Add-on for LDAP: How to search for user entries (user_id) from logs and return users' real names?

alexantao
Path Finder

Hi,

I have some logs from my proxy. Inside it, there is a field that indicates the userid (user_id) the user entered when authenticating.
I want to generate a report that shows me the top users, but I need to translate the user_id to their real name from our OpenLDAP server.

I installed TA-LDAP, tried this, and it works. I put a simple search string to test:

user_id="myuserID" | ldap ldap_filter="uid=myuserID" attrs="givenname,sn"

and it works, returns a table with the username I want.

Now I need to make a search and return a table for all users I have, making stats for them, but I couldn't figure out how to pass the user_id dynamically to the ldap command.
For example, I tried to generate all log entries just translating the usernames:

user_id="myuserID" | ldap ldap_filter="uid=user_id" attrs="givenname,sn"

but internally the ldap command receives:

myldap:319 - using ldap_filter :  uid=user_id

I have already tried eval to generate a dynamic string, but it didn't work. Anything I pass to the ldap command is fixed and cannot be changed.

I've been thinking if it is possible to make a lookup to do the job, but I also did not manage to figure out how to do it. I know there is a myldap.py command in the bin folder of the plug-in, but how do I convert it to a lookup command?

Does somebody have some tips to make it work?

Thanks a lot!

0 Karma

MuS
Legend

Hi alexantao,

I wrote this app and will try to help you. Have you tried to run your search using a $user_id$?

 user_id="myuserID" | ldap ldap_filter="uid=$user_id$" attrs="givenname,sn"

cheers, MuS

0 Karma

gopmister
Explorer

MuS,

I understand you wrote the Active Directory Add-on app. I have a question: I have a list of users that I need to pull LDAP information on. Is there a way I can do an inputlookup with ldap search? Let me know if that could be a possibility. I am trying to gather every attribute for these users and whether they are deactivated or not.
Thanking you for your time.

Gopmister

0 Karma

MuS
Legend

Hi @Gopmister,

If you are referring to the Active Directory add-on or SA-ldapsearch (https://splunkbase.splunk.com/app/1151/), I did not write that one. I haven't added the tokens into my app yet, but thanks for reminding me 😉

cheers, MuS

0 Karma

alexantao
Path Finder

Hi MuS,

While I cannot do this with a lookup, I decided to take a temporary approach with a scheduled search that takes ALL users from my OpenLDAP and generates a lookup table with: login, Name, so that I can use it in my searches until I can search my server directly as a lookup.

Just to inform you, I was writing another message about a problem I had trying to search. I just realized what the problem is, but didn't figure out what to do to solve it. It seems that the sizelimit is being set by default to 55 entries. All my searches were limited to this number. When I manually set it to 500 I get the results. I contacted the LDAP admin and he told me the max search configured on the server is 2000. So I think I will not be able to execute this new idea, since we have more than 10.000 users.

Any ideas?

0 Karma

MuS
Legend

You can set the sizelimit by using the sizelimit= option:

 | ldap server="foo" sizelimit="100"

BTW the default for sizelimit is 10 not 55

0 Karma

alexantao
Path Finder

Hi MuS!

Thank you for the support!
I tried it as you posted and it did not work. It is taking the literal string as the parameter. Here is the log.

     INFO    myldap:319 - using ldap_filter :  uid=$user_id$
0 Karma

MuS
Legend

HeHe, how dare you not take the $user_id$!
Sorry for that - never thought of that use case! I'll have a look at what can be done. Planning an update anyway.
Cannot give you a time frame when it will happen, but it will...

0 Karma
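
The lookup conversion asked about in the original question, sketched as a Splunk external lookup script; this is an added example, not code from TA-LDAP or from the posters. It assumes the ldap3 library, an anonymous bind, and placeholder server, base DN, script and stanza names, and it escapes each log-supplied user_id per RFC 4515 before the value enters the filter.

```python
# transforms.conf (assumed stanza and script names):
#   [ldap_names]
#   external_cmd = ldap_name_lookup.py user_id givenname sn
#   fields_list = user_id, givenname, sn
import csv
import sys

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def build_filter(user_id):
    """Return (uid=<value>) with the log-supplied value escaped."""
    return "(uid=%s)" % "".join(_FILTER_ESCAPES.get(c, c) for c in user_id)


def ldap_resolver(uri, base_dn):
    """Return a search function backed by ldap3 (assumption: installed, anonymous bind)."""
    from ldap3 import Connection, Server
    conn = Connection(Server(uri), auto_bind=True)

    def search(ldap_filter):
        conn.search(base_dn, ldap_filter, attributes=["givenName", "sn"], size_limit=1)
        if not conn.entries:
            return None
        entry = conn.entries[0]
        return str(entry.givenName), str(entry.sn)
    return search


def run_lookup(infile, outfile, search):
    """External lookup protocol: CSV rows in, same rows out with names filled in."""
    reader = csv.DictReader(infile)
    writer = csv.DictWriter(outfile, fieldnames=reader.fieldnames)
    writer.writeheader()
    cache = {}  # one directory query per distinct user_id, hits and misses alike
    for row in reader:
        uid = row.get("user_id", "")
        if uid and uid not in cache:
            cache[uid] = search(build_filter(uid))
        found = cache.get(uid)
        if found:
            row["givenname"], row["sn"] = found
        writer.writerow(row)


if __name__ == "__main__":
    # Constructed placeholder server and base DN.
    run_lookup(sys.stdin, sys.stdout, ldap_resolver("ldap://ldap.example.com", "dc=example,dc=com"))
```

Because each lookup asks for a single entry, the server-side size limit discussed in the thread does not apply to it the way it does to a full directory export.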