Re: How does one use an OR ldap query in ldapfilte...

tomcochran · ‎04-06-2016

Example:
Splunk does not like the | in the ldap query

| ldapfilter domain=DIR search="(|(sAMAccountName=$User$)(objectSid=$SID$))" attrs="cn,objectSid"

Also does not work to escape it:

| ldapfilter domain=DIR search="(\|(sAMAccountName=$User$)(objectSid=$SID$))" attrs="cn,objectSid"

javiergn · ‎04-06-2016

Take a look at this: https://tools.ietf.org/search/rfc2254

   If a value should contain any of the following characters

           Character       ASCII value
           ---------------------------
           *               0x2a
           (               0x28
           )               0x29
           \               0x5c
           NUL             0x00

   the character must be encoded as the backslash '\' character (ASCII
   0x5c) followed by the two hexadecimal digits representing the ASCII
   value of the encoded character. The case of the two hexadecimal
   digits is not significant.

   This simple escaping mechanism eliminates filter-parsing ambiguities
   and allows any filter that can be represented in LDAP to be
   represented as a NUL-terminated string. Other characters besides the
   ones listed above may be escaped using this mechanism, for example,
   non-printing characters.

Specifically this:

Other characters besides the ones listed above may be escaped using this mechanism, for example, non-printing characters.

Therefore I would try the following. Please let me know if works as I don't have a test lab to verify:

| ldapfilter domain=DIR search="(\7c(sAMAccountName=$User$)(objectSid=$SID$))" attrs="cn,objectSid"

How does one use an OR ldap query in ldapfilter?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases