
Is it possible to run LDAP searches against multiple domains using the Splunk Support for Active Directory add-on?

ckillg
Path Finder

We have an environment in which our machine accounts are located in two domains, and our user accounts are located in another, separate domain. Also, the user domain is trusted by the machine domains, but the machine domains are not trusted by the user domain.

Is it possible to have Splunk do LDAP searches against all three domains?


acharlieh
Influencer

The documentation states that it is indeed possible to configure multiple domains with SA-ldapsearch (with instructions on how to add and remove domains).

That's why ldapsearch has a domain parameter. Now, if you're wanting to have searches against all three domains in the same Splunk search, this is where commands like append might be useful, but what you're actually trying to do with queries against all three domains will determine how you want to join the results, if you want to do so at all.

Furthermore, I am not an AD administrator, but depending on how the domains are set up, if all three domains are in the same forest, you may be able to configure SA-Ldapsearch to query the global catalog instead of each individual domain, thus being able to retrieve objects from one LDAP query instead of three. I'll defer to TechNet to explain more about the global catalog and how to use it.

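One way to put the suggestion above into a single search, as an added example that is not part of the original answer: each domain is queried with its own ldapsearch call, tagged with the configured domain name, and the result sets are combined with append. The stanza names machines_a, machines_b and users are assumed placeholders for whatever domains are configured in SA-ldapsearch's ldap.conf; the attributes listed are standard AD attributes.

```spl
| ldapsearch domain="machines_a" search="(objectClass=computer)" attrs="cn,dNSHostName,operatingSystem,lastLogonTimestamp"
| eval src_domain="machines_a", object_type="computer"
| append maxout=100000
    [| ldapsearch domain="machines_b" search="(objectClass=computer)" attrs="cn,dNSHostName,operatingSystem,lastLogonTimestamp"
     | eval src_domain="machines_b", object_type="computer"]
| append maxout=100000
    [| ldapsearch domain="users" search="(&(objectCategory=person)(objectClass=user))" attrs="sAMAccountName,cn,userAccountControl,lastLogonTimestamp"
     | eval src_domain="users", object_type="user"]
| table src_domain object_type cn dNSHostName sAMAccountName operatingSystem userAccountControl lastLogonTimestamp
| stats count by src_domain object_type
```

Each append runs the bracketed search as a subsearch, so the usual subsearch limits apply; maxout is raised here because large domains easily exceed the default, and a truncated result set would silently understate the inventory. Drop the final stats line to keep the per-object rows instead of the per-domain summary.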


MuS
SplunkTrust

One reason I wrote this little add-on https://splunkbase.splunk.com/app/1852/ was the limitation of the older sa-ldapsearch app; also, it uses the Python LDAP module. But it only works on *nix and not Windows...


ckillg
Path Finder

help? anyone? PLEASE!
