All Apps and Add-ons

LDAPsearch - How do I show members of a group, along with each members sAMAccountName field (not included in ldapgroup command)?

jdunlea
Contributor

How do I run a search using ldapsearch which shows all members of a group, along with each member's sAMAccountName?

Currently, using LDAPGROUP (as shown below), we are only able to receive the basic CN for each member. However, I want to see the sAMAccount name for each user.

Anybody know how?

Search:

| ldapsearch domain="default" search="(&(objectClass=group)(cn=my_group))" | ldapgroup

Results show members of the group as follows:

CN=Doe John,OU=MyGroups,OU=Americas,OU=company,DC=ad,DC=company,DC=net 

I need to see a field for sAMAccountName also, for example:

DoeJo

Or something similar to that sAMAccountName.

Anyone got any ideas?!

0 Karma
1 Solution

malmoore
Splunk Employee
Splunk Employee

Hi,

We helped user jdunlea fix his problem.

It turns out that, in his example, the group he was referencing was in a parent domain and the users were in child domains. This was confusing SA-LDAPsearch because while it does follow referrals, it does not follow continuation referrals (referrals where AD says the member data is on another server.)

The way to fix the problem is to have SA-LDAPsearch use the global catalog port (port 3268/3269). Once he queried on that port, the member data populated as desired.

I will be adding this note to a "best practices" page in the documentation.

View solution in original post

cblanton
Communicator

| ldapsearch domain="default" search="(&(objectClass=group)(cn=my_group))"
| ldapgroup
| table cn,member_dn,member_type,member_name

0 Karma

malmoore
Splunk Employee
Splunk Employee

Hi,

We helped user jdunlea fix his problem.

It turns out that, in his example, the group he was referencing was in a parent domain and the users were in child domains. This was confusing SA-LDAPsearch because while it does follow referrals, it does not follow continuation referrals (referrals where AD says the member data is on another server.)

The way to fix the problem is to have SA-LDAPsearch use the global catalog port (port 3268/3269). Once he queried on that port, the member data populated as desired.

I will be adding this note to a "best practices" page in the documentation.

mbenwell
Communicator

A few ways I could think of doing it.

If you have the commonname of the group:

| ldapsearch domain="<domain>" search=(&(objectClass=group)(cn=<groupCommonName>)) attrs="member"
| mvexpand member
| ldapfilter domain="<domain>" search=(&(objectClass=user)(distinguishedName="$member$")) attrs="sAMAccountName"

The easiest but least efficient way if you have the distinguished name for the group (Warning, this may cause excessive load on AD, Thanks Andy!):

| ldapsearch domain="<domain>" search=(&(objectClass=user)(memberOf="<GroupDN>")) attrs=sAMAccountName

AndySplunks
Communicator

I'd recommend against using memberOf for your search. You'll be pulling every account on your domain and churning through the group memberships. You're basically pulling every single account on your domain. The Active Directory team at your site will likely be extremely upset.

That second search seems to be preferred by the Active Directory admins I've talked to.

mbenwell
Communicator

Thanks for that Andy! I've edited my answer.

acharlieh
Influencer

I'll admit I haven't used SA-ldapsearch yet, but according to its docs at least the sAMAccountName should be the member_name field in the output of the ldapgroup command?

0 Karma
Get Updates on the Splunk Community!

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

The University of Nevada, Las Vegas (UNLV) is another premier research institution helping to shape the next ...

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...