The ldapsearch command
Overview
The ldapsearch command retrieves results from the specified search from the configured domains and generates events. It must be at the beginning of a search pipeline. A sample usage follows:
| ldapsearch domain=SPL search="(objectClass=user)"
There are several possible arguments for ldapsearch
:
Argument | Description |
---|---|
domain=<domain> | Specifies the name of a configuration stanza in ldap.conf. If you do not specify a domain, the command uses the default stanza. |
search=<search-filter> | Specifies the RFC 2254-compliant search string. |
attrs=<attribute-names> | Specifies a comma-delimited list of attributes to return as fields. |
debug=<boolean> | Specifies whether or not ldapsearch should write debug log data. When set to T, specifies that debug logging should occur. |
limit=<size-limit> | Specifies that only a certain number of entries should be returned. This argument is optional and defaults to all entries. |
basedn=<search-base> | Specifies a search base as the starting point instead of the default as set in the ldap configuration stanza identified by domain. |
scope=<base|one|sub> | Specifies the scope of the search to be one of base, one, or sub. Base retrieves only parent domain data. One retrieves one level of a sub-domain data. Sub retrieves all sub-domain data. The default is sub.
|
logging_level=(CRITICAL|ERROR|WARNING|INFO|DEBUG) | Specifies the logging level for the $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log file. Splunk can access this file with the "index=_internal sourcetype=SA-ldapsearch" search and exposes the following fields:
File: Full pathname of the source file where the logging call was made. |
ldapsearch
writes its debug logs to $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log. Splunk indexes and rotates this file by default.
On return, the raw value of each event is the LDAP Data Interchange Format (LDIF) representation of the record. In addition, the command returns a number of attributes as values. When the command returns attributes as values, it decodes those values on the fly. For instance, the command represents a globally unique ID (GUID) or security ID (SID) in human-readable form, even though the LDIF form in the event itself remains in base-64-encoded format. By default, the command returns all user attributes.
Examples
See Create an asset lookup from your current LDAP data in Splunk Enterprise Security for more details.
To get a table suitable for pushing into the identities.csv
file for the Splunk App for Enterprise Security:
| ldapsearch domain=SPL search="(&(objectclass=user)
(!(objectClass=computer)))"
| search userAccountControl="NORMAL_ACCOUNT"
| eval suffix=""
| eval priority="medium"
| eval category="normal"
| eval watchlist="false"
| eval endDate=""
| table sAMAccountName, personalTitle, displayName, givenName, sn, suffix,
mail, telephoneNumber, mobile, manager, priority, department, category,
watchlist, whenCreated, endDate
| rename sAMAccountName AS identity, personalTitle AS prefix,
displayName AS nick, givenName AS first, sn AS last, mail AS email,
telephoneNumber AS phone, mobile AS phone2, manager AS managedBy,
department as bunit, whenCreated AS startDate
If you have multiple domains, you can run multiple ldapsearch
commands that are joined using the append
command. For example:
| ldapsearch domain=SPL search="(&(objectclass=user)
(!(objectClass=computer)))"
| search userAccountControl="NORMAL_ACCOUNT"
| eval suffix=""
| eval priority="medium"
| eval category="normal"
| eval watchlist="false"
| eval endDate=""
| eval identity = "SPL\\" + sAMAccountName
| table identity, personalTitle, displayName, givenName, sn, suffix,
mail, telephoneNumber, mobile, manager, priority, department, category,
watchlist, whenCreated, endDate
| rename personalTitle AS prefix, displayName AS nick, givenName AS first,
sn AS last, mail AS email, telephoneNumber AS phone, mobile AS phone2,
manager AS managedBy, department AS bunit, whenCreated AS startDate
| append [ ldapsearch domain=ENG search="(&(objectclass=user)
(!(objectClass=computer)))"
| search userAccountControl="NORMAL_ACCOUNT"
| eval suffix=""
| eval priority="medium"
| eval category="normal"
| eval watchlist="false"
| eval endDate=""
| eval identity = "ENG\\" + sAMAccountName
| table identity, personalTitle, displayName, givenName, sn, suffix,
mail, telephoneNumber, mobile, manager, priority, department, category,
watchlist, whenCreated, endDate
| rename personalTitle AS prefix, displayName AS nick, givenName AS first,
sn AS last, mail AS email, telephoneNumber AS phone,
mobile AS phone2, manager AS managedBy, department AS bunit,
whenCreated asASstartDate ]
Upgrade the Splunk Supporting Add-on for Active Directory (SA-LDAPSearch) | The ldapfilter command |
This documentation applies to the following versions of Splunk® Supporting Add-on for Active Directory: 3.1.1
Feedback submitted, thanks!