Splunk Support for Active Directory: Why does my search return results when specific sAMAccountName is given but not when removed?

ryandg
Communicator

I am trying to pull a list of all users yet when I run:

|ldapsearch domain=BLAH search="(objectClass=user)" attrs="sAMAccountName,givenName" 

it fails.

But if I run:

|ldapsearch domain=BLAH search="(&(objectClass=user)(sAMAccountName=user123))" attrs="sAMAccountName,givenName" 

It succeeds. Is there a timeout specification I need to add or something? The first query just says "no results" and says nothing
about any errors.

Any ideas?

0 Karma

javiergn
SplunkTrust

Hi,

I can't explain why your first query doesn't work. It does work fine for me when I use exactly the same syntax.
What about the following alternative that filters out computers from the results and should provide you with the same functionality you are looking for?

| ldapsearch domain=BLAH search="(&(objectclass=user)(!(objectClass=computer)))" attrs="sAMAccountName,givenName"

Thanks,
J

0 Karma

ryandg
Communicator

This does the same thing as just objectClass unfortunately 😞

0 Karma

javiergn
SplunkTrust

What about limiting the number of accounts?

|ldapsearch domain=BLAH search="(objectClass=user)" limit=100 attrs="sAMAccountName,givenName" 

It might be timing out as you said

0 Karma

ryandg
Communicator

Yup -- that caused it to return results. However, now how do I change it so that it doesn't timeout on the larger query? Is the timeout something on the app side or is that on the domain controller side? It's strange because it used to run for ~hour without timing out and would return the tens of thousands of users I need it to but now it seems to just time out.

0 Karma

javiergn
SplunkTrust

See if the following helps: https://answers.splunk.com/answers/329748/how-do-i-improve-ldapsearch-performance.html

If your query takes 1 hour or more I would try some alternatives anyway:

  • See if you can be more specific in your LDAP search filter. Maybe you can specify a base DN or filter out expired or disabled accounts, do not return object types you don't need such as computer or group, etc.
  • Connect to a different domain controller and see if that helps.
  • If you don't mind not having real-time LDAP reporting, I did use the following in the past and it works great:
    1. Schedule a scripted input that runs a PowerShell job every day (or whichever frequency you want) to export all your AD users and attributes into a CSV.
    2. Create a CSV lookup in Splunk that uses the Users.csv created above.
    3. Stop using ldapsearch and enjoy your newer and faster (but not real-time) lookup.
0 Karma
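An added example of the export script the last answer describes, not code from the thread or from the Splunk add-on: a PowerShell job that pulls enabled user accounts out of AD and publishes them as a CSV lookup. It also applies the filtering suggested in the same answer (a search base, no computer objects, no disabled accounts), and the LDAP filter string it uses can be dropped straight into `| ldapsearch search="..."` if you stay with ldapsearch. The server name, search base and output path are assumptions for an example domain and must be changed; the `ActiveDirectory` module (RSAT) is required.

```powershell
# Added example, not code from the thread or the Splunk add-on for AD.
# Exports enabled user accounts from Active Directory to a CSV that Splunk can
# read with inputlookup. Requires the ActiveDirectory PowerShell module (RSAT).
# Assumptions (change for your environment): $Server, $SearchBase, $OutFile.
Import-Module ActiveDirectory

$Server     = 'dc01.example.local'     # assumption: a nearby domain controller
$SearchBase = 'DC=example,DC=local'    # assumption: narrow this to an OU if you can
$OutFile    = 'C:\Program Files\Splunk\etc\apps\search\lookups\Users.csv'  # assumption
$TempFile   = "$OutFile.tmp"

# LDAP filter: person/user objects only (computer objects are also objectClass=user),
# excluding disabled accounts via the ACCOUNTDISABLE bit (0x2) of userAccountControl.
# The same filter works unchanged in | ldapsearch search="..." if you keep using it.
$LdapFilter = '(&(objectCategory=person)(objectClass=user)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$Attrs = 'sAMAccountName', 'givenName', 'sn', 'mail', 'whenCreated', 'lastLogonTimestamp'

$params = @{
    Server         = $Server
    SearchBase     = $SearchBase
    LDAPFilter     = $LdapFilter
    Properties     = $Attrs
    ResultPageSize = 1000   # paged results so tens of thousands of users do not hit a size limit
}

$rows = Get-ADUser @params |
    Select-Object sAMAccountName, givenName, sn, mail, whenCreated,
        @{ Name = 'lastLogon'; Expression = {
            # lastLogonTimestamp is a Windows FILETIME; convert it to a readable date
            if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) }
        } }

# Sanity check: an empty export (DC unreachable, wrong base DN) would silently wipe
# the lookup that searches depend on, so refuse to publish it and leave the old file.
if (-not $rows -or @($rows).Count -eq 0) {
    Write-Error "AD export returned no users; leaving existing $OutFile untouched"
    exit 1
}

# Write to a temp file first, then swap it in, so Splunk never reads a half-written CSV.
$rows | Export-Csv -Path $TempFile -NoTypeInformation -Encoding UTF8
Move-Item -Path $TempFile -Destination $OutFile -Force

Write-Output ("Exported {0} users to {1}" -f @($rows).Count, $OutFile)
```

Run it from Task Scheduler or as a Splunk scripted input on the chosen schedule, under an account that can read the directory and write to the lookups directory. Once the file is in place, `| inputlookup Users.csv` returns the user list instantly, and the `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` clause alone will usually cut the result set noticeably if you still need a live `ldapsearch` for some reports.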