Hi!
I am using the ldapsearch command on my Splunk 6.3.2 system and SA-ldapsearch 2.2.3 and not getting all of the fields that I am expecting.
The command is:
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="sAMAccountName,displayName,givenName,sn,department,company,whenCreated"
When I run this, I get a set of records like:
{"sAMAccountName":"Jim.Hargreaves","givenName":"Jim","sn":"Hargreaves","whenCreated":"20150807092238.0Z","displayName":"Jim Hargreaves"}
And I have absolutely NO data in the department and company attributes, as expected.
Does anyone know why this might happen and how to fix it?
Kindest regards,
BlueSocket
I have found the fix and fixed it.
1) I found that the AD Server is a Global Catalog server within AD Sites and Services.
2) Then I found that there are two different ports that you can query AD on - 3268 and 389:
a) If you query AD on 3268, then you are querying the Global Catalog, but
b) If you query AD on 389, you are querying the Domain.
The document that I found that told me this was:
https://technet.microsoft.com/en-us/library/cc978012.aspx
I found that the LDAP App was querying on port 3268. When I changed it to query 389, the queries worked!
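Added example (not part of the original thread and not SA-ldapsearch code): a small Python check for the situation described in the answer above, where a connection bound to a Global Catalog port returns only the partial attribute set that the GC replicates. The ldap.conf stanza names, host names and the `server`/`port`/`basedn` key names in the sample are assumptions; the record and attribute list are the ones from the question.

```python
import configparser

# Global Catalog ports mapped to the domain-partition port to use instead
# (3268 -> 389 for LDAP, 3269 -> 636 for LDAP over SSL).
GC_TO_DOMAIN_PORT = {3268: 389, 3269: 636}

# Constructed sample ldap.conf; stanza names, hosts and key names are assumptions.
SAMPLE_CONF = """
[default]
server = dc01.my.tld
port = 3268
basedn = DC=my,DC=tld

[child]
server = dc02.child.my.tld
port = 636
basedn = DC=child,DC=my,DC=tld
"""

# Record and attrs list as shown in the question above.
REQUESTED = "sAMAccountName,displayName,givenName,sn,department,company,whenCreated"
RECORD = {"sAMAccountName": "Jim.Hargreaves", "givenName": "Jim", "sn": "Hargreaves",
          "whenCreated": "20150807092238.0Z", "displayName": "Jim Hargreaves"}


def gc_bound_stanzas(conf_text):
    """Return {stanza: suggested_port} for stanzas that query a Global Catalog port."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = {}
    for stanza in parser.sections():
        # 389 is assumed here as the port when a stanza does not set one.
        port = parser.getint(stanza, "port", fallback=389)
        if port in GC_TO_DOMAIN_PORT:
            findings[stanza] = GC_TO_DOMAIN_PORT[port]
    return findings


def missing_attrs(requested, record):
    """List requested attributes absent from a result. LDAP omits unset
    attributes too, so treat this as a lead and confirm against port 389."""
    wanted = [a.strip() for a in requested.split(",") if a.strip()]
    return [a for a in wanted if a not in record]


if __name__ == "__main__":
    print("GC-bound stanzas:", gc_bound_stanzas(SAMPLE_CONF))
    print("Missing from result:", missing_attrs(REQUESTED, RECORD))
```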
If you delete attrs="..." and leave
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"
You'll see all the attributes.
Bye.
Giuseppe
I had already tried that one, sadly. If I use this string:
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"
I get:
{"userAccountControl":["DONT_EXPIRE_PASSWD","NORMAL_ACCOUNT"],"memberOf":["CN=Special,OU=Security Groups,DC=my,DC=tld","CN=Domain Users,CN=Users,DC=my,DC=tld"],"givenName":"Jim","primaryGroupID":"513","whenCreated":"20150807092238.0Z","objectCategory":"CN=Person,CN=Schema,CN=Configuration,DC=my,DC=tld","name":"Jim Hargreaves","sAMAccountType":"NORMAL_USER_ACCOUNT","instanceType":["WRITE"],"objectSid":"S-1-5-21-3245572396-1783235147-58263765-1119","sAMAccountName":"Jim.Hargreaves","objectGUID":"a68b6b65-160c-4dc7-904d-ac394b475413","displayName":"Jim Hargreaves","whenChanged":"20161024145615.0Z","dSCorePropagationData":["20150917143232.0Z","20150807092238.0Z","16010101000000.0Z"],"cn":"Jim Hargreaves","userPrincipalName":"Jim.Hargreaves@my.tld","lastLogonTimestamp":"2016-10-24T14:33:34.178838Z","uSNCreated":"35254","objectClass":["top","person","organizationalPerson","user"],"distinguishedName":"CN=Jim Hargreaves,OU=Special Users,DC=my,DC=tld","sn":"Hargreaves","uSNChanged":"317679"}
It was because I was not getting enough that I tried using the attrs option.
I used this search and it runs, displaying all fields!
Did you try with another LDAP client like JXplorer?
Bye.
Giuseppe
Not sure what JXplorer is, and would it integrate into Splunk and the ldapsearch?
No, JXplorer is a tool (an LDAP client) that is useful to see what your LDAP shares; maybe department and company aren't accessible.
Anyway, the correct way to access LDAP data from Splunk is the one you used.
You can also insert a token in your search: this is a search I inserted in one dashboard to have all the LDAP fields of a chosen Account Name
| ldapsearch search="(&(objectClass=user)(sAMAccountName=$Login$)(!(objectClass=computer)))"
Bye.
Giuseppe
Giuseppe,
Yeah, I got that down last night before I finished and queried Active Directory. With JXplorer, it showed the data.
Hmmm.
Just thought, I am querying Active Directory 2012, not just LDAP. That might be the difference?
Maybe, I'm not an expert in LDAP!
Bye.
Giuseppe