Add-on for LDAP: Why am I only getting a few attributes back from ldapsearch (from SA-ldapsearch 2.2.3 and Splunk 6.3.2)?

BlueSocket
Contributor

Hi!

I am using the ldapsearch command on my Splunk 6.3.2 system and SA-ldapsearch 2.2.3 and not getting all of the fields that I am expecting.

The command is:

| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"  attrs="sAMAccountName,displayName,givenName,sn,department,company,whenCreated"

When I run this, I get a set of records like:

{"sAMAccountName":"Jim.Hargreaves","givenName":"Jim","sn":"Hargreaves","whenCreated":"20150807092238.0Z","displayName":"Jim Hargreaves"}

And I have absolutely NO data in the department and company attributes, as expected.

Does anyone know why this might happen and how to fix it?

Kindest regards,

BlueSocket

1 Solution

BlueSocket
Contributor

I have found the fix and fixed it.

1) I found that the AD Server is a Global Catalog server within AD Sites and Services.
2) Then I found that there are two different ports that you can query AD on - 3268 and 389:
a) If you query AD on 3268, then you are querying the Global Catalog, but
b) If you query AD on 389, you are querying the Domain.

The document that I found that told me this was:

https://technet.microsoft.com/en-us/library/cc978012.aspx

I found that the LDAP App was querying on port 3268. When I changed it to query 389, the queries worked!
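An added example, not part of the original post or of SA-ldapsearch: a check that flags connection stanzas pointing at a Global Catalog port (3268, or 3269 for GC over SSL) and lists the requested attributes missing from a returned record. The config text is constructed and its stanza and key names (server, port) are assumptions; the attrs list and the record are the ones posted in the question.

```python
import configparser
import json

# Global Catalog listeners and the domain (full replica) port each maps to.
GC_TO_DOMAIN_PORT = {3268: 389, 3269: 636}

# Constructed sample config; stanza and key names are assumptions.
SAMPLE_CONF = """
[my.tld]
server = dc1.my.tld
port = 3268

[lab.my.tld]
server = dc2.lab.my.tld
port = 389
"""

# attrs list and returned record as posted in the question.
REQUESTED = "sAMAccountName,displayName,givenName,sn,department,company,whenCreated"
RECORD = ('{"sAMAccountName":"Jim.Hargreaves","givenName":"Jim","sn":"Hargreaves",'
          '"whenCreated":"20150807092238.0Z","displayName":"Jim Hargreaves"}')


def gc_stanzas(conf_text):
    """Return {stanza: (configured_port, domain_port)} for stanzas on a GC port."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    hits = {}
    for name in parser.sections():
        # fallback=0: a stanza without an explicit port is not flagged.
        port = parser.getint(name, "port", fallback=0)
        if port in GC_TO_DOMAIN_PORT:
            hits[name] = (port, GC_TO_DOMAIN_PORT[port])
    return hits


def missing_attrs(requested_csv, record_json):
    """Requested attributes absent from the returned record (case-insensitive)."""
    returned = {key.lower() for key in json.loads(record_json)}
    return [a.strip() for a in requested_csv.split(",")
            if a.strip().lower() not in returned]


def diagnose(conf_text, requested_csv, record_json):
    """Pair the absent attributes with every stanza that queries the GC."""
    missing = missing_attrs(requested_csv, record_json)
    return [f"[{name}] port {port} is the Global Catalog; {', '.join(missing)} "
            f"not returned, retry on port {domain_port}"
            for name, (port, domain_port) in gc_stanzas(conf_text).items()
            if missing]
```

A missing attribute can also simply be unset on that object, so treat the output as a pointer to check the port rather than proof.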

gcusello
SplunkTrust

If you delete attrs="..." and leave
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"
You'll see all the attributes.
Bye.
Giuseppe

0 Karma

BlueSocket
Contributor

I had already tried that one, sadly. If I use this string:

 | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"

I get:

 {"userAccountControl":["DONT_EXPIRE_PASSWD","NORMAL_ACCOUNT"],"memberOf":["CN=Special,OU=Security Groups,DC=my,DC=tld","CN=Domain Users,CN=Users,DC=my,DC=tld"],"givenName":"Jim","primaryGroupID":"513","whenCreated":"20150807092238.0Z","objectCategory":"CN=Person,CN=Schema,CN=Configuration,DC=my,DC=tld","name":"Jim Hargreaves","sAMAccountType":"NORMAL_USER_ACCOUNT","instanceType":["WRITE"],"objectSid":"S-1-5-21-3245572396-1783235147-58263765-1119","sAMAccountName":"Jim.Hargreaves","objectGUID":"a68b6b65-160c-4dc7-904d-ac394b475413","displayName":"Jim Hargreaves","whenChanged":"20161024145615.0Z","dSCorePropagationData":["20150917143232.0Z","20150807092238.0Z","16010101000000.0Z"],"cn":"Jim Hargreaves","userPrincipalName":"Jim.Hargreaves@my.tld","lastLogonTimestamp":"2016-10-24T14:33:34.178838Z","uSNCreated":"35254","objectClass":["top","person","organizationalPerson","user"],"distinguishedName":"CN=Jim Hargreaves,OU=Special Users,DC=my,DC=tld","sn":"Hargreaves","uSNChanged":"317679"}

It was because I was not getting enough that I tried using the attrs option.

0 Karma

gcusello
SplunkTrust

I used this search and it runs, displaying all fields!
Did you try with another LDAP client like JXplorer?
Bye.
Giuseppe

0 Karma

BlueSocket
Contributor

Not sure what JXplorer is, and would it integrate into Splunk and the ldapsearch?

0 Karma

gcusello
SplunkTrust

No, JXplorer is a tool (an LDAP client) that is useful to see what your LDAP shares; maybe department and company aren't accessible.

Anyway, the correct way to access LDAP data from Splunk is the one you used.
You can also insert a token in your search: this is a search I inserted in one dashboard to have all the LDAP fields of a chosen Account Name
| ldapsearch search="(&(objectClass=user)(sAMAccountName=$Login$)(!(objectClass=computer)))"

Bye.
Giuseppe

0 Karma

BlueSocket
Contributor

Giuseppe,

Yeah, I got that down last night before I finished and queried Active Directory. With JXplorer, it showed the data.

Hmmm.

Just thought, I am querying Active Directory 2012, not just LDAP. That might be the difference?

0 Karma

gcusello
SplunkTrust

Maybe, I'm not an expert in LDAP!
Bye.
Giuseppe

0 Karma