ldapsearch is not parsing info back from AD well

eric_budke
Path Finder

Trying the latest (2.0.1) on 6.2.1. Takes incredibly long compared to an old version and it isn't parsing itself well.
i.e. Returned fields on
|ldapsearch domain=nb.com search="(&(objectclass=user)(!(objectClass=computer)))"
|search sAMAccountName=someusername
|table *
accountExpires cn codePage countryCode dSCorePropagationData description displayName distinguishedName extensionAttribute15 givenName host instanceType lastLogonTimestamp name objectCategory objectClass objectGUID objectSid primaryGroupID pwdLastSet sAMAccountName sAMAccountType uSNChanged uSNCreated userAccountControl userPrincipalName whenChanged whenCreated _raw _time

vs. old version, same query on same machine... and I removed a whole bunch. Also returns in ~1 minute compared to 15+ for the newer version.

accountExpires adminCount altRecipient altRecipientBL assistant authOrig authOrigBL badPasswordTime badPwdCount businessCategory c cn co codePage company countryCode dSCorePropagationData deletedItemFlags delivContLength deliverAndRedirect department description directReports displayName displayNamePrintable distinguishedName dn employeeID extensionAttribute1 extensionAttribute10 extensionAttribute11 extensionAttribute12 extensionAttribute13 extensionAttribute14 extensionAttribute15 extensionAttribute2 extensionAttribute3 extensionAttribute4 extensionAttribute5 extensionAttribute6 extensionAttribute7 extensionAttribute9 facsimileTelephoneNumber garbageCollPeriod givenName homeDirectory homeDrive homeMDB homeMTA homePhone host info initials instanceType internetEncoding lastKnownParent lastLogoff lastLogon lastLogonTimestamp legacyExchangeDN lockoutTime logonCount logonHours mail mailNickname managedObjects manager memberOf mobile msNPAllowDialin msRTCSIP-DeploymentLocator msRTCSIP-FederationEnabled msRTCSIP-InternetAccessEnabled msRTCSIP-Line msRTCSIP-LineServer msRTCSIP-OptionFlags msRTCSIP-OriginatorSid msRTCSIP-PrimaryHomeServer msRTCSIP-PrimaryUserAddress msRTCSIP-UserEnabled msRTCSIP-UserPolicies msRTCSIP-UserPolicy msTSExpireDate msTSLicenseVersion msTSManagingLS name objectCategory objectClass objectGUID objectSid otherMobile otherTelephone pager personalTitle physicalDeliveryOfficeName pwdLastSet sAMAccountName sAMAccountType scriptPath securityProtocol servicePrincipalName showInAddressBook showInAdvancedViewOnly sn source sourcetype st streetAddress submissionContLength telephoneNumber thumbnailPhoto title uSNChanged uSNCreated userAccountControl userCertificate userParameters userPassword userPrincipalName userWorkstations wWWHomePage whenChanged whenCreated _raw _time

0 Karma

wyodoc1
Explorer

We found that unless you configure default to be your domain, searches took forever, once we set default to our domain.
Splunk are Linux guys and sometimes forget that us Windows guys assume domain name means domain name, not in this case.

Where it says domain name=default, that's just a label. Leave domain name = default, your domain name goes in alternative domain name.
Previously, even with some other label configured and tested to point to our domain, the search would take 15-20 minutes. Once changed, much less than 1 minute for large searches.

0 Karma

dhorn
Path Finder

While I don't have an answer to your issue, I'd like to share that I am also experiencing the exact same issues.

I recently deployed Splunk 6.2.1 for a new customer, and with using the 2.0.1 version of SA-ldapsearch I am having issues pulling certain attributes from AD user objects. In this specific case, I need SA-ldapsearch to generate an automated lookup for the Identities table for Splunk ES.

After much time and trouble, I have decided just to remove 2.0.1 and install 1.1.13.

0 Karma