All Apps and Add-ons

LDAPsearch - How do I show members of a group, along with each members sAMAccountName field (not included in ldapgroup command)?

jdunlea
Contributor

How do I run a search using ldapsearch which shows all members of a group, along with each member's sAMAccountName?

Currently, using LDAPGROUP (as shown below), we are only able to receive the basic CN for each member. However, I want to see the sAMAccount name for each user.

Anybody know how?

Search:

| ldapsearch domain="default" search="(&(objectClass=group)(cn=my_group))" | ldapgroup

Results show members of the group as follows:

CN=Doe John,OU=MyGroups,OU=Americas,OU=company,DC=ad,DC=company,DC=net 

I need to see a field for sAMAccountName also, for example:

DoeJo

Or something similar to that sAMAccountName.

Anyone got any ideas?!

0 Karma
1 Solution

malmoore
Splunk Employee
Splunk Employee

Hi,

We helped user jdunlea fix his problem.

It turns out that, in his example, the group he was referencing was in a parent domain and the users were in child domains. This was confusing SA-LDAPsearch because while it does follow referrals, it does not follow continuation referrals (referrals where AD says the member data is on another server.)

The way to fix the problem is to have SA-LDAPsearch use the global catalog port (port 3268/3269). Once he queried on that port, the member data populated as desired.

I will be adding this note to a "best practices" page in the documentation.

View solution in original post

cblanton
Communicator

| ldapsearch domain="default" search="(&(objectClass=group)(cn=my_group))"
| ldapgroup
| table cn,member_dn,member_type,member_name

0 Karma

malmoore
Splunk Employee
Splunk Employee

Hi,

We helped user jdunlea fix his problem.

It turns out that, in his example, the group he was referencing was in a parent domain and the users were in child domains. This was confusing SA-LDAPsearch because while it does follow referrals, it does not follow continuation referrals (referrals where AD says the member data is on another server.)

The way to fix the problem is to have SA-LDAPsearch use the global catalog port (port 3268/3269). Once he queried on that port, the member data populated as desired.

I will be adding this note to a "best practices" page in the documentation.

mbenwell
Communicator

A few ways I could think of doing it.

If you have the commonname of the group:

| ldapsearch domain="<domain>" search=(&(objectClass=group)(cn=<groupCommonName>)) attrs="member"
| mvexpand member
| ldapfilter domain="<domain>" search=(&(objectClass=user)(distinguishedName="$member$")) attrs="sAMAccountName"

The easiest but least efficient way if you have the distinguished name for the group (Warning, this may cause excessive load on AD, Thanks Andy!):

| ldapsearch domain="<domain>" search=(&(objectClass=user)(memberOf="<GroupDN>")) attrs=sAMAccountName

AndySplunks
Communicator

I'd recommend against using memberOf for your search. You'll be pulling every account on your domain and churning through the group memberships. You're basically pulling every single account on your domain. The Active Directory team at your site will likely be extremely upset.

That second search seems to be preferred by the Active Directory admins I've talked to.

mbenwell
Communicator

Thanks for that Andy! I've edited my answer.

acharlieh
Influencer

I'll admit I haven't used SA-ldapsearch yet, but according to its docs at least the sAMAccountName should be the member_name field in the output of the ldapgroup command?

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...