
Splunk Support for Active Directory: "ERROR The default configuration stanza for ldap.conf is missing." using ldapfetch in a distributed search environment

bleinfelder
Path Finder

Hi there,

I installed SA-ldapsearch as described in the docs on the search head in my distributed environment. When I run a simple ldapsearch, everything works just fine.

Now I want to query stuff from my indexers and feed the results into ldapfetch (idea: find Windows groups in a log and use ldapfetch to find the members of that group).

Search head and indexers run on different machines.

I get the following errors from my indexers:

[map]: [PRDS0052] External search command 'ldapfetch' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing. "
[map]: [PRDS0053] External search command 'ldapfetch' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing. " 

How can I prevent the ldap command from running on the indexers? For the lookup command, there is a "local" attribute. I cannot find something like that in ldapfetch.

Any idea?

Best,

Bernd

sarmstrong_splu
Splunk Employee

Assuming that (1) you're on Splunk 6.3 and (2) the SH has got access to Active Directory, this problem is easily solved by a one-line change to each of the files: sa-ldapsearch/bin/{ldapfilter.py,ldapgroup.py,ldapsearch.py,ldapfetch.py,ldaptestconnection.py}

Here’s the change to make in each file:
Change this:

@Configuration()

to:

@Configuration(local=True)

[If you already have something within the ()'s, just add the local=True to what's already there.]

If you’re running on Splunk 6.2 or lower, you should add this line to each stanza in sa-ldapsearch/default/command.conf:
local = true

Save the files and restart the Splunk instance on the Search Head(s). Retest to verify the workaround worked.

Michael
Contributor

Thank you!

But, not knowing Python, I burnt some cycles on the adding of "local=True" to things already there. To help my next comrade from not falling for this, be sure to use a comma to separate multiple entries in the Configuration parameters. I.e.:

ldapsearch.py:@Configuration(retainsevents=True, local=True)
ldaptestconnection.py:@Configuration(retainsevents=True, local=True)
ldapfetch.py:@Configuration(local=True)
ldapfilter.py:@Configuration(local=True)
ldapgroup.py:@Configuration(local=True)

0 Karma
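The decorator edit described in the two replies above, applied by script so the comma case and repeat runs are handled the same way in every file. This is an added example, not part of the original thread or of SA-ldapsearch; the function name `add_local` and the sample text are assumptions made for illustration.

```python
import re
import shutil
import sys

# A one-line @Configuration(...) decorator. Lines whose arguments contain
# nested parentheses do not match and are left untouched for manual review.
DECORATOR = re.compile(r'^(?P<indent>\s*)@Configuration\((?P<args>[^)]*)\)\s*$')
LOCAL_KW = re.compile(r'\blocal\s*=\s*(True|False)\b')

def add_local(source):
    """Return (new_source, lines_changed) with local=True on every decorator."""
    out, changed = [], 0
    for line in source.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        m = DECORATOR.match(body)
        if not m:
            out.append(line)
            continue
        args = m.group("args").strip()
        if LOCAL_KW.search(args):        # already present: force it to True
            args = LOCAL_KW.sub("local=True", args)
        elif args:                       # other keywords present: comma-separate
            args += ", local=True"
        else:                            # empty parentheses
            args = "local=True"
        new_line = f'{m.group("indent")}@Configuration({args}){line[len(body):]}'
        if new_line != line:
            changed += 1
        out.append(new_line)
    return "".join(out), changed

# Constructed sample, shaped like the decorators quoted in the thread.
SAMPLE = "@Configuration(retainsevents=True)\nclass LdapSearchCommand:\n    pass\n"

if __name__ == "__main__":
    # Usage: python add_local.py ldapfetch.py ldapfilter.py ...
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            original = fh.read()
        patched, n = add_local(original)
        if n:
            shutil.copy2(path, path + ".bak")   # keep the untouched file
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(patched)
        print(f"{path}: {n} decorator line(s) updated")
```

As in the answer above, the search head still needs a restart after the files change.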