
Splunk Support for Active Directory: "ERROR The default configuration stanza for ldap.conf is missing." using ldapfetch in a distributed search environment

bleinfelder
Path Finder

Hi there,

I installed SA-ldapsearch as described in the docs on the search head in my distributed environment. When I run a simple ldapsearch, everything works just fine.

Now I want to query stuff from my indexers and feed the results into ldapfetch (idea: find windows groups in a log and use ldapfetch to find the members of that group).

Search head and indexers run on different machines.

I get the following errors from my indexers:

[map]: [PRDS0052] External search command 'ldapfetch' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing. "
[map]: [PRDS0053] External search command 'ldapfetch' returned error code 1. Script output = " ERROR The default configuration stanza for ldap.conf is missing. " 

How can I prevent the ldap command from running on the indexers? For the lookup command, there is a "local" attribute. I cannot find something like that in ldapfetch.

Any idea?

Best,

Bernd

sarmstrong_splu
Splunk Employee

Assuming that (1) you're on Splunk 6.3 and (2) the SH has got access to Active Directory, this problem is easily solved by a one-line change to each of the files: sa-ldapsearch/bin/{ldapfilter.py,ldapgroup.py,ldapsearch.py,ldapfetch.py,ldaptestconnection.py}

Here’s the change to make in each file:
Change this:

@Configuration()

to:

@Configuration(local=True)

[If you already have something within the ()'s, just add the local=True to what's already there.]

If you’re running on Splunk 6.2 or lower, you should add this line to each stanza in sa-ldapsearch/default/command.conf:
local = true

Save the files and restart the Splunk instance on the Search Head(s). Retest to verify the workaround worked.

Michael
Contributor

Thank you!

But, not knowing Python, I burnt some cycles on the adding of "local=True" to things already there. To keep my next comrade from falling for this, be sure to use a comma to separate multiple entries in the Configuration parameters, i.e.:

ldapsearch.py:@Configuration(retainsevents=True, local=True)
ldaptestconnection.py:@Configuration(retainsevents=True, local=True)
ldapfetch.py:@Configuration(local=True)
ldapfilter.py:@Configuration(local=True)
ldapgroup.py:@Configuration(local=True)

0 Karma
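
One way to apply and check the `local=True` change from the answers above without hand-editing the argument list (an added example, not code from this thread or from the app). `DECORATOR` and `patch_source` are hypothetical names, the sample source and its class names are constructed, and the script assumes one-line decorators and a standalone Python 3.9+ for `ast.unparse`.

```python
import ast
import re

# One-line decorators only, e.g. "@Configuration(retainsevents=True)".
DECORATOR = re.compile(r"^([ \t]*@Configuration\()([^\n]*)\)[ \t]*$", re.MULTILINE)


def patch_source(source):
    """Return (patched_source, changed): every @Configuration(...) gets local=True."""
    changed = 0

    def fix(match):
        nonlocal changed
        # Parse only the argument text, so the rest of the file is never parsed.
        call = ast.parse("f(%s)" % match.group(2), mode="eval").body
        if any(kw.arg == "local" and getattr(kw.value, "value", None) is True
               for kw in call.keywords):
            return match.group(0)            # already local=True: leave untouched
        parts = [ast.unparse(arg) for arg in call.args]
        for kw in call.keywords:
            if kw.arg is None:               # a **kwargs style argument
                parts.append("**" + ast.unparse(kw.value))
            elif kw.arg != "local":          # drop local=False or similar
                parts.append("%s=%s" % (kw.arg, ast.unparse(kw.value)))
        parts.append("local=True")
        changed += 1
        # Joining with ", " supplies the comma that is easy to forget by hand.
        return "%s%s)" % (match.group(1), ", ".join(parts))

    return DECORATOR.sub(fix, source), changed


# Constructed sample standing in for the files under sa-ldapsearch/bin/.
SAMPLE = (
    "@Configuration()\n"
    "class FetchCommand(object):\n"
    "    pass\n"
    "\n"
    "@Configuration(retainsevents=True)\n"
    "class SearchCommand(object):\n"
    "    pass\n"
)

if __name__ == "__main__":
    patched, count = patch_source(SAMPLE)
    print(patched)
    print("decorators changed:", count)
```

Running `patch_source` a second time on its own output changes nothing, so a returned count of 0 for a file confirms the workaround is already in place there.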