LDAP lookup instead of filter or search

Contributor

Hi,
I am trying to resolve user names within a multistage query using appends.
ldapsearch wants to be in its own query, and I have not found a way yet to make this work (see sample below).
ldapfilter is not usable as it will skip log entries for which the LDAP query does not return an entry.

index=x*auth "user NOT in sudoers"  | 
   [ | ldapsearch search="(sAMAccountName=$user$)" attrs="displayName" ] |
   lookup server.csv Server as host  OUTPUT SID |
append [search index=x*auth  "(su-l:auth): authentication failure;" |  
   [|ldapsearch search="(sAMAccountName=$ruser$)" attrs="displayName"] |
   lookup server.csv Server as host OUTPUT SID | rename ruser as user suUser as USER] | 
append [ search index=x*auth  "PAM * more authentication failures" | 
   [| ldapsearch search="(sAMAccountName=$suUser$)" attrs="displayName" ] |
   lookup server.csv Server as host OUTPUT SID | rename suUser as user  ] | 
sort _time | table  _time host SID process rhost user displayName USER

Any ideas?
thx
afx

Re: LDAP lookup instead of filter or search

SplunkTrust

Hi @afx,

Have you considered running a daily scheduled search that groups all the ldapsearch results together into a single lookup file, or even into a KV store?
It will reduce the number of queries you run against your AD and will make the query above and similar queries way easier to create and maintain.

Cheers,
David

Re: LDAP lookup instead of filter or search

Contributor

Hi David,
I might try this as a last resort, but there are some organizational hurdles when trying to get the whole user base.
thx
afx

Re: LDAP lookup instead of filter or search

SplunkTrust

I don't mean get the whole user base; get exactly the ones you are trying to query with ldapsearch, and have them all in one lookup 🙂 That way you won't have to run append multiple times 🙂

Re: LDAP lookup instead of filter or search

Contributor

I don't know which ones to query in advance...
So I need the whole user base.
Found a way to get it though.
thx
afx

Re: LDAP lookup instead of filter or search

SplunkTrust

Awesome, could you please share your answer and accept it? 🙂

Re: LDAP lookup instead of filter or search

Contributor

Ok, this is the query I used (copied from the Enterprise Security docs):

|ldapsearch search="(&(objectclass=user)(!(objectClass=computer)))" attrs="userAccountControl,sAMAccountName,personalTitle,displayName,givenName,sn,mail,telephoneNumber,mobile,manager,department,whenCreated,accountExpires"
|makemv userAccountControl
|search userAccountControl="NORMAL_ACCOUNT" 
|eval suffix=""
|eval priority="medium"
|eval category="normal"
|eval watchlist="false"
|eval endDate="" 
|table sAMAccountName,personalTitle,displayName,givenName,sn,suffix,mail,telephoneNumber,mobile,manager,priority,department,category,watchlist,whenCreated,endDate

This is run as a scheduled report at 4am to create AD-Users.csv
Then I can resolve user names and departments easily with the following lookup

| lookup AD-Users.csv sAMAccountName as TargetUserName OUTPUT displayName, department
| fillnull value="N/A"

And the fillnull makes sure that empty fields do not exclude lines in the stats or table output.

cheers
afx
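
The two-stage pattern from the accepted answer, modelled offline in Python as an added example (this is not Splunk, SA-ldapsearch or the poster's code). It decodes the raw userAccountControl bitmask into the flag names the page's `makemv`/`search userAccountControl="NORMAL_ACCOUNT"` step relies on, writes the NORMAL_ACCOUNT entries to CSV like the 4am report, parses constructed auth lines for the three message patterns in the original query, and enriches them with a left join plus an N/A fill. The contrast with `drop_unmatched` shows why the left join matters for detection: an account that does not resolve in AD (a local account, a service user, or a name an attacker made up) must stay in the output rather than vanish the way the poster describes ldapfilter behaving. The user records, log lines, host names and which log field is treated as the account to look up are all assumptions made for the example.

```python
"""Model of: scheduled ldapsearch -> AD-Users.csv -> lookup + fillnull on auth events."""
import csv
import io
import re

# Bits of the AD userAccountControl attribute (values from Microsoft's
# definition of the attribute). SA-ldapsearch hands the page's query the
# decoded names; here we decode the integer ourselves.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def decode_uac(value):
    """Names of the flags set in a raw userAccountControl integer."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


# Constructed stand-in for the ldapsearch result set (hypothetical accounts).
LDAP_RESULTS = [
    {"sAMAccountName": "jdoe", "displayName": "Jane Doe", "department": "Ops",
     "userAccountControl": 0x10200},  # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    {"sAMAccountName": "bsmith", "displayName": "Bob Smith", "department": "Dev",
     "userAccountControl": 0x0202},   # NORMAL_ACCOUNT | ACCOUNTDISABLE: kept, as in the page's search
    {"sAMAccountName": "WS01$", "displayName": "WS01", "department": "",
     "userAccountControl": 0x1000},   # WORKSTATION_TRUST_ACCOUNT only: dropped
]

LOOKUP_FIELDS = ["sAMAccountName", "displayName", "department"]


def build_lookup_csv(results):
    """The scheduled report: keep NORMAL_ACCOUNT entries and emit AD-Users.csv content."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=LOOKUP_FIELDS)
    writer.writeheader()
    for rec in results:
        if "NORMAL_ACCOUNT" in decode_uac(rec["userAccountControl"]):
            writer.writerow({k: rec[k] for k in LOOKUP_FIELDS})
    return buf.getvalue()


def load_lookup(csv_text):
    """Index the CSV by sAMAccountName, the key the lookup command matches on."""
    return {row["sAMAccountName"]: row for row in csv.DictReader(io.StringIO(csv_text))}


# Constructed auth log lines covering the three patterns from the original query.
AUTH_LOG = [
    "Jan 10 04:12:01 srv1 sudo:     jdoe : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/bash",
    "Jan 10 04:13:22 srv2 su: pam_unix(su-l:auth): authentication failure; logname=bsmith uid=1001 euid=0 tty=pts/1 ruser=bsmith rhost=  user=root",
    "Jan 10 04:15:09 srv2 su: pam_unix(su-l:auth): authentication failure; logname=svc_backup uid=1002 euid=0 tty=pts/2 ruser=svc_backup rhost=  user=root",
    "Jan 10 04:20:45 srv3 sshd[2211]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5  user=ghost",
]

_TS = r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) "
# 'account' is the field we look up; which field that is per pattern is an assumption.
PATTERNS = [
    ("sudoers", re.compile(_TS + r"sudo:\s+(?P<account>\S+) : user NOT in sudoers .* USER=(?P<target>\S+)")),
    ("su-l", re.compile(_TS + r"su: pam_unix\(su-l:auth\): authentication failure;.*"
                        r"\bruser=(?P<account>\S*) rhost=(?P<rhost>\S*)\s+user=(?P<target>\S+)$")),
    ("pam-more", re.compile(_TS + r"\S+: PAM \d+ more authentication failures;.*"
                            r"\brhost=(?P<rhost>\S*)\s+user=(?P<account>\S+)$")),
]


def parse_auth_log(lines):
    """Normalise the three event shapes into one schema (the job the appends/renames do)."""
    events = []
    for line in lines:
        for name, rx in PATTERNS:
            m = rx.search(line)
            if m:
                d = m.groupdict()
                events.append({"ts": d["ts"], "host": d["host"], "pattern": name,
                               "account": d["account"], "target": d.get("target", ""),
                               "rhost": d.get("rhost", "")})
                break
    return events


def enrich(events, lookup, fill="N/A"):
    """Left join like `lookup ... OUTPUT displayName, department | fillnull value=N/A`:
    every event survives; accounts missing from AD get the fill value."""
    rows = []
    for ev in events:
        entry = lookup.get(ev["account"], {})
        row = dict(ev)
        for field in ("displayName", "department"):
            row[field] = entry.get(field) or fill
        rows.append(row)
    return rows


def drop_unmatched(events, lookup):
    """The behaviour the poster reports for ldapfilter: events with no AD entry disappear."""
    return [ev for ev in events if ev["account"] in lookup]


if __name__ == "__main__":
    ad_users = load_lookup(build_lookup_csv(LDAP_RESULTS))
    for row in enrich(parse_auth_log(AUTH_LOG), ad_users):
        print(row["ts"], row["host"], row["pattern"], row["account"],
              row["displayName"], row["department"], sep="\t")
```

Running it prints four rows; svc_backup and ghost come through with N/A in the AD columns instead of being filtered away, which is exactly the outcome the lookup-plus-fillnull pipeline on the page guarantees and a filtering join does not.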
