Splunk Enterprise Security

How to properly escape a DN (with commas) for ldapsearch?

Lowell
Super Champion

I'm trying to make ldapfilter augment my results. I have a DN that I'm trying to resolve to an account name (sAMAccountName). I've simplified my search down to isolate the problem:

* | head 1 | eval x="CN=Doe\, John,OU=Dept,DC=domain,DC=com" | table x | ldapfilter domain=domain.com search="(dn=$x$)" attrs="sAMAccountName"

When I run this, I get the following errors:

ERROR: com.unboundid.ldap.sdk.LDAPException: Invalid hex character ',' encountered at position 11.
External search command 'ldapfilter' returned error code 1. Script output = "x,sAMAccountName,__mv_sAMAccountName,dn "

This works if I do a lookup on other attributes. Do I have to escape or sanitize values before I pass them into ldapfilter?

Notes:

I'm using ldapsearch 1.1.3 (because 2.0.0 is still too buggy).

My actual use-case is building an identity list for ES using Active Directory. I've started with the example search provided in the docs.
According to the docs the "manageBy" field should be the user name of the manager, but the "manager" attribute contains the DN of the manager not the sAMAccountName.

0 Karma

ccone
New Member

Little late to the party here but I was experiencing the same issue and found a workaround. This might have been updated in newer versions of the ldapfilter, so I'm not sure if this is relevant anymore.

In this case, the issue seems to arise from "\" needing to be escaped - as you've alluded to. "(" and ")" within the DN can also cause the same issue.

I did a few evals to just replace those characters with their LDAP escape character equivalents. More info on escaping LDAP characters can be found here.

So in your case, I think it'd look something like the following:

 * | head 1 | eval x="CN=Doe\, John,OU=Dept,DC=domain,DC=com"
| eval removeBackS = replace(x,"\\\\","\5c") 
| eval removeOpPer = replace(removeBackS,"\\(", "\28") 
| eval removeClPer = replace(removeOpPer,"\\)", "\29")
| rename removeClPer as final
| ldapfilter domain=domain.com search="(distinguishedName=$final$)" attrs="sAMAccountName"

This will make your DN string look somewhat weird ("CN=Doe\5c, John,OU=Dept,DC=domain,DC=com") but should resolve in the LDAP filter.

Hopefully this will help someone out in the future!

0 Karma
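The three replacements in the answer above are a hand-rolled subset of RFC 4515 filter-value escaping. The DN itself already carries RFC 4514 escaping (the backslash before the comma marks the comma as part of the CN), and when that DN is dropped into a filter a second layer applies: the backslash, `*`, `(`, `)` and NUL must each become a backslash plus two hex digits, which is why `Doe\,` has to arrive at the server as `Doe\5c,`. The following Python is an added example, not code from this thread or from Splunk; the DN is a constructed sample modelled on the one in the question and `distinguishedName` is the attribute used in the answer. It generalises the replacements to the full rule and includes the strictness check that produces the "Invalid hex character" rejection seen in the question:

```python
"""RFC 4515 escaping of a DN used as an LDAP filter assertion value.

Added example, not code from the thread or from Splunk. It generalises the
three replace() calls in the answer above to the full RFC 4515 rule and
shows why the unescaped DN from the question is rejected by a strict parser.
"""

# Characters RFC 4515 section 3 requires to be written as \XX (hex octet).
RFC4515_SPECIAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample DN modelled on the question. The backslash is RFC 4514
# DN escaping: the comma belongs to the CN value, not to the DN syntax.
SAMPLE_DN = "CN=Doe\\, John,OU=Dept,DC=domain,DC=com"

HEX_DIGITS = set("0123456789abcdefABCDEF")


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter.

    Every RFC 4515 special character, and every control or non-ASCII octet,
    becomes a backslash followed by two hex digits. The DN-level escape in
    'Doe\\,' is kept and its backslash is escaped once more, giving
    'Doe\\5c,' at the filter layer. Escaping '*' and ')' as well is what
    stops a caller-supplied value from turning into an LDAP injection.
    """
    out = []
    for ch in value:
        if ch in RFC4515_SPECIAL:
            out.append(RFC4515_SPECIAL[ch])
        elif ch < " " or ch > "~":
            # Non-ASCII text (umlauts etc.) is emitted as its UTF-8 octets.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_equality_filter(attribute: str, value: str) -> str:
    """Return '(attribute=value)' with the value escaped for the filter layer."""
    return f"({attribute}={escape_filter_value(value)})"


def find_invalid_escape(value: str):
    """Return the index of the first character a strict filter parser rejects,
    or None if the assertion value is well formed.

    A backslash must be followed by exactly two hex digits. This is the check
    behind the 'Invalid hex character' error in the question; the position is
    reported relative to the assertion value rather than the whole filter.
    """
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            for j in (i + 1, i + 2):
                if j >= len(value) or value[j] not in HEX_DIGITS:
                    return j if j < len(value) else i
            i += 3
        elif ch in "*()\x00":
            return i
        else:
            i += 1
    return None


def unescape_filter_value(value: str) -> str:
    """Decode \\XX sequences back into the octets the server compares against
    the stored attribute (the RFC 4514 DN, with its own backslash intact)."""
    bad = find_invalid_escape(value)
    if bad is not None:
        raise ValueError(f"invalid escape at position {bad}: {value[bad]!r}")
    raw = bytearray()
    i = 0
    while i < len(value):
        if value[i] == "\\":
            raw.append(int(value[i + 1:i + 3], 16))
            i += 3
        else:
            raw.extend(value[i].encode("utf-8"))
            i += 1
    return raw.decode("utf-8")


if __name__ == "__main__":
    # The unescaped DN fails at the comma right after the backslash.
    print(find_invalid_escape(SAMPLE_DN))
    print(build_equality_filter("distinguishedName", SAMPLE_DN))
    print(escape_filter_value("Smith (Bob)*"))
    # Escaping then decoding returns the DN exactly as AD stores it.
    print(unescape_filter_value(escape_filter_value(SAMPLE_DN)) == SAMPLE_DN)
```

The round trip at the end is the point to keep in mind when debugging: the server decodes the `\5c` back into a single backslash and compares `CN=Doe\, John,...` against the stored `distinguishedName`, so the "weird looking" filter string in the answer is the correct one. If the DN is taken from an earlier search result rather than typed in, run it through the same escaping before interpolating it into the next filter.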

rmarcum
Explorer

When setting up the App using the Configuration GUI for "Splunk for Active Directory Support", v2.1.2, I find that the backslash escaping a comma within CN text works perfectly in the Bind DN string for authentication. A little off the focus of the question, but related to syntax solutions in general Splunk and this App.

0 Karma

woodcock
Esteemed Legend

I am having this same problem; did you ever figure out how to make it work?

0 Karma