
Error running LDAPSearch


I have configured the application as per the guidelines. I used the default configuration that comes with the app as it doesn't seem to matter if I create a new one or not.

Alternate domain name ==> MYDOMAIN
Base DN ==> DC=mydomain,DC=com,DC=au
Hostname ==>
Port ==> 389

Bind DN ==> CN=testaccout,OU=Accounts,OU=Users,DC=mydomain,DC=com,DC=au
Password ==> password

Testing the connection works fine. Clicking the Save button (which the UI doesn't refresh) writes my configuration into the relevant files on my SPLUNK Enterprise instance.

Performing the following search, I get the following error, which looks to be just column headings if I am not mistaken:

External search command 'ldapsearch' returned error code 1. First 1000 (of 655748350) bytes of script output: " serial,mvserial,_time,mvtime,_raw,mvraw,host,mv_host,dn,mv_dn,msExchSmtpReceiveMaxLogonFailures,_mv_msExchSmtpReceiveMaxLogonFailures,msDS-Transformation

The SA-ldapsearch.log file shows the following:

2019-07-16 15:51:40,473, Level=ERROR, Pid=6304,, Line=969, IOError at "D:\SPLUNK Enterprise\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\", line 698 : [Errno 22] Invalid argument
File "D:\SPLUNK Enterprise\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\", line 593, in _process_protocol_v1
self._execute(ifile, None)
File "D:\SPLUNK Enterprise\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\", line 197, in _execute
File "D:\SPLUNK Enterprise\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\", line 382, in finish
File "D:\SPLUNK Enterprise\etc\apps\SA-ldapsearch\bin\packages\splunklib\searchcommands\", line 698, in flush

I checked the job inspector on SPLUNK and it indicates the following:

This search has completed in 465.118 seconds, but did not match any events. The terms specified in the highlighted portion of the search:

ldapsearch domain=default search="(objectClass=group)" | ifields + cn, distinguishedName | ldapgroup | table cn, member_dn, member_type
over the time range:

15/07/2019 15:00:00.000 - 16/07/2019 15:45:00.000
did not return any data. Possible solutions are to:

*relax the primary search criteria
*widen the time range of the search
*check that the default search indexes for your account include the desired indexes
*Learn more about troubleshooting empty search results at Splunk Documentation

The following messages were returned by the search subsystem:

info : No matching fields exist.
error : External search command 'ldapsearch' returned error code 1. First 1000 (of 655748350) bytes of script output: " serial,mvserial,_time,mvtime,_raw,mvraw,host,mv_host,dn,mv_dn,msExchSmtpReceiveMaxLogonFailures,mv_msExchSmtpReceiveMaxLogonFailures,msDS-TransformationRulesCompiled,_mv_msDS-TransformationRulesCompiled,msExchESEParamLogWaitingUserMa

I am testing this on a test box (Windows) to validate the app before I move this onto our Development environment so I don't have to monitor CSV files that are generated by Powershell scripts.

I am not sure where this is going wrong. Any assistance would be appreciated.
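One way to check the bind account, Base DN and filter outside Splunk is to run the same group query against the domain controller directly from the Windows test box, requesting only the attributes the Splunk search actually uses. The script below is an added example and is not part of the post or of the SA-ldapsearch app; the hostname (the post leaves it blank), the output path and the password prompt are assumptions.

```powershell
# Added example (not from the post or SA-ldapsearch): reproduce the
# (objectClass=group) query that the Splunk search runs, directly against AD,
# so the bind account, Base DN and filter can be verified on their own.
$hostname = 'dc01.mydomain.com.au'     # assumption: the post leaves Hostname blank
$baseDn   = 'DC=mydomain,DC=com,DC=au'
$bindDn   = 'CN=testaccout,OU=Accounts,OU=Users,DC=mydomain,DC=com,DC=au'
$outFile  = Join-Path $env:TEMP 'ad-groups.csv'   # assumption: output location

# Prompt for the bind password rather than embedding it in the script.
$secure = Read-Host -Prompt "Password for $bindDn" -AsSecureString
$cred   = New-Object System.Management.Automation.PSCredential($bindDn, $secure)
$plain  = $cred.GetNetworkCredential().Password

# Simple bind with a DN, as the app's Bind DN setting does. Over port 389 the
# password crosses the wire in cleartext; use port 636 (LDAPS) outside a lab.
$ldapPath = "LDAP://$($hostname):389/$baseDn"
$root = New-Object System.DirectoryServices.DirectoryEntry(
    $ldapPath, $bindDn, $plain,
    [System.DirectoryServices.AuthenticationTypes]::None)

# Touching a property forces the bind; a bad DN or password throws here,
# which separates a credential problem from a search problem.
$null = $root.NativeObject

$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(objectClass=group)'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 1000   # paged results; AD caps an unpaged query at 1000 entries
# Request only the attributes the Splunk search uses instead of every schema attribute.
$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'distinguishedName', 'member'))

# One row per (group, member); groups with no members still produce one row.
$rows = foreach ($result in $searcher.FindAll()) {
    $cn      = [string]$result.Properties['cn'][0]
    $dn      = [string]$result.Properties['distinguishedName'][0]
    $members = @($result.Properties['member'])
    if ($members.Count -eq 0) {
        [pscustomobject]@{ cn = $cn; distinguishedName = $dn; member_dn = '' }
    } else {
        foreach ($m in $members) {
            [pscustomobject]@{ cn = $cn; distinguishedName = $dn; member_dn = [string]$m }
        }
    }
}

$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
$groupCount = ($rows | Select-Object -ExpandProperty distinguishedName -Unique).Count
"Groups: $groupCount; member rows: $($rows.Count); written to $outFile"
```

If this returns groups and members but the Splunk search does not, the problem is on the app side rather than with the account or Base DN. Two caveats: the `member` attribute of groups with more than roughly 1500 members is returned in ranges by AD (as `member;range=0-1499`), so very large groups will appear truncated in this output, and the CSV holds member DNs only, so it does not reproduce the `member_type` column that `ldapgroup` derives.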
