Ldapsearch not able to get member;range0-1499 in Splunk query.

raghu_vedic
Path Finder

Hi,

Please find the query

| ldapsearch search="(&(objectCategory=group))"    attrs="member;range0-1499" | table member;range0-1499.

Note: I am not getting empty in member attribute

acharlieh
Influencer

Doing some tests myself, it seems that SA-ldapsearch doesn't properly handle attribute range retrieval with active directory. As @richgalloway suggests you should file a bug report for it.

On the plus side, given that range=0-1499 is the first retrieval set, and that ldapsearch generates a JSON event, and it seems to actually retrieve the range attribute... you can use spath to extract the ranged field, and grab it:

| ldapsearch search="(cn=ReallyBigGroup)" attrs="member" | spath | table "member;range=0-1499{}"

Obviously it doesn't work for any other ranges:

| ldapsearch search="(cn=ReallyBigGroup)" attrs="member;range=1500-*" | spath

Yields:

External search command 'ldapsearch' returned error code 1. Script output = "error_message=Invalid attribute types in attrs list: member;range=1500-* "

(I'm now looking through the Python script to figure out why it can't parse the attribute range.)

EDIT: it doesn't help that the packaged version of the ldap3 library seems to be really old... version 0.9.5.3, which isn't a tagged version on GitHub... 0.9.5.2 was released 4 years ago.

The first error seems to come from SA-ldapsearch/bin/packages/app/init.py:437
but then if you edit the code to bypass that you run smack into an error from: SA-ldapsearch/bin/packages/ldap3/operation/search.py:315

This is of course looking at SA-ldapsearch v2.1.6

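The range-retrieval mechanics described in the post above (0-1499 is the first chunk, the next request is 1500-*, and a "*" upper bound marks the last chunk), as an added Python example that is not from this thread or from SA-ldapsearch. The `lookup` callback and `make_fake_ad` are constructed stand-ins for the real directory query; the JSON event SA-ldapsearch produces would carry the same attribute keys.

```python
import re

# Active Directory range-retrieval attribute names look like "member;range=0-1499";
# the last chunk uses "*" as its upper bound, e.g. "member;range=3000-*".
RANGE_RE = re.compile(r"^(?P<attr>[^;]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")

def parse_range(name):
    """Return (attr, lo, hi) for a ranged attribute name, hi=None for '*';
    return None for a plain attribute name such as "member"."""
    m = RANGE_RE.match(name)
    if not m:
        return None
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    return m.group("attr"), int(m.group("lo")), hi

def next_range_attr(name):
    """Name to request for the following chunk, or None once the '*' chunk arrived."""
    parsed = parse_range(name)
    if parsed is None or parsed[2] is None:
        return None
    attr, _lo, hi = parsed
    return f"{attr};range={hi + 1}-*"

def collect_all(lookup, base_attr="member"):
    """Walk every chunk of a ranged attribute. `lookup(attr_name)` is a
    hypothetical stand-in for one directory query returning the entry's
    attributes as a dict keyed by attribute name."""
    values, requested = [], base_attr
    while requested is not None:
        entry = lookup(requested)
        ranged = [k for k in entry if k.startswith(base_attr + ";range=")]
        if not ranged:  # small group: the server returned no range qualifier at all
            return values + list(entry.get(base_attr, []))
        values.extend(entry[ranged[0]])
        requested = next_range_attr(ranged[0])
    return values

def make_fake_ad(members, page=1500):
    """Constructed server stand-in that hands out `members` in chunks of `page`."""
    def lookup(attr_name):
        parsed = parse_range(attr_name)
        if parsed is None and len(members) <= page:
            return {"member": list(members)}
        lo = parsed[1] if parsed else 0
        hi = min(lo + page - 1, len(members) - 1)
        label = "*" if hi == len(members) - 1 else str(hi)
        return {f"member;range={lo}-{label}": members[lo:hi + 1]}
    return lookup

# Constructed sample: a 3100-member group arrives as 0-1499, 1500-2999 and 3000-*.
BIG_GROUP = [f"CN=user{i},OU=People,DC=example,DC=com" for i in range(3100)]
```
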
logloganathan
Motivator

Could you please use this query

| ldapsearch search="(&(objectCategory=group))" limit=1500 attrs="member" | table member

Also, please let us know if you are looking for attrs=member0 attrs=member1............attrs=member1499 as range values.

richgalloway
SplunkTrust

"member;range0-1499" is not a typical Splunk field name (semicolons and hyphens are not permitted). Verify the name using the query | ldapsearch search="(&(objectCategory=group))" attrs="member;range0-1499" | table *.
Also, check the log file (SA-ldapsearch.log) to see if any errors were reported.

---
If this reply helps you, Karma would be appreciated.

raghu_vedic
Path Finder

Hi, thanks for your reply.

It is sending an error: Invalid attribute.

But I can see member;range0-1499 in events.

richgalloway
SplunkTrust

I suspect the app can handle the member attribute, but doesn't like the range qualifier. You should probably contact Splunk support for assistance or to file a bug report.

---
If this reply helps you, Karma would be appreciated.