Splunk Support for Active Directory: How to search multiple basedns with ldapsearch?

lbogle
Contributor

Hello Splunkers,

I am working to build an LDAP search to list out all machines within a basedn. The problem is that the machines are spread out within multiple basedn=paths and not necessarily in a hierarchical order. I am finding that I need to specify exact statements to locate the systems.
I am able to query successfully within one DN but I am not yet able to specify multiple paths to look in for hostnames.

| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W8_ET_UnblockAllowed,OU=Winx,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" | table cn 

The search above returns results, but when I try and add another basedn, the search just stalls out.

| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W8_et_UnblockAllowed,OU=Win8,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" AND basedn="OU=W7_te_UnblockAllowed,OU=Win7,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" | table cn

What am I missing?
Thanks,
Lindsay

acharlieh
Influencer

Since ldapsearch by default does a subtree search you could just use basedn="OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" since that would cover both of the subtrees.

Also, just dealing with LDAP, your search can be simplified slightly to (&(objectClass=user)(objectClass=computer))

If you're wanting two subtrees but not others, you might be able to have a search filter that does some matching against the dn; offhand I think that'd look something like (&(objectClass=user)(objectClass=computer)(dn=*,OU=*_UnblockAllowed,*)), but I'd want to try it out in an LDAP GUI like Apache Directory Studio. EDIT: apparently wildcards in filters against DNs do not work, at least with Active Directory: https://msdn.microsoft.com/en-us/library/ms684431(v=vs.85).aspx

Putting it all together, would this work?

| ldapsearch search="(&(objectClass=user)(objectClass=computer))" attrs="cn,objectCategory" basedn="OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" | table cn 
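The answer above rests on two facts about subtree searches: a search scoped at a common parent OU covers every OU beneath it, and Active Directory compares DN components case-insensitively (which is why the `W8_ET` / `W8_et` spelling difference in the question does not matter). The following is an added, stand-alone Python example that is not part of this thread or of the Splunk add-on: it computes the deepest common parent of the two base DNs posted in the question, checks whether a given entry lies under a base (what subtree scope means), and builds the simplified AND filter with RFC 4515 escaping so that values taken from user input cannot change the filter's structure. The DNs are the ones from the question; the hostname `host1` is a constructed sample value.

```python
"""Helpers for reasoning about LDAP base DNs and search filters.

Added example for the Splunk Community thread above; pure standard library.
Assumes RFC 4514 DN syntax without multi-valued RDNs (a+b) and AD-style
case-insensitive matching of DN components.
"""
import re
from typing import Iterable, List, Tuple

# Base DNs copied from the question (test input for this example).
BASE_DNS = [
    "OU=W8_et_UnblockAllowed,OU=Win8,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com",
    "OU=W7_te_UnblockAllowed,OU=Win7,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com",
]

_RDN_RE = re.compile(r"^((?:[^=\\]|\\.)+)=(.*)$")


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (type, value) pairs, leaf first, honouring
    backslash-escaped commas and equals signs (RFC 4514)."""
    rdns: List[str] = []
    buf: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        m = _RDN_RE.match(rdn.strip())
        if not m:
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((m.group(1).strip(), m.group(2).strip()))
    return pairs


def _norm(pair: Tuple[str, str]) -> Tuple[str, str]:
    # AD matches attribute types and directory-string values case-insensitively.
    return (pair[0].lower(), pair[1].lower())


def common_base_dn(dns: Iterable[str]) -> str:
    """Return the deepest DN that is an ancestor-or-self of every input DN.

    One subtree-scoped search from this DN covers all of the inputs."""
    parsed = [split_dn(d) for d in dns]
    if not parsed:
        raise ValueError("no DNs given")
    common: List[Tuple[str, str]] = []
    # Walk from the root (last RDN) towards the leaves while all DNs agree.
    for components in zip(*(reversed(p) for p in parsed)):
        if len({_norm(c) for c in components}) != 1:
            break
        common.append(components[0])  # keep the spelling used by the first DN
    if not common:
        raise ValueError("DNs share no common suffix (different naming contexts)")
    return ",".join(f"{t}={v}" for t, v in reversed(common))


def is_under(dn: str, base: str) -> bool:
    """True if dn is base itself or lies anywhere below it (subtree scope)."""
    d = [_norm(p) for p in split_dn(dn)]
    b = [_norm(p) for p in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter, so that
    '*', '(', ')' or '\\' in untrusted input cannot alter the filter."""
    out = []
    for ch in value:
        if ch in "*()\\" or ord(ch) < 0x20:
            out.extend(f"\\{b:02x}" for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def and_filter(*clauses: Tuple[str, str]) -> str:
    """Build a flat (&(a=v)(b=w)) filter; the simplified form of the question's
    nested (&(objectClass=user)(&(objectClass=computer)))."""
    parts = "".join(f"({a}={escape_filter_value(v)})" for a, v in clauses)
    return f"(&{parts})"


if __name__ == "__main__":
    base = common_base_dn(BASE_DNS)
    print("basedn:", base)
    print("filter:", and_filter(("objectClass", "user"), ("objectClass", "computer")))
    sample = "CN=host1," + BASE_DNS[0]  # constructed sample entry
    print("sample under base:", is_under(sample, base))
```

The `common_base_dn` result is exactly the `OU=Workstations,OU=Machines,...` base suggested above; `is_under` also shows why adding a third OU such as `OU=Servers,OU=Machines,...` would fall outside that scope and require widening the base (or a second search).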

bmacias84
Champion

I am not too familiar with the ldapsearch command, but you could try running a subsearch or the multisearch command

| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W8_et_UnblockAllowed,OU=Win8,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" | append [| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W7_te_UnblockAllowed,OU=Win7,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" ] | table cn

OR

| multisearch [| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W8_et_UnblockAllowed,OU=Win8,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" ] [| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W7_te_UnblockAllowed,OU=Win7,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" ] | table cn

Those should work. The difference between the two is that multisearch runs the searches simultaneously, while the first is a subsearch, which runs serially.

Hope this helps. Don't forget to accept an answer to help others with similar questions.
