Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)


This documentation does not apply to the most recent version of Splunk® Supporting Add-on for Active Directory. For documentation on the most recent version, go to the latest release.

The ldapsearch command

Overview

The ldapsearch command retrieves results from the specified search from the configured domains and generates events. It must be at the beginning of a search pipeline. A sample usage follows:

| ldapsearch domain=SPL search="(objectClass=user)"

There are several possible arguments for ldapsearch:

Argument: Description
domain=<domain>: Specifies the name of a configuration stanza in ldap.conf. If you do not specify a domain, the command uses the default stanza.
search=<search-filter>: Specifies the RFC 2254-compliant search string.
attrs=<attribute-names>: Specifies a comma-delimited list of attributes to return as fields.
debug=<boolean>: Specifies whether ldapsearch writes debug log data. When set to T, debug logging occurs.
limit=<size-limit>: Specifies the maximum number of entries to return. This argument is optional and defaults to all entries.
basedn=<search-base>: Specifies a search base to use as the starting point instead of the default set in the LDAP configuration stanza identified by domain.
scope=<base|one|sub>: Specifies the scope of the search as one of base, one, or sub. Base retrieves only parent domain data. One retrieves one level of sub-domain data. Sub retrieves all sub-domain data. The default is sub.
logging_level=(CRITICAL|ERROR|WARNING|INFO|DEBUG): Specifies the logging level for the $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log file. Splunk can access this file with the "index=_internal sourcetype=SA-ldapsearch" search and exposes the following fields:

File: Full pathname of the source file where the logging call was made.
Level: Level of the logging call that was made; one of CRITICAL, ERROR, WARNING, INFO, or DEBUG.
Line: Line number in the source file where the logging call was made.
Pid: ID of the process that made the logging call.
log_source: String of the form "Pid=<Pid>, File=<File>, Line=<Line>".
message: Full text of the logged message.

ldapsearch writes its debug logs to $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log. Splunk indexes and rotates this file by default.

On return, the raw value of each event is the LDAP Data Interchange Format (LDIF) representation of the record. In addition, the command returns a number of attributes as values. When the command returns attributes as values, it decodes those values on the fly. For instance, the command represents a globally unique ID (GUID) or security ID (SID) in human-readable form, even though the LDIF form in the event itself remains in base-64-encoded format. By default, the command returns all user attributes.
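The decoding described above, shown as an added Python example (not the add-on's own code): it parses an LDIF record, base64-decodes the "::" values, and renders objectSid and objectGUID in their standard string forms. The record is constructed sample data, and the function names are illustrative.

```python
import base64
import uuid

# Constructed sample record (not real directory data) in the LDIF form the
# page describes for each event's raw value. "::" marks a base64 value.
SAMPLE_LDIF = """\
dn: CN=Example User,CN=Users,DC=spl,DC=example
sAMAccountName: euser
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
objectSid:: AQUAAAAAAAUVAAAA3PTcO4M9K0aC
 i6YoAAIAAA==
"""

def parse_ldif(text):
    """Return {attribute: [values]}; base64 ("::") values come back as bytes."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]        # folded continuation line
        elif line and not line.startswith("#"):
            unfolded.append(line)
    record = {}
    for line in unfolded:
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip(), validate=True)
        else:                               # "attr: <text>"
            value = rest.strip()
        record.setdefault(name, []).append(value)
    return record

def sid_to_string(raw):
    """Binary SID -> S-<revision>-<authority>-<sub-authorities...>."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")         # 48-bit, big-endian
    subs = [int.from_bytes(raw[i:i + 4], "little") for i in range(8, len(raw), 4)]
    return f"S-{raw[0]}-{authority}" + "".join(f"-{s}" for s in subs)

def guid_to_string(raw):
    """Binary objectGUID -> string form (first three fields are little-endian)."""
    return str(uuid.UUID(bytes_le=raw))

def decode_record(text):
    rec = parse_ldif(text)
    return {"sAMAccountName": rec["sAMAccountName"][0],
            "objectSid": sid_to_string(rec["objectSid"][0]),
            "objectGUID": guid_to_string(rec["objectGUID"][0])}
```

The string SID is the form that appears in Windows security event logs, so decoding it from the raw LDIF lets you join directory records against those events.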

Examples

See Create an asset lookup from your current LDAP data in Splunk Enterprise Security for more details.

To get a table suitable for pushing into the identities.csv file for the Splunk App for Enterprise Security:

| ldapsearch domain=SPL search="(&(objectclass=user) (!(objectClass=computer)))"
| search userAccountControl="NORMAL_ACCOUNT"
| eval suffix=""
| eval priority="medium"
| eval category="normal"
| eval watchlist="false"
| eval endDate=""
| table sAMAccountName, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber, mobile, manager, priority, department, category, watchlist, whenCreated, endDate
| rename sAMAccountName AS identity, personalTitle AS prefix, displayName AS nick, givenName AS first, sn AS last, mail AS email, telephoneNumber AS phone, mobile AS phone2, manager AS managedBy, department AS bunit, whenCreated AS startDate

If you have multiple domains, you can run multiple ldapsearch commands that are joined using the append command. For example:

| ldapsearch domain=SPL search="(&(objectclass=user) (!(objectClass=computer)))"
| search userAccountControl="NORMAL_ACCOUNT"
| eval suffix=""
| eval priority="medium"
| eval category="normal"
| eval watchlist="false"
| eval endDate=""
| eval identity = "SPL\\" + sAMAccountName
| table identity, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber, mobile, manager, priority, department, category, watchlist, whenCreated, endDate
| rename personalTitle AS prefix, displayName AS nick, givenName AS first, sn AS last, mail AS email, telephoneNumber AS phone, mobile AS phone2, manager AS managedBy, department AS bunit, whenCreated AS startDate
| append
    [ ldapsearch domain=ENG search="(&(objectclass=user) (!(objectClass=computer)))"
    | search userAccountControl="NORMAL_ACCOUNT"
    | eval suffix=""
    | eval priority="medium"
    | eval category="normal"
    | eval watchlist="false"
    | eval endDate=""
    | eval identity = "ENG\\" + sAMAccountName
    | table identity, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber, mobile, manager, priority, department, category, watchlist, whenCreated, endDate
    | rename personalTitle AS prefix, displayName AS nick, givenName AS first, sn AS last, mail AS email, telephoneNumber AS phone, mobile AS phone2, manager AS managedBy, department AS bunit, whenCreated AS startDate ]

Last modified on 14 September, 2020

This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.2.0, 2.2.1, 3.0.0, 3.0.1, 3.0.2, 3.0.3

