Is it possible to run LDAP searches against multiple domains using the Splunk Support for Active Directory add-on?

ckillg
Path Finder

We have an environment in which our machine accounts are located in two domains, and our user accounts are located in another, separate domain. Also, the user domain is trusted by the machine domains, but the machine domains are not trusted by the user domain.

Is it possible to have Splunk do LDAP searches against all three domains?

0 Karma
1 Solution

acharlieh
Influencer

The documentation states that it is indeed possible to configure multiple domains with SA-ldapsearch. (With instructions on how to add and remove domains)

That's why ldapsearch has a domain parameter. Now, if you want to run searches against all three domains in the same Splunk search, this is where commands like append might be useful, but what you're actually trying to do with the queries against all three domains will determine how you want to join the results, if you want to join them at all.

Furthermore, I am not an AD administrator, but depending on how the domains are set up, if all three domains are in the same forest, you may be able to configure SA-ldapsearch to query the global catalog instead of each individual domain, thus being able to retrieve objects from one LDAP query instead of three. I'll defer to TechNet to explain more about the global catalog and how to use it.

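As an added example, not part of the accepted answer above, here is what the append approach looks like as a single Splunk search. It assumes that ldap.conf for SA-ldapsearch already contains three domain stanzas named USERS, MACHINES_A and MACHINES_B (the names are assumptions); each stanza carries its own server, binddn and password, which is why the one-way trust described in the question does not matter to Splunk: it binds to each domain directly with an account that is valid there. The attribute list is also illustrative.

```spl
| ldapsearch domain=USERS search="(&(objectCategory=person)(objectClass=user))" attrs="sAMAccountName,distinguishedName,userAccountControl"
| eval src_domain="USERS", object_type="user"
| append [
    | ldapsearch domain=MACHINES_A search="(objectClass=computer)" attrs="sAMAccountName,distinguishedName,operatingSystem,lastLogonTimestamp"
    | eval src_domain="MACHINES_A", object_type="computer" ]
| append [
    | ldapsearch domain=MACHINES_B search="(objectClass=computer)" attrs="sAMAccountName,distinguishedName,operatingSystem,lastLogonTimestamp"
    | eval src_domain="MACHINES_B", object_type="computer" ]
| table src_domain, object_type, sAMAccountName, distinguishedName, userAccountControl, operatingSystem, lastLogonTimestamp
```

Tagging every row with src_domain before the append matters because sAMAccountName is only unique within a domain; without it, a machine account in MACHINES_A and one with the same name in MACHINES_B become indistinguishable once the results are stacked. The two appended ldapsearch calls run as subsearches, so they are subject to the maxout and maxtime limits of append; on a large domain raise those explicitly rather than silently truncating the computer list. If all three domains are in one forest, the global catalog alternative from the answer is a fourth ldap.conf stanza whose server points at a global catalog server on port 3268 (3269 with SSL) with the forest root as basedn, after which a single `| ldapsearch domain=<that stanza> ...` returns objects from all three domains, limited to the attributes replicated to the global catalog.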
MuS
Legend

One reason I wrote this little add-on https://splunkbase.splunk.com/app/1852/ was the limitation of the older sa-ldapsearch app; also it uses the Python LDAP module. But it only works on *nix and not Windows....

0 Karma

ckillg
Path Finder

help? anyone? PLEASE!

0 Karma