topic Re: Splunk LDAP search add on: Ldap attrs config in Splunk Enterprise

Splunk LDAP search add on: Ldap attrs config

williamcclark — Fri, 19 Jan 2024 18:52:43 GMT

Can someone explain to me where the attrs argument pulls its attributes from? Originally I thought it was essentially the "-Properties" flag from Get-ADuser and I would be able to use those properties but whenever I try it says "External search command 'ldapsearch' returned error code 1. Script output = "error_message=Invalid attribute types in attrs list: PasswordExpirationDate "." Where is the attrs list? How can I define more attrs?

Re: Splunk LDAP search add on: Ldap attrs config

tscroggins — Sat, 20 Jan 2024 17:07:28 GMT

Hi @williamcclark,

The ldapsearch command attrs argument is similar to the Get-ADUser cmdlet Properties parameter; however, unlike Get-ADUser, ldapsearch does not return a default set of LDAP attributes. Using ldapsearch without the attrs argument is equivalent to running Get-ADUser -Properties *. (Technically, the default value for attrs is the Python constant ldap3.ALL_ATTRIBUTES, which evaluates to *.)

To limit the attributes returned, provide a comma-delimited list to the attrs argument:

| ldapsearch attrs="sn,givenName,sAMAccountName"

In the add-on code, "Invalid attributes types in attrs list" is returned when a requested attribute is not present in the directory schema.

How are you using the ldapsearch command? Is it being used by another app or add-on? Does the use case expect a schema extension that isn't installed on your target directory? For example, are you searching for Exchange-related attributes in a directory that does not have the Exchange schema extensions installed?

Re: Splunk LDAP search add on: Ldap attrs config

williamcclark — Mon, 22 Jan 2024 15:03:52 GMT

Hi @tscroggins I was using the search app to run

| ldapsearch search="(&(objectClass=user))" attrs=name, accountExpires

accountExpires is the attribute causing the aforementioned error. I know the property exists because I am able to call it via Get-ADUser.

Re: Splunk LDAP search add on: Ldap attrs config

tscroggins — Mon, 22 Jan 2024 15:43:16 GMT

That may be an off by one error in the script block that checks attributes and writes error messages; name isn't a valid attribute. Instead of name, try cn, displayName, sAMAccountName, givenName, sn, etc.

Re: Splunk LDAP search add on: Ldap attrs config

williamcclark — Mon, 22 Jan 2024 15:58:04 GMT

Name does return a value, as does every other attribute you listed. How is name not valid? Isn't it just pulling from properties in AD?

Re: Splunk LDAP search add on: Ldap attrs config

tscroggins — Sun, 28 Jan 2024 00:35:53 GMT

Ah, you are correct. "name" is the relative distinguished name (RDN) of the object. If the object's distinguished name is CN=foo,DC=example,DC=com, the name value should be foo.

accountExpires is a valid attribute in my Windows Server 2022 Active Directory environment.

A slightly modified version of the search works for me:

| ldapsearch search="(&(objectClass=user))" attrs="name,accountExpires"

What other information can you provide about your Active Directory environment?

Re: Splunk LDAP search add on: Ldap attrs config

williamcclark — Wed, 27 Mar 2024 21:42:09 GMT

Sorry for the late reply... Just started back working on this. For anyone who is curious, the answer was the port we were using had less attributes.