Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SA-ldapsearch ldapgroup error

Hiattech
Explorer
‎09-11-2024 10:46 AM

We migrated our Splunk indexer from Ubuntu to RHEL recently. Everything appeared to go fine except for this one add-on. Initially, we were getting a different error. I ran fapolicyd-cli add file splunk to it and that error cleared but now we get this error. 

External search command "ldapgroup" returned error code 1. Script output = "error message=HTTPError at "/opt/splunk/etc/apps/SA-ldapsearch/bin/packages/splunklib/binding.py", line 1245 : HTTP 403 Forbidden - insufficient permission to access this resources."

I went in and did chown -R on the folder (and every other folder in the line including /opt/splunk) but that didn't fix it. The files and folders are all owned by splunk and have permission to run it. I have verified the firewall ports for 636 and 389 are open. We have tried to reinstall the add-on through the web interface and get a series of similar errors indicating that it can't copy a number of .py files over. Some do get copied though and most of the folders created. I'm at a bit of a loss...

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Hiattech
Explorer
‎09-11-2024 03:46 PM

We ended up disabling fapolicyd and testing the install again. It worked. After it was configured, we enabled fapolicyd and is still working.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Hiattech
Explorer
‎09-11-2024 03:46 PM

We ended up disabling fapolicyd and testing the install again. It worked. After it was configured, we enabled fapolicyd and is still working.

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎09-11-2024 01:25 PM

The error means that during execution of that script an exception was thrown at line 1245 because it tried to connect somewhere and got 403 as a response. It doesn't have anything to do with filesystem permissions.

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...