Ldapsearch not able to get member;range0-1499 in Splunk query.

raghu_vedic
Path Finder

Hi,

Please find the query:

| ldapsearch search="(&(objectCategory=group))"    attrs="member;range0-1499" | table member;range0-1499.

Note: I am not getting empty in member attribute

acharlieh
Influencer

Doing some tests myself, it seems that SA-ldapsearch doesn't properly handle attribute range retrieval with Active Directory. As @richgalloway suggests, you should file a bug report for it.

On the plus side, given that range=0-1499 is the first retrieval set, and that ldapsearch generates a JSON event, and it seems to actually retrieve the range attribute... you can use spath to extract the ranged field, and grab it:

| ldapsearch search="(cn=ReallyBigGroup)" attrs="member" | spath | table "member;range=0-1499{}"

Obviously it doesn't work for any other ranges:

| ldapsearch search="(cn=ReallyBigGroup)" attrs="member;range=1500-*" | spath

Yields:

External search command 'ldapsearch' returned error code 1. Script output = "error_message=Invalid attribute types in attrs list: member;range=1500-* "

(I'm now looking through the Python script to figure out why it can't parse the attribute range.)

EDIT: it doesn't help that the version of the ldap3 library that's packaged is really old... version 0.9.5.3, which isn't a tagged version in GitHub... 0.9.5.2 was released 4 years ago.

The first error seems to come from SA-ldapsearch/bin/packages/app/init.py:437,
but if you edit the code to bypass that, you run smack into an error from SA-ldapsearch/bin/packages/ldap3/operation/search.py:315.

This is of course looking at SA-ldapsearch v2.1.6

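The behaviour described above (the directory answering a plain `member` request with a `member;range=0-1499` chunk, and the follow-up request having to use `member;range=1500-*`) is the standard Active Directory ranged-retrieval protocol. The following Python is an added example, not code from this thread, from SA-ldapsearch or from ldap3: it shows what a correct parser of the range option has to accept (note the `=` in `range=`, which a strict RFC 4512 option grammar does not allow, and which the poster's `member;range0-1499` spelling omits) and drives the chunk loop against a constructed stand-in for the directory. The `fake_ad_search` function and the 3200 sample member DNs are constructed for the example; the 1500-value chunk size is Active Directory's default MaxValRange.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Active Directory ranged attribute description (MS-ADTS):
#   <attribute>;range=<low>-<high>   where <high> is a number or "*" (open-ended).
# RFC 4512 attribute options may contain only letters, digits and "-", so a
# parser written to that grammar rejects the "=" in "range=" outright.
_RANGED = re.compile(
    r"^(?P<attr>[A-Za-z][A-Za-z0-9-]*);range=(?P<low>\d+)-(?P<high>\d+|\*)$",
    re.IGNORECASE,
)
# Plain RFC 4512 attribute description: type plus zero or more ";option" parts.
_PLAIN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")


@dataclass(frozen=True)
class RangedAttr:
    attr: str
    low: int
    high: Optional[int]  # None stands for "*"

    @property
    def is_last_chunk(self) -> bool:
        # The server marks the final chunk by echoing "*" as the upper bound.
        return self.high is None

    def next_request(self) -> Optional[str]:
        """Attribute description for the follow-up search, or None when done."""
        if self.is_last_chunk:
            return None
        return f"{self.attr};range={self.high + 1}-*"


def parse_ranged_attr(desc: str) -> Optional[RangedAttr]:
    """Return the parsed range option, or None if desc carries no range option."""
    m = _RANGED.match(desc)
    if not m:
        return None
    high = None if m.group("high") == "*" else int(m.group("high"))
    return RangedAttr(m.group("attr"), int(m.group("low")), high)


def is_valid_attrs_entry(desc: str) -> bool:
    """Accept plain attribute descriptions as well as the AD range option."""
    return parse_ranged_attr(desc) is not None or _PLAIN.match(desc) is not None


# Constructed sample data: a group with 3200 members (hypothetical DNs).
SAMPLE_MEMBERS: List[str] = [
    f"CN=user{i},OU=Users,DC=example,DC=com" for i in range(3200)
]


def fake_ad_search(members: List[str], requested: str,
                   max_val_range: int = 1500) -> Dict[str, List[str]]:
    """Constructed stand-in for the directory: answers one search for 'member'.

    A plain 'member' request on a small group returns everything under the
    plain name; on a large group the server returns the first chunk under a
    ranged name, and every later chunk is served under the range it covers.
    """
    r = parse_ranged_attr(requested)
    if r is None and len(members) <= max_val_range:
        return {"member": list(members)}
    low = 0 if r is None else r.low
    end = min(low + max_val_range, len(members))
    if r is not None and r.high is not None:
        end = min(end, r.high + 1)
    chunk = members[low:end]
    name = f"member;range={low}-*" if end >= len(members) else f"member;range={low}-{end - 1}"
    return {name: chunk}


def fetch_all_members(search: Callable[[str], Dict[str, List[str]]],
                      attr: str = "member") -> List[str]:
    """Drive the range loop until the server echoes an open-ended range."""
    values: List[str] = []
    request = attr
    while True:
        event = search(request)
        (name, chunk), = event.items()  # exactly one attribute per answer here
        values.extend(chunk)
        r = parse_ranged_attr(name)
        if r is None or r.is_last_chunk:
            return values
        request = r.next_request()


if __name__ == "__main__":
    got = fetch_all_members(lambda q: fake_ad_search(SAMPLE_MEMBERS, q))
    print(len(got), "members retrieved")
    print("member;range=1500-* valid:", is_valid_attrs_entry("member;range=1500-*"))
```

The loop only ever sends open-ended requests (`member;range=1500-*`), which is exactly the form the thread reports SA-ldapsearch rejecting; an `attrs` validator that recognises the `range=` option (as `is_valid_attrs_entry` does) is the missing piece. The poster's `member;range0-1499` parses as a plain attribute with an unrecognised option, not as a range request, which is consistent with the "Invalid attribute" error reported later in the thread.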
logloganathan
Motivator

Could you please use this query:

| ldapsearch search="(&(objectCategory=group))" limit=1500 attrs="member" | table member

Also, please let us know if you are looking for attrs=member0 attrs=member1 ... attrs=member1499 as the range value.

richgalloway
SplunkTrust

"member;range0-1499" is not a typical Splunk field name (semicolons and hyphens are not permitted). Verify the name using the query | ldapsearch search="(&(objectCategory=group))" attrs="member;range0-1499" | table *.
Also, check the log file (SA-ldapsearch.log) to see if any errors were reported.

---
If this reply helps you, Karma would be appreciated.
raghu_vedic
Path Finder

Hi, thanks for your reply.

It is sending the error:
Invalid attribute.

But I can see member;range0-1499 in events.

richgalloway
SplunkTrust

I suspect the app can handle the member attribute, but doesn't like the range qualifier. You should probably contact Splunk support for assistance or to file a bug report.

---
If this reply helps you, Karma would be appreciated.