All Apps and Add-ons

inputlookup in an ldapsearch

Ed_Alias
Path Finder

Hi, i want to list members of a group and then list their groups in active directory,

for that i have a lookup with all users, i request and format my list so it is nice for the ldap search :

|inputlookup Domaine_LOL | search memberOf=*team_1* | table sAMAccountName | format "|" "(" "(" ")" " " ")"

then i make my ldapsearch, the "static" version is as follow :

| ldapsearch search="(&(objectClass=user)(|(cn=*user1*)(cn=*user2*)(cn=*user3*))(!(objectClass=computer)))" 

    |ldapfetch dn=memberOf attrs="cn,description"
    |table sAMAccountName,cn,description
    |rename sAMAccountName as nom
      | sort + nom

so the automated version should be

| ldapsearch search="(&(objectClass=user)([ |inputlookup Domaine_LOL | search memberOf=*team_1* | table sAMAccountName | format "|" "(" "(" ")" " " ")"])(!(objectClass=computer)))" 

    |ldapfetch dn=memberOf attrs="cn,description"
    |table sAMAccountName,cn,description
    |rename sAMAccountName as nom
      | sort + nom

the problem is i get this error :

Error in 'SearchParser': Missing a search command before '"'. Error at position '131' of search query '|ldapsearch search="(&(objectClass=user)(|[ |inpu...{snipped} {errorcontext = format "|" "(" "(" "}'.

like splunk is waiting a search cmd in order to do an inputlook inside and ldapsearch ..

any way around ?

Thanks.

0 Karma
1 Solution

woodcock
Esteemed Legend

You need to escape the double-quotes with backslash ( \) like this:

| ldapsearch search="(&(objectClass=user)([ |inputlookup Domaine_LOL | search memberOf=*team_1* | table sAMAccountName | format \"|\" \"(\" \"(\" \")\" \" \" \")\"])(!(objectClass=computer)))"

View solution in original post

0 Karma

woodcock
Esteemed Legend

You need to escape the double-quotes with backslash ( \) like this:

| ldapsearch search="(&(objectClass=user)([ |inputlookup Domaine_LOL | search memberOf=*team_1* | table sAMAccountName | format \"|\" \"(\" \"(\" \")\" \" \" \")\"])(!(objectClass=computer)))"
0 Karma

Ed_Alias
Path Finder

Hi, you were right the escape did things better, so request is now interprated but i still get a "bad filter" Error.

i finally found i was wrong on the way i do my request, i found a much easyer way to achieve what i need with ldapfetch !

i ldapsearch the users members of the group i need and then lists their group memberships, ldapfetch then go get cn and description of groups, muuuch better 🙂

| ldapsearch domain="default" search="(&(objectClass=user)(cn=*))" attrs="sAMAccountName,mail,memberOf"
| search memberOf="CN=Team_1,OU=Groupes,OU=...,OU=....,OU=Users,DC=domain,DC=com" 
|mvexpand memberOf |ldapfetch dn=memberOf attrs="cn,description"
| table sAMAccountName mail cn description
| rename sAMAccountName  AS user
| rename cn AS group_name

thanks for your help 🙂

0 Karma

woodcock
Esteemed Legend

Be sure to click Accept on the answer to close the question.

0 Karma

gcusello
Legend

there is a pipe before the square parentheses .
Bye.
Giuseppe

0 Karma

Ed_Alias
Path Finder

hi,

thanks i did a bad copy in my post, but it doesnt solve the problem.

(i do reinject this needed pipe with the format cmd inside the subsearch)

0 Karma
Get Updates on the Splunk Community!

This Week's Community Digest - Splunk Community Happenings [9.26.22]

Get the latest news and updates from the Splunk Community here! Upcoming User Group Events! 👏 Check ...

BSides Splunk 2022 - The Call for Papers is now Open!

TLDR; Main Site: https://bsidessplunk.com CFP Site: https://bsidessplunk.com/cfp CFP Opens: December 15th, ...

Sending Metrics to Splunk Enterprise With the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...