I am trying to pull a list of all users yet when I run:
|ldapsearch domain=BLAH search="(objectClass=user)" attrs="sAMAccountName,givenName"
But if I run:
|ldapsearch domain=BLAH search="(&(objectClass=user)(sAMAccountName=user123))" attrs="sAMAccountName,givenName"
It succeeds. Is there a timeout specification I need to add or something? The first query just says "no results" and says nothing
about any errors.
I can't explain why your first query doesn't work. It does work fine for me when I use exactly the same syntax.
What about the following alternative that filters out computers from the results and should provide you with the same functionality you are looking for?
| ldapsearch domain=BLAH search="(&(objectclass=user)(!(objectClass=computer)))" attrs="sAMAccountName,givenName"
Yup -- that caused it to return results. However, now how do I change it so that it doesn't timeout on the larger query? Is the timeout something on the app side or is that on the domain controller side? It's strange because it used to run for ~hour without timing out and would return the tens of thousands of users I need it to but now it seems to just time out.
See if the following helps: https://answers.splunk.com/answers/329748/how-do-i-improve-ldapsearch-performance.html
If your query takes 1 hour o more I would try some alternatives anyway: