Splunk Enterprise Security

How to properly escape a DN (with commas) for ldapsearch?

Super Champion

I'm trying to make ldapfilter augment my results. I have a DN that I'm trying to resolve to an account name (sAMAccountName). I've simplified by search down to isolate the problem:

* | head 1 | eval x="CN=Doe\, John,OU=Dept,DC=domain,DC=com" | table x | ldapfilter domain=domain.com search="(dn=$x$)" attrs="sAMAccountName"

When I run this, I get the following errors:

ERROR: com.unboundid.ldap.sdk.LDAPException: Invalid hex character ',' encountered at position 11.
External search command 'ldapfilter' returned error code 1. Script output = "x,sAMAccountName,__mv_sAMAccountName,dn "

This works if I do a lookup on other attributes. Do I have to escape or sanitize values before I pass them into ldapfilter?


I'm using ldapsearch 1.1.3 (because 2.0.0 is still too buggy).

My actual use-case is building an identity list for ES using Active Directory. I've started with the example search provided in the docs.
According to the docs the "manageBy" field should be the user name of the manager, but the "manager" attribute contains the DN of the manager not the sAMAccountName.

0 Karma

New Member

Little late to the party here but I was experiencing the same issue and found a workaround. This might have been updated in newer versions of the ldapfilter, so I'm not sure if this is relevant anymore.

In this case, the issue seems to arise from "\" needing to be escaped - as you've alluded to. "(" and ")" within the DN can also cause the same issue.

I did a few evals to just replace those characters with their LDAP escape character equivalents. More info on escaping LDAP characters can be found here.

So in your case, I think it'd look something like the following:

 * | head 1 | eval x="CN=Doe\, John,OU=Dept,DC=domain,DC=com"
| eval removeBackS = replace(x,"\\\\","\5c") 
| eval removeOpPer = replace(removeBackS,"\\(", "\28") 
| eval removeClPer = replace(removeOpPer,"\\)", "\29")
| rename removeClPer as final
| ldapfilter domain=domain.com search="(distinguishedName=$final$)" attrs="sAMAccountName"

This will make your DN string look somewhat weird ("CN=Doe\5c, John,OU=Dept,DC=domain,DC=com") but should resolve in the LDAP filter.

Hopefully this will help someone out in the future!

0 Karma


When setting up the App using the Configuration GUI for "Splunk for Active Directory Support", v2.1.2, I find that the backslash escaping a comma within CN text works perfectly in the Bind DN string for authentication. A little off the focus of the question, but related to syntax solutions in general Splunk and this App.

0 Karma

Esteemed Legend

I am having this same problem; did you ever figure out how to make it work?

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!


Or Learn More in Our Blog >>