All Apps and Add-ons

Is it possible to run LDAP searches against multiple domains using the Splunk Support for Active Directory add-on?

ckillg
Path Finder

We have an environment in which our machine accounts are located in two domains, and our user accounts are located in another, separate domain. Also, the user domain is trusted by the machine domains, but the machine domains are not trusted by the user domain.

Is it possible to have Splunk do LDAP searches against all three domains?

0 Karma
1 Solution

acharlieh
Influencer

The documentation states that it is indeed possible to configure multiple domains with SA-ldapsearch. (With instructions on how to add and remove domains)

That's why ldapsearch has a domain parameter. Now if you're wanting to have searches against all three domains in the same Splunk search, this is where commands like append might be useful, but it depends on what you're actually trying to do with queries against all three domains will determine how you want to join the results, if you want to do such.

Furthermore, I am not an AD administrator, but depending on how the domains are set up, if all three domains are in the same forest, you may be able to configure SA-Ldapsearch to query the global catalog instead of each individual domain, thus being able to retrieve objects from one LDAP query instead of three. I'll defer to TechNet to explain more about the global catalog and how to use it.

View solution in original post

acharlieh
Influencer

The documentation states that it is indeed possible to configure multiple domains with SA-ldapsearch. (With instructions on how to add and remove domains)

That's why ldapsearch has a domain parameter. Now if you're wanting to have searches against all three domains in the same Splunk search, this is where commands like append might be useful, but it depends on what you're actually trying to do with queries against all three domains will determine how you want to join the results, if you want to do such.

Furthermore, I am not an AD administrator, but depending on how the domains are set up, if all three domains are in the same forest, you may be able to configure SA-Ldapsearch to query the global catalog instead of each individual domain, thus being able to retrieve objects from one LDAP query instead of three. I'll defer to TechNet to explain more about the global catalog and how to use it.

MuS
Legend

One reason I wrote this little add-on https://splunkbase.splunk.com/app/1852/ was the limitation of the older sa-ldapsearch app; also it uses the Python LDAP module. But it only works on *nix and not Windows....

0 Karma

ckillg
Path Finder

help? anyone? PLEASE!

0 Karma
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...