How does one use an OR ldap query in ldapfilter?

tomcochran · ‎04-06-2016

Example:
Splunk does not like the | in the ldap query

| ldapfilter domain=DIR search="(|(sAMAccountName=$User$)(objectSid=$SID$))" attrs="cn,objectSid"

Also does not work to escape it:

| ldapfilter domain=DIR search="(\|(sAMAccountName=$User$)(objectSid=$SID$))" attrs="cn,objectSid"

javiergn · ‎04-06-2016

Take a look at this: https://tools.ietf.org/search/rfc2254

   If a value should contain any of the following characters

           Character       ASCII value
           ---------------------------
           *               0x2a
           (               0x28
           )               0x29
           \               0x5c
           NUL             0x00

   the character must be encoded as the backslash '\' character (ASCII
   0x5c) followed by the two hexadecimal digits representing the ASCII
   value of the encoded character. The case of the two hexadecimal
   digits is not significant.

   This simple escaping mechanism eliminates filter-parsing ambiguities
   and allows any filter that can be represented in LDAP to be
   represented as a NUL-terminated string. Other characters besides the
   ones listed above may be escaped using this mechanism, for example,
   non-printing characters.

Specifically this:

Other characters besides the ones listed above may be escaped using this mechanism, for example, non-printing characters.

Therefore I would try the following. Please let me know if works as I don't have a test lab to verify:

| ldapfilter domain=DIR search="(\7c(sAMAccountName=$User$)(objectSid=$SID$))" attrs="cn,objectSid"

How does one use an OR ldap query in ldapfilter?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?