
Splunk Support for Active Directory: Why does my search return results when specific sAMAccountName is given but not when removed?

Communicator

I am trying to pull a list of all users yet when I run:

|ldapsearch domain=BLAH search="(objectClass=user)" attrs="sAMAccountName,givenName" 

it fails.

But if I run:

|ldapsearch domain=BLAH search="(&(objectClass=user)(sAMAccountName=user123))" attrs="sAMAccountName,givenName" 

It succeeds. Is there a timeout specification I need to add or something? The first query just says "no results" and says nothing about any errors.

Any ideas?

0 Karma

SplunkTrust

Hi,

I can't explain why your first query doesn't work. It does work fine for me when I use exactly the same syntax.
What about the following alternative that filters out computers from the results and should provide you with the same functionality you are looking for?

| ldapsearch domain=BLAH search="(&(objectclass=user)(!(objectClass=computer)))" attrs="sAMAccountName,givenName"

Thanks,
J

0 Karma

Communicator

This does the same thing as just objectClass unfortunately 😞

0 Karma

SplunkTrust

What about limiting the number of accounts?

|ldapsearch domain=BLAH search="(objectClass=user)" limit=100 attrs="sAMAccountName,givenName" 

It might be timing out as you said

0 Karma

Communicator

Yup -- that caused it to return results. However, now how do I change it so that it doesn't timeout on the larger query? Is the timeout something on the app side or is that on the domain controller side? It's strange because it used to run for ~hour without timing out and would return the tens of thousands of users I need it to but now it seems to just time out.

0 Karma

SplunkTrust

See if the following helps: https://answers.splunk.com/answers/329748/how-do-i-improve-ldapsearch-performance.html

If your query takes 1 hour or more I would try some alternatives anyway:

  • See if you can be more specific in your ldap search filter. Maybe you can specify a base DN or filter out expired or disabled accounts, do not return object types you don't need such as computer or group, etc.
  • Connect to a different domain controller and see if that helps.
  • If you don't mind not having real-time ldap reporting, I have used the following in the past and it works great:
    1. Schedule a scripted input that runs a PowerShell job every day (or whichever frequency you want) to export all your AD users and attributes into a csv
    2. Create a CSV lookup in Splunk that uses the Users.csv created above
    3. Stop using ldapsearch and enjoy your newer and faster (but not real-time) lookup
0 Karma
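The export step of the scheduled-CSV approach described in the answer above, written out as an added example (this is not code from the thread or from the Splunk Support for Active Directory app). It assumes the ActiveDirectory PowerShell module (RSAT) is installed on the host running the scripted input; the base DN, domain controller name and output path are placeholders. It also applies the answer's first suggestion by narrowing the LDAP filter: objectCategory=person with objectClass=user keeps only real user accounts (computers and contacts are excluded), and the bitwise matching rule on userAccountControl skips disabled accounts so they never reach the lookup.

```powershell
# Added example, not from the thread: export enabled AD user accounts to a CSV
# that Splunk can consume as a lookup, instead of running ldapsearch live.
# Requires the ActiveDirectory module (RSAT). Values below are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=Users,DC=example,DC=com'   # placeholder: narrow the base DN
$Server     = 'dc01.example.com'            # placeholder: pin a specific DC
$OutFile    = 'C:\SplunkLookups\Users.csv'  # placeholder: CSV lookup source

# LDAP filter: user objects only (objectCategory=person excludes computers,
# objectClass=user excludes contacts) and no disabled accounts. The OID
# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule; bit 0x2 of
# userAccountControl is ACCOUNTDISABLE.
$Filter = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

# Paged retrieval (1000 per page) keeps a tens-of-thousands-of-users export
# from tripping the server-side result limits that a single large query can.
$users = Get-ADUser -LDAPFilter $Filter `
                    -SearchBase $SearchBase `
                    -Server $Server `
                    -ResultPageSize 1000 `
                    -Properties givenName, sn, mail, lastLogonTimestamp

$users |
    Select-Object sAMAccountName, givenName, sn, mail, distinguishedName,
        @{ Name = 'lastLogon'
           Expression = {
               # lastLogonTimestamp is a Windows FILETIME; convert to ISO 8601
               if ($_.lastLogonTimestamp) {
                   [DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('o')
               }
           } } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

Write-Output ("Exported {0} users to {1}" -f @($users).Count, $OutFile)
```

Schedule this as a Splunk scripted input or a Windows scheduled task writing into the app's lookups directory, then define the CSV lookup so searches that previously piped through ldapsearch can use `| inputlookup Users.csv` (or an automatic lookup on sAMAccountName) instead. The CSV is only as current as the last run, which is the trade-off the answer points out.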