Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- All Apps and Add-ons
- :
- Splunk Support for Active Directory: How to search...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk Support for Active Directory: How to search multiple basedns with ldapsearch?
Hello Splunkers,
I am working to build an LDAP search to list out all machines within a basedn. The problem is that the machines are spread out within multiple basedn=paths and not necessarily in a hierarchical order. I am finding that I need to specify exact statements to locate the systems.
I am able to query successfully within one DN but I am not yet able to specify multiple paths to look in for hostnames.
| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W8_ET_UnblockAllowed,OU=Winx,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" | table cn
The search above returns results, but when I try and add another basedn, the search just stalls out.
| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W8_et_UnblockAllowed,OU=Win8,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" AND basedn="OU=W7_te_UnblockAllowed,OU=Win7,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" | table cn
What am I missing?
Thanks,
Lindsay
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Since ldapsearch by default does a subtree search you could just use basedn="OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" since that would cover both of the subtrees.
Also just dealing with LDAP your search can be simplified slightly to (&(objectClass=user)(objectClass=computer))
If you're wanting two subtrees but not others, you might be able to have a search filter that does some matching against the dn, offhand I think that'd look something like - EDIT: apparently wildcards in filters against DNs do not work at least with Active Directory: https://msdn.microsoft.com/en-us/library/ms684431(v=vs.85).aspx(&(objectClass=user)(objectClass=computer)(dn=*,OU=*_UnblockAllowed,*)) but I'd want to try it out in a LDAP GUI like Apache Directory Studio
Putting it all together, would this work?
| ldapsearch search="(&(objectClass=user)(objectClass=computer))" attrs="cn,objectCategory" basedn="OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" | table cn
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not too familiar with the ldap search command, but you could try running a sub search or the mulitsearch command
| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W8_et_UnblockAllowed,OU=Win8,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" | append [ search | ldapsearch | basedn="OU=W7_te_UnblockAllowed,OU=Win7,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" ]| table cn
OR
| multisearch [search | ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W8_et_UnblockAllowed,OU=Win8,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" ] [ search | ldapsearch | basedn="OU=W7_te_UnblockAllowed,OU=Win7,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" ]| table cn
Those should work the difference between these two search is that multiple search simultaneously and the first is a sub search which run serially.
Hop this helps. Dont forget to accept answer to help with with similar questions.
Enter the Agentic Era with Splunk AI Assistant for SPL 1.4
Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...
Accelerating Observability as Code with the Splunk AI Assistant
