin\ldapsearch.py"", line 100 : u'attributes'" " *
If the ldap.conf basedn is defined with an OU=sss in-front of the basedn as shown below this error is not shown and the Active Directory Record - User panel returns user values. It also passes the connection test.
ldap.conf
[default]
server = MSDC01.xxx.yyy.zzz
basedn = OU=sss,DC=xxx,DC=yyy,DC=zzz
binddn = CN=SplunkDAAccount,OU=Domain Admins,OU=Administration,DC=xxx,DC=yyy,DC=zzz
password =
port = 3268
ssl = false
[xxx.yyy.zzz]
basedn = OU=sss,DC=xxx,DC=yyy,DC=zzz
binddn = CN=SplunkDAAccount,OU=Domain Admins,OU=Administration,DC=xxx,DC=yyy,DC=zzz
password =
port = 389
server = MSDC01.xxx.yyy.zzz
ssl = false
[xxx]
alias = xxx.yyy.zzz
[DC=xxx,DC=yyy,DC=zzz]
alias = xxx.yyy.zzz
Is this a known issue? Should it work with DC=? Does SA-ldapsearch require an OU= to work and if so how do I configure it with multiple root level OU's?
... View more