I have some logs from my proxy. Inside them, there is a field that indicates the userid (userid) the user entered when authenticating.
I want to generate a report that shows me the top users, but I need to translate the userid to their real name from our OpenLDAP server.
I installed TA-LDAP, tried this, and it works. I put a simple search string to test:
user_id="myuserID" | ldap ldap_filter="uid=myuserID" attrs="givenname,sn"
and it works, returns a table with the username I want.
Now I need to make a search and return a table for all users I have, making stats for them, but I couldn't figure out how to pass the user_id dynamically to the ldap command.
For example, I tried to generate all log entries just translating the usernames:
user_id="myuserID" | ldap ldap_filter="uid=user_id" attrs="givenname,sn"
but internally the ldap command receives:
myldap:319 - using ldap_filter : uid=user_id
I have already tried eval to generate a dynamic string, but it didn't work. Anything I pass to the ldap command is fixed and cannot be changed.
I've been thinking if it is possible to make a lookup to do the job, but I also did not manage to figure out how to do it. I know there is a myldap.py command in the bin folder of the plug-in, but how do I convert it to a lookup command?
Does somebody have some tips to make it work?
Thanks a lot!
I wrote this app and will try to help you. Have you tried to run your search using a
user_id="myuserID" | ldap ldap_filter="uid=$user_id$" attrs="givenname,sn"
Hi MuS!
Thank you for the support!
I tried as you posted and it did not work. It is taking the literal string as the parameter. Here is the log.
INFO myldap:319 - using ldap_filter : uid=$user_id$
HeHe, how dare you not taking the
Sorry for that - never thought of that use case! I'll have a look at what can be done. Planning an update anyway.
Cannot give you a time frame when it will happen, but it will......
While I cannot do this with a lookup, I decided to take a temporary approach with a scheduled search that takes ALL users from my OpenLDAP and generates a lookup table with: login, Name, so that I can use it in my searches until I can search my server directly as a lookup.
Just to inform, I was writing another message with a problem I had trying to search. But I just realized what the problem is, but didn't figure out what to do to solve it. It seems that the sizelimit is being set as default to 55 entries. All my searches were limited to this number. When I manually set it to 500 I get the results. I contacted the LDAP admin and he told me the max search configured on the server is 2000. So I think I will not be able to execute this new idea, since we have more than 10.000 users.
Any idea?
You can set the sizelimit by using the
| ldap server="foo" sizelimit="100"
BTW the default for sizelimit is 10 not 55
I understand you wrote the Active Directory Add-on app. I have a question: I have a list of users that I need to pull LDAP information on. Is there a way I can do an inputlookup with ldap search? Let me know if that could be a possibility. I am trying to gather every attribute for these users and whether they are deactivated or not.
Thanking you for your time.
If you refer to the Active Directory add-on or SA-ldapsearch https://splunkbase.splunk.com/app/1151/, I did not write that one. I haven't added the tokens into my app yet, but thanks for reminding me 😉
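The thread asks how to feed user_id values from proxy logs into an LDAP filter and how to stay under a sizelimit. The following is an added example, not code from TA-LDAP or from anyone in this thread: it escapes each value per RFC 4515, so a user-entered userid cannot change the filter's structure, and batches the ids into OR-filters that each match a bounded number of entries. The function names and sample values are hypothetical, and it assumes uid is unique per directory entry.

```python
# Added example: build escaped, size-bounded LDAP filters from log user ids.
from itertools import islice

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value so the server matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_uid_filters(user_ids, attr="uid", chunk_size=50):
    """Return OR-filters, each naming at most chunk_size distinct user ids.

    Assumption: attr is unique per entry, so one filter matches at most
    chunk_size entries and stays under any sizelimit >= chunk_size.
    """
    if chunk_size < 1:
        raise ValueError("chunk_size must be at least 1")
    # De-duplicate while keeping first-seen order; skip empty values.
    unique = list(dict.fromkeys(u.strip() for u in user_ids if u and u.strip()))
    it = iter(unique)
    filters = []
    while True:
        chunk = list(islice(it, chunk_size))
        if not chunk:
            break
        terms = "".join(f"({attr}={escape_filter_value(u)})" for u in chunk)
        # A single term needs no OR wrapper.
        filters.append(terms if len(chunk) == 1 else f"(|{terms})")
    return filters


# Constructed sample values, as they might appear in the proxy's user_id field.
SAMPLE_USER_IDS = ["jdoe", "asmith", "jdoe", "x*)(uid=*", "", "o(brien)"]

if __name__ == "__main__":
    for ldap_filter in build_uid_filters(SAMPLE_USER_IDS, chunk_size=2):
        print(ldap_filter)
```

Each returned string is a complete filter for one query; set chunk_size at or below the sizelimit in effect.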