
Add-on for LDAP: Why am I only getting a few attributes back from ldapsearch (from SA-ldapsearch 2.2.3 and Splunk 6.3.2)?

BlueSocket
Communicator

Hi!

I am using the ldapsearch command on my Splunk 6.3.2 system and SA-ldapsearch 2.2.3 and not getting all of the fields that I am expecting.

The command is:

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"  attrs="sAMAccountName,displayName,givenName,sn,department,company,whenCreated"

When I run this, I get a set of records like:

{"sAMAccountName":"Jim.Hargreaves","givenName":"Jim","sn":"Hargreaves","whenCreated":"20150807092238.0Z","displayName":"Jim Hargreaves"}

And I have absolutely NO data in the department and company attributes, as expected.

Does anyone know why this might happen and how to fix it?

Kindest regards,

BlueSocket

1 Solution

BlueSocket
Communicator

I have found the fix and fixed it.

1) I found that the AD Server is a Global Catalog server within AD Sites and Services.
2) Then I found that there are two different ports that you can query AD on - 3268 and 389:
a) If you query AD on 3268, then you are querying the Global Catalog, but
b) If you query AD on 389, you are querying the Domain.

The document that I found that told me this was:

https://technet.microsoft.com/en-us/library/cc978012.aspx

I found that the LDAP App was querying on port 3268. When I changed it to query 389, the queries worked!
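A way to confirm the port explanation above from outside Splunk, as an added example that is not part of the original post or of SA-ldapsearch: run the same filter against 3268 and 389 and list the attributes that only the domain port populates. The `fetch` helper assumes the third-party ldap3 library; the host, credentials, and the department/company sample values are placeholders constructed for the illustration.

```python
# Added example: compare what the Global Catalog port and the domain port
# return for the same entries. Nothing here is taken from SA-ldapsearch.

def fetch(host, port, base_dn, ldap_filter, attrs, user, password, use_ssl=False):
    """Run one search with ldap3 (third-party, imported lazily) and return {dn: attributes}."""
    from ldap3 import Server, Connection, SUBTREE
    conn = Connection(Server(host, port=port, use_ssl=use_ssl),
                      user=user, password=password, auto_bind=True)
    conn.search(base_dn, ldap_filter, search_scope=SUBTREE, attributes=attrs)
    return {r["dn"]: dict(r["attributes"]) for r in conn.response
            if r.get("type") == "searchResEntry"}


def populated(entry, attr):
    """True if the entry has a non-empty value for attr (LDAP attribute names are case-insensitive)."""
    for name, value in entry.items():
        if name.lower() == attr.lower():
            return value not in (None, "", [], ())
    return False


def gc_gaps(gc_entries, domain_entries, attrs):
    """Count, per attribute, entries where the domain port has a value and the GC port does not."""
    gaps = {}
    for dn, dom in domain_entries.items():
        gc = gc_entries.get(dn, {})
        for attr in attrs:
            if populated(dom, attr) and not populated(gc, attr):
                gaps[attr] = gaps.get(attr, 0) + 1
    return gaps


# Constructed sample data shaped like the records in the question; the
# department and company values are invented for the demonstration.
ATTRS = ["sAMAccountName", "displayName", "givenName", "sn", "department", "company", "whenCreated"]
DN = "CN=Jim Hargreaves,OU=Special Users,DC=my,DC=tld"
GC_3268 = {DN: {"sAMAccountName": "Jim.Hargreaves", "givenName": "Jim", "sn": "Hargreaves",
                "whenCreated": "20150807092238.0Z", "displayName": "Jim Hargreaves",
                "department": [], "company": []}}
DOMAIN_389 = {DN: dict(GC_3268[DN], department="Example Dept", company="Example Co")}

if __name__ == "__main__":
    for attr, count in sorted(gc_gaps(GC_3268, DOMAIN_389, ATTRS).items()):
        print(f"{attr}: populated on 389 but empty on 3268 for {count} entries")
```

The Global Catalog holds only a partial attribute set for each object, so attributes outside that set come back empty on 3268 even when the domain port returns them. When running `fetch` against a live directory, ports 636 and 3269 with `use_ssl=True` are the TLS equivalents of 389 and 3268 and keep the bind credentials off the wire in clear text.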

gcusello
Legend

If you delete attrs="..." and leave
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"
You'll see all the attributes.
Bye.
Giuseppe

0 Karma

BlueSocket
Communicator

I had already tried that one, sadly. If I use this string:

 | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"

I get:

 {"userAccountControl":["DONT_EXPIRE_PASSWD","NORMAL_ACCOUNT"],"memberOf":["CN=Special,OU=Security Groups,DC=my,DC=tld","CN=Domain Users,CN=Users,DC=my,DC=tld"],"givenName":"Jim","primaryGroupID":"513","whenCreated":"20150807092238.0Z","objectCategory":"CN=Person,CN=Schema,CN=Configuration,DC=my,DC=tld","name":"Jim Hargreaves","sAMAccountType":"NORMAL_USER_ACCOUNT","instanceType":["WRITE"],"objectSid":"S-1-5-21-3245572396-1783235147-58263765-1119","sAMAccountName":"Jim.Hargreaves","objectGUID":"a68b6b65-160c-4dc7-904d-ac394b475413","displayName":"Jim Hargreaves","whenChanged":"20161024145615.0Z","dSCorePropagationData":["20150917143232.0Z","20150807092238.0Z","16010101000000.0Z"],"cn":"Jim Hargreaves","userPrincipalName":"Jim.Hargreaves@my.tld","lastLogonTimestamp":"2016-10-24T14:33:34.178838Z","uSNCreated":"35254","objectClass":["top","person","organizationalPerson","user"],"distinguishedName":"CN=Jim Hargreaves,OU=Special Users,DC=my,DC=tld","sn":"Hargreaves","uSNChanged":"317679"}

It was because I was not getting enough that I tried using the attrs option.

0 Karma

gcusello
Legend

I used this search and it runs, displaying all fields!
Did you try with another LDAP client like JXplorer?
Bye.
Giuseppe

0 Karma

BlueSocket
Communicator

Not sure what JXplorer is and would it integrate into Splunk and the ldapsearch?

0 Karma

gcusello
Legend

No, JXplorer is a tool (an LDAP client) that is useful to see what your LDAP shares; maybe department and company aren't accessible.

Anyway, the correct way to access LDAP data from Splunk is the one you used.
You can also insert a token in your search: this is a search I inserted in one dashboard to have all the LDAP fields of a chosen Account Name
| ldapsearch search="(&(objectClass=user)(sAMAccountName=$Login$)(!(objectClass=computer)))"

Bye.
Giuseppe

0 Karma

BlueSocket
Communicator

Giuseppe,

Yeah, I got that down last night before I finished and queried Active Directory. With JXplorer, it showed the data.

Hmmm.

Just thought, I am querying Active Directory 2012, not just LDAP. That might be the difference?

0 Karma

gcusello
Legend

Maybe, I'm not an expert in LDAP!
Bye.
Giuseppe

0 Karma