Splunk® Supporting Add-on for Active Directory

Deploy and Use the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch)


The ldapsearch command

Overview

The ldapsearch command retrieves results from the specified search from the configured domains and generates events. It must be at the beginning of a search pipeline. A sample usage follows:

| ldapsearch domain=SPL search="(objectClass=user)"

There are several possible arguments for ldapsearch:

domain=<domain>
    Specifies the name of a configuration stanza in ldap.conf. If you do not specify a domain, the command uses the default stanza.

search=<search-filter>
    Specifies the RFC 2254-compliant search filter string.

attrs=<attribute-names>
    Specifies a comma-delimited list of attributes to return as fields.

debug=<boolean>
    Specifies whether ldapsearch writes debug log data. When set to T, debug logging occurs.

limit=<size-limit>
    Specifies the maximum number of entries to return. This argument is optional and defaults to all entries.

basedn=<search-base>
    Specifies a search base to use as the starting point instead of the default set in the ldap configuration stanza identified by domain.

scope=<base|one|sub>
    Specifies the scope of the search: one of base, one, or sub. The default is sub.

logging_level=(CRITICAL|ERROR|WARNING|INFO|DEBUG)
    Specifies the logging level for the $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log file. You can search this file in Splunk with "index=_internal sourcetype=SA-ldapsearch"; the events expose the following fields:

File: Full pathname of the source file where the logging call was made.
Level: Level of the logging call that was made; one of CRITICAL, ERROR, WARNING, INFO, or DEBUG.
Line: Line number in the source file where the logging call was made.
Pid: ID of the process that made the logging call.
log_source: String of the form "Pid=<Pid>, File=<File>, Line=<Line>".
message: Full text of the logged message.

ldapsearch writes its debug logs to $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log. Splunk indexes and rotates this file by default.

On return, the raw value of each event is the LDAP Data Interchange Format (LDIF) representation of the record. In addition, the command returns the record's attributes as field values and decodes them on the fly: for instance, a globally unique ID (GUID) or security ID (SID) appears as a field in human-readable form, even though it remains base-64-encoded in the LDIF text of the event itself. By default, the command returns all user attributes.
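The decoding step described above, as an added Python illustration that is not the add-on's own code: it parses an LDIF record shaped like the raw event and turns the base64-encoded objectGUID and objectSid into the human-readable forms the command returns as fields. The record, its DN and all its values are constructed for the example.

```python
import base64
import struct
import uuid

# Constructed sample record in the LDIF form the raw event carries; DN and
# values are made up. A "::" separator marks a base64-encoded value.
SAMPLE_LDIF = """dn: CN=Jane Doe,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: jdoe
objectGUID:: Z0UjAauJ780BI0VniavN7w==
objectSid:: AQUAAAAAAAUVAAAAAQAAAAIAAAADAAAA9AEAAA==
userAccountControl: 512
"""

def parse_ldif(text):
    """Parse one LDIF record into {attr: [values]}; '::' values become bytes. Continuation lines are not handled."""
    record = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # attr:: <base64>
            decoded = base64.b64decode(value[1:].strip())
        else:                              # attr: <text>
            decoded = value.strip()
        record.setdefault(attr.strip(), []).append(decoded)
    return record

def decode_guid(raw):
    """objectGUID uses the Windows layout: first three fields little-endian."""
    return str(uuid.UUID(bytes_le=raw))

def decode_sid(raw):
    """objectSid: revision, sub-authority count, 48-bit big-endian authority, then 32-bit little-endian sub-authorities."""
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID: length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)

def decode_record(text):
    """Mimic the command's decoded fields: binary IDs in human-readable form."""
    fields = {k: v[0] if len(v) == 1 else v for k, v in parse_ldif(text).items()}
    if "objectGUID" in fields:
        fields["objectGUID"] = decode_guid(fields["objectGUID"])
    if "objectSid" in fields:
        fields["objectSid"] = decode_sid(fields["objectSid"])
    return fields
```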

Examples

See Example methods of adding asset and identity data in Splunk Enterprise Security for more details.

To get a table suitable for pushing into the identities.csv file for the Splunk App for Enterprise Security:

| ldapsearch domain=SPL search="(&(objectclass=user) (!(objectClass=computer)))" | search userAccountControl="NORMAL_ACCOUNT" | eval suffix="" | eval priority="medium" | eval category="normal" | eval watchlist="false" | eval endDate="" | table sAMAccountName, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber, mobile, manager, priority, department, category, watchlist, whenCreated, endDate | rename sAMAccountName AS identity, personalTitle AS prefix, displayName AS nick, givenName AS first, sn AS last, mail AS email, telephoneNumber AS phone, mobile AS phone2, manager AS managedBy, department AS bunit, whenCreated AS startDate

If you have multiple domains, you can run multiple ldapsearch commands that are joined using the append command. For example:

| ldapsearch domain=SPL search="(&(objectclass=user) (!(objectClass=computer)))" | search userAccountControl="NORMAL_ACCOUNT" | eval suffix="" | eval priority="medium" | eval category="normal" | eval watchlist="false" | eval endDate="" | eval identity = "SPL\\" + sAMAccountName | table identity, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber, mobile, manager, priority, department, category, watchlist, whenCreated, endDate | rename personalTitle AS prefix, displayName AS nick, givenName AS first, sn AS last, mail AS email, telephoneNumber AS phone, mobile AS phone2, manager AS managedBy, department AS bunit, whenCreated AS startDate | append [ ldapsearch domain=ENG search="(&(objectclass=user) (!(objectClass=computer)))" | search userAccountControl="NORMAL_ACCOUNT" | eval suffix="" | eval priority="medium" | eval category="normal" | eval watchlist="false" | eval endDate="" | eval identity = "ENG\\" + sAMAccountName | table identity, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber, mobile, manager, priority, department, category, watchlist, whenCreated, endDate | rename personalTitle AS prefix, displayName AS nick, givenName AS first, sn AS last, mail AS email, telephoneNumber AS phone, mobile AS phone2, manager AS managedBy, department AS bunit, whenCreated AS startDate ]


This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.2.0


Comments

@Bsaujla131984,

By locked, do you mean a user has been locked out after a number of unsuccessful login attempts? To find locked users, use this query:

| ldapsearch search="(&(objectClass=user)(lockoutTime>=1))"

For more information about locked-out users on an LDAP server, see https://ldapwiki.com/wiki/Active%20Directory%20Locked%20Accounts.

Nicolen splunk, Splunker
March 7, 2019

Hi,

Can I create a search for user locked in LDAP?

Thanks,

Bsaujla131984
March 1, 2019

Where do I put these commands? I don't see any .conf file to insert them into in the documentation.

Xmdofp
February 9, 2017

Hi,

That "inner box" you see is an issue with the new skin for the docs site. I'm putting in a request to have it reviewed and corrected. We use a special tag to create those "search" boxes and it does not appear to work properly in the new skin.

To answer your previous question (sorry for the delay!) I believe the answer is that you cannot search more than one domain at a time, but I am getting an updated answer from one of our engineers and will provide that as soon as I receive it.

Malmoore, Splunker
December 15, 2015

There is a strange "inner box" separating the first command in the example searches from the rest of the commands.

Woodcock
December 14, 2015

Can multiple domains be queried with a single command?

Woodcock
October 8, 2015
