I am having an issue with the ldapsearch functionality under the Active Directory app in Splunk.
I have been trying to get it to enumerate groups correctly. In certain circumstances I can get it to display all groups under Security > Reports > Security Groups - all.
This appears to return the correct values; however, it appears to be struggling to enumerate group membership: if I run the report for Security > Reports > Security Groups - Empty, it merely returns the same group listing regardless of whether the group is empty or not. (This only works if I use a single domain in ldap.conf, with the 3 required stanzas as well as the default stanza.)
I have a domain forest and a child domain, so presumably the ldap.conf should look something like this (where the forest is x.y.z and the child domain is w.x.y.z):
# forest root domain
[x.y.z]
server=servername1;servername2
port=389
ssl=false
basedn=DC=x,DC=y,DC=z
binddn=CN=account,OU=OrgUnit,DC=x,DC=y,DC=z
password=password
# short-name alias for x.y.z
[X]
alias=x.y.z
# DN alias for x.y.z
[DC=x,DC=y,DC=z]
alias=x.y.z
# child domain
[w.x.y.z]
server=servername1;servername2
port=389
ssl=false
basedn=DC=w,DC=x,DC=y,DC=z
binddn=CN=account,OU=OrgUnit,DC=w,DC=x,DC=y,DC=z
password=password
# short-name alias for w.x.y.z
[W]
alias=w.x.y.z
# DN alias for w.x.y.z (components must be comma-separated; the original had DC=Y.DC=Z)
[DC=w,DC=x,DC=y,DC=z]
alias=w.x.y.z
# fallback stanza
[default]
server=servername1
port=389
ssl=false
However, when running in this configuration, I see the following errors in the sa-ldapsearch.log file.
[com.splunk.program.LDAPSearch:main#-1] ERROR Exception com.unboundid.ldap.sdk.LDAPSearchException thrown: 0000202B: RefErr: DSID-0310063C, data 0, 1 access points
ref 1: 'w.x.y.z'
Followed by a series of ERROR stack traces:
[com.splunk.program.LDAPSearch:main#-1] ERROR Stack Trace com.unboundid.ldap.sdk.LDAPConnection.search (3112)
If I revert to having just [w.x.y.z] (and associated aliases) and [default], removing [x.y.z], then some functionality is restored, but I get the following errors logged in the log file.
[com.splunk.ldap.ActiveDirectory:getConnectionForEntry#-1] ERROR Could not find entry dc=x,dc=y,dc=z in ldap.conf
and
[com.splunk.program.LDAPGroups:Execute#-1] WARNING Context for CN=Group,CN=Directory Element,DC=w,DC=x,DC=y,DC=z was not found - dumping and skipping
Any help in untangling this would be most useful. I am running on Windows, Java 1.7, Splunk 5.0.2, AD App v1.1.4, ldapsearch v1.1.9.
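The following is an added offline checker for an ldap.conf like the one in the post; it is not part of the post and not code from the Splunk AD app or SA-ldapsearch. It assumes (an inference from the "Could not find entry dc=x,dc=y,dc=z in ldap.conf" message, not documented app behaviour) that an entry's DN is mapped to a domain stanza by taking its DC= suffix, lower-casing it, looking up a stanza of that name and following alias= to the stanza that carries server/basedn/binddn. The embedded ldap.conf is constructed from the post, including the `DC=Y.DC=Z` typo, so the checker shows how a malformed DN alias stanza leaves every entry in the child domain unresolvable while the forest root still resolves.

```python
"""Offline lint for a Splunk SA-ldapsearch style ldap.conf (added example).

Assumed resolution model (not the app's documented algorithm): entry DN ->
DC=... suffix, lower-cased -> stanza of that name -> follow alias= ->
domain stanza holding server/basedn/binddn.
"""
import configparser
import re

# Constructed from the post; the [DC=W,DC=X,DC=Y.DC=Z] stanza keeps its typo.
SAMPLE_LDAP_CONF = """\
[x.y.z]
server=servername1;servername2
port=389
ssl=false
basedn=DC=x,DC=y,DC=z
binddn=CN=account,OU=OrgUnit,DC=x,DC=y,DC=z
password=password
[X]
alias=x.y.z
[DC=x,DC=y,DC=z]
alias=x.y.z
[w.x.y.z]
server=servername1;servername2
port=389
ssl=false
basedn=DC=w,DC=x,DC=y,DC=z
binddn=CN=account,OU=OrgUnit,DC=w,DC=x,DC=y,DC=z
password=password
[W]
alias=w.x.y.z
[DC=W,DC=X,DC=Y.DC=Z]
alias=w.x.y.z
[default]
server=servername1
port=389
ssl=false
"""

# Same config with the comma typo corrected.
FIXED_LDAP_CONF = SAMPLE_LDAP_CONF.replace("DC=Y.DC=Z", "DC=Y,DC=Z")

# One RDN: attribute type, '=', a value without commas or a second '='.
RDN_RE = re.compile(r"^[A-Za-z]+=[^,=]+$")


def load_conf(text):
    """Parse ldap.conf text into {lower-cased stanza name: {key: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names as written
    cp.read_string(text)
    return {s.strip().lower(): dict(cp[s]) for s in cp.sections()}


def domain_stanza(conf, name):
    """Follow alias= links from a stanza name to the stanza that has basedn=."""
    name = name.strip().lower()
    seen = set()
    while name in conf and "alias" in conf[name]:
        if name in seen:
            return None  # alias loop
        seen.add(name)
        name = conf[name]["alias"].strip().lower()
    return name if name in conf and "basedn" in conf[name] else None


def dn_domain_part(dn):
    """Return the DC=... suffix of a DN, lower-cased, or None if there is none."""
    rdns = [r.strip() for r in dn.split(",")]
    for i, rdn in enumerate(rdns):
        if rdn.lower().startswith("dc="):
            return ",".join(r.lower() for r in rdns[i:])
    return None


def resolve_dn(conf, dn):
    """Map an entry DN (e.g. a group from the log) to its domain stanza name."""
    key = dn_domain_part(dn)
    return domain_stanza(conf, key) if key else None


def lint(conf):
    """Return a list of problems; an empty list means every stanza is consistent."""
    problems = []
    for name, body in conf.items():
        if name == "default":
            continue
        if "alias" in body:
            target = body["alias"].strip().lower()
            if target not in conf or "basedn" not in conf[target]:
                problems.append(f"[{name}] alias points at missing domain stanza '{target}'")
            # A DN-style alias must be a comma-separated list of well-formed RDNs.
            if "=" in name and not all(RDN_RE.match(r.strip()) for r in name.split(",")):
                problems.append(f"[{name}] is not a well-formed DN (check the commas)")
        elif "basedn" in body:
            for key in ("server", "binddn", "password"):
                if key not in body:
                    problems.append(f"[{name}] missing {key}=")
            # The domain's own basedn must resolve back to this stanza via a DN alias.
            if resolve_dn(conf, body["basedn"]) != name:
                problems.append(f"[{name}] no alias stanza named '{body['basedn'].lower()}'")
        else:
            problems.append(f"[{name}] has neither alias= nor basedn=")
    return problems


if __name__ == "__main__":
    group_dn = "CN=Group,CN=Directory Element,DC=w,DC=x,DC=y,DC=z"
    for label, text in (("as posted", SAMPLE_LDAP_CONF), ("comma fixed", FIXED_LDAP_CONF)):
        conf = load_conf(text)
        print(f"--- {label}: {group_dn} -> {resolve_dn(conf, group_dn)}")
        for p in lint(conf):
            print("  ", p)
```

Run it as-is and the "as posted" pass reports the child domain's basedn as having no alias stanza and flags `[dc=w,dc=x,dc=y.dc=z]` as a malformed DN, which is the shape of failure that would make a group under DC=w,DC=x,DC=y,DC=z unresolvable while x.y.z still works; the "comma fixed" pass resolves the same group DN to w.x.y.z and reports nothing.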