
How do you extract custom AD attributes with LDAPSEARCH?

glancaster
Path Finder

I've read the following from the SA-LDAPSearch documentation:

"By default, the command returns all user attributes."

I have found this to not be the case, as we have a custom attribute and the ldapsearch command will not extract it. I have also been unable to extract it with ldapfilter command.

We are able to query ldap via powershell and have the custom attribute returned but for some reason we are unable to get the Splunk add-on to return it.

Any ideas on how to get this custom attribute returned?

Using version 2.0 of the add-on.

logloganathan
Motivator

Hi glancaster,

There are two possible reasons why you were not able to display the custom attribute:
1) The custom attribute $customAttribute$ is not available for that particular $cn$.

2) The admin account does not have permission to display the custom attribute. It needs to be specified in the ACL (access control list). Here you have to check which admin account you are using to connect to LDAP, then change the ACL setting for that admin account on the LDAP server.

Thank you

0 Karma

MartinMcNutt
Communicator

It's been a while since I touched the command, but here is an example from one of my searches that may help:

| ldapfilter domain=$domain$ search="(&(objectClass=user)(samAccountName=$SamAccountName$))" attrs="cn,displayName"

You can use attrs= to pull in the fields you want. In my example, I had to first figure out which domain the user belongs to and then tell ldapfilter to pull up the user's displayName and CN.

0 Karma

glancaster
Path Finder

Thank you. I should have mentioned that I have tried | ldapsearch domain=$domain$ search=(cn=$cn$) attrs=$cn$,$customAttribute$

it returns the CN but not the custom attribute.

0 Karma

MartinMcNutt
Communicator

If we are talking about Active Directory and Exchange CustomAttribute1-X, you have to refer to it by the Active Directory field name, which is called extensionAttribute.

If you replace SamAccountName and domain with your information, you can try this search.

... | head 1 | eval SamAccountName="myid" | eval domain="mydomain" | ldapfilter domain=$domain$ search="(&(objectClass=user)(samAccountName=$SamAccountName$))" attrs="cn,displayName,extensionAttribute2" | table samAccountName cn displayName exten*

glancaster
Path Finder

No luck on that extensionAttribute field either.

Thank you.

0 Karma

MartinMcNutt
Communicator

I would skip Splunk right now until you are certain of the field name.

When I need to snoop AD, I use Active Directory Explorer from Microsoft. It can be a bit hard to use if you are not familiar with AD, so you may want to try it last.

Your other option is to use the Advanced Features of Active Directory Users & Computers and click on the Attribute Editor tab. This will show all the values on a user account.

Note: this needs to be a Win2008 domain level, AND you need to navigate to the user's OU to see that tab. Searching for a user does bring that tab up.
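
Since the thread's advice at this point is to confirm the attribute name outside Splunk, here is an added PowerShell check that does the same thing the Attribute Editor would, plus two things the GUI does not show. It is an example added to this page, not code from the thread or from the SA-LDAPSearch add-on, and it assumes the RSAT ActiveDirectory module is installed; customAttribute, myid and dc01.mydomain.local are placeholders. It looks the attribute up in the schema to get its lDAPDisplayName (the name ldapsearch/ldapfilter attrs= needs; an Exchange CustomAttributeN shows up here as extensionAttributeN), reports whether the attribute is replicated to the global catalog (if the add-on's connection goes to a GC port, 3268/3269, attributes outside the partial attribute set are never returned), flags it if it is marked confidential (searchFlags bit 0x80, which needs an explicit control-access right to read), and finally reads the value as you and as the account the add-on binds with, which is the quickest way to separate an AD permission problem from a Splunk one.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and
# placeholder names (customAttribute, myid, dc01.mydomain.local) that you replace.
Import-Module ActiveDirectory

$attrHint   = 'customAttribute'       # part of the attribute name as you know it (placeholder)
$sam        = 'myid'                  # a user that should carry the attribute (placeholder)
$server     = 'dc01.mydomain.local'   # a DC; not the global catalog port 3268/3269 (placeholder)
$splunkBind = Get-Credential -Message 'Account that SA-LDAPSearch binds with'

# 1) Look the attribute up in the schema. lDAPDisplayName is the name that
#    ldapsearch/ldapfilter need; a GUI label or Exchange CustomAttributeN name can differ.
$schemaNC = (Get-ADRootDSE -Server $server).schemaNamingContext
$attrs = Get-ADObject -Server $server -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(|(lDAPDisplayName=*$attrHint*)(name=*$attrHint*)))" `
    -Properties lDAPDisplayName, name, attributeSyntax, isMemberOfPartialAttributeSet, searchFlags

if (-not $attrs) {
    Write-Warning "No attributeSchema object matches '$attrHint'; the attribute name is wrong."
    return
}

# InGlobalCatalog = false means a GC (port 3268/3269) query will never return it.
# Confidential    = true  means searchFlags has 0x80 set; reading it needs CONTROL_ACCESS.
$attrs | Select-Object lDAPDisplayName, name, attributeSyntax,
    @{ n = 'InGlobalCatalog'; e = { [bool]$_.isMemberOfPartialAttributeSet } },
    @{ n = 'Confidential';    e = { ($_.searchFlags -band 0x80) -ne 0 } } |
    Format-Table -AutoSize

# 2) Read the value as yourself and as the add-on's bind account. A value for you but
#    nothing for the bind account is an AD ACL (or confidential-attribute) problem.
foreach ($a in $attrs) {
    $ldapName = $a.lDAPDisplayName
    $asMe   = Get-ADUser -Server $server -Identity $sam -Properties $ldapName
    $asBind = Get-ADUser -Server $server -Identity $sam -Properties $ldapName -Credential $splunkBind
    [pscustomobject]@{
        Attribute    = $ldapName
        AsMe         = $asMe.$ldapName
        AsSplunkBind = $asBind.$ldapName
    }
}
```

Whatever lDAPDisplayName the schema query prints is the literal string to put in attrs= (not a $token$), and the bind-account comparison is what decides whether the fix belongs in the LDAP server's ACL, as the first reply suggested, or in the add-on configuration.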

glancaster
Path Finder

Yeah, I'm now looking at trying to extract all users with that attribute into a lookup table, since we need to audit these users against our Windows event logs. I will post the query here if I can get one that works.

Thanks for your help on this Martin!

0 Karma
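
For the lookup-table idea above, here is an added PowerShell version of the extraction, using the route the original poster said already works (PowerShell against AD) rather than the add-on. It is an example added to this page, not code from the thread, and it assumes the RSAT ActiveDirectory module; customAttribute, dc01.mydomain.local and the output path are placeholders. The LDAP filter is the piece worth keeping: (attr=*) is the "present" test that selects only users that actually carry a value, and objectCategory=person keeps computer accounts (which are also objectClass=user) out of the audit set. The same filter can be reused in | ldapsearch search="..." attrs="..." | outputlookup once the add-on returns the attribute.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module and placeholder
# names (customAttribute, dc01.mydomain.local, the CSV path) that you replace.
Import-Module ActiveDirectory

$ldapName = 'customAttribute'                        # lDAPDisplayName of the attribute (placeholder)
$server   = 'dc01.mydomain.local'                    # placeholder
$csvPath  = 'C:\temp\ad_custom_attribute_users.csv'  # placeholder; upload this as a Splunk lookup

# (attr=*) is the LDAP "present" filter: only users that actually have a value.
# objectCategory=person excludes computer accounts, which are objectClass=user as well.
$filter = "(&(objectCategory=person)(objectClass=user)($ldapName=*))"

$users = Get-ADUser -Server $server -LDAPFilter $filter `
    -Properties sAMAccountName, displayName, userPrincipalName, $ldapName

# Column "user" holds sAMAccountName so it can be joined to the account field in Windows
# event logs; a multi-valued attribute is flattened to one ';'-separated cell.
$rows = $users | Select-Object `
    @{ n = 'user';        e = { $_.sAMAccountName } },
    @{ n = 'upn';         e = { $_.userPrincipalName } },
    @{ n = 'displayName'; e = { $_.displayName } },
    @{ n = $ldapName;     e = { @($_.$ldapName) -join ';' } }

$rows | Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
"$(@($rows).Count) users with $ldapName exported to $csvPath"
```

After uploading the CSV as a lookup table file, the audit search joins on the user column, for example | lookup ad_custom_attribute_users user AS Account_Name OUTPUT customAttribute, where Account_Name stands for whatever field your Windows events use for the account and the lookup name is an assumption. Regenerate the CSV on a schedule, since the attribute's membership is only as current as the last export.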

glancaster
Path Finder

I will give this a go and let you know what gets returned. BTW, this is a custom attribute and not an MS-specific one, if that makes a difference.

Thanks again.

0 Karma