All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

ldapsearch not getting all key/properties/fields from AD

bohrasaurabh
Communicator
‎10-01-2015 08:11 AM

In our environment when we run the powershell command to get a user's properties on AD server by running the below command we get 168 keys/properties/fields

Get-ADUser <username> -Properties *

However when I use ldapsearch command from Splunk for the same user I only get 83 properties.
| ldapsearch domain=mydomain search="(&(objectClass=user)(sAMAccountName=username))"

Some of the properties which are missing and we are interested are accountExpires, badPwdCount, scriptPath which are mentioned in the below question.

http://answers.splunk.com/answers/206725/ldapsearch-is-not-parsing-info-back-from-ad-well.html

I am seeing the above scenario on both (1.1.13 and 2.1.1) release of SA-ldapsearch. Am I missing some configuration which will fetch the missing properties?

0 Karma
Reply

lmaclean
Path Finder
‎01-03-2018 07:53 PM

Hi Kozanic,

Not sure why it only returns some results if doing just a basic search but if the attribute is in the LDAP schema then ldapsearch will pick it up, you just need to place the extra fields into a table output

e.g.

| table sAMAccountName, personalTitle, displayName, ..., pwdLastSet, badPasswordTime, badPwdCount, logonCount, etc....
0 Karma
Reply

Kozanic
Path Finder
‎01-03-2018 09:06 PM

Thanks.

I actually found that the port you use to query on also affects the number of attributes returned.

I think the default returns less - but is slightly faster. I have updated to use port 389 which seems to return a lot more - but does take a little longer.

Reply

Kozanic
Path Finder
‎01-01-2018 07:15 PM

Hi bohrasaurabh,

Just wondering if you ever figured this one out?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...