Splunk Enterprise Security

LDAP Search= Command

keldridg2
New Member

How do you use the search= command with ldapsearch or ldapfilter? I have seen examples where they are using search="(objectClass=user)"; to me it looks like they are associating a field name with a group name of objectClass. Can you tell me if I am correct or not, as I cannot understand how a person can identify which group name goes to which specific field names.

With the search command in either ldapfilter or ldapsearch, can somebody tell me, in search="(&(objectClass=group)(cn=tt_users))", what the & means with the objectClass, and the other is the ! with the objectClass in search="(&(objectclass=user)(!(objectClass=computer)))"? Can somebody explain the difference between using objectClass, cn and sn, as I have no idea what the difference between them is and what they are used for?

With ldapfilter in the search command I see two $ symbols, search="(objectSid=$Sid$)". Does it mean that it is used to specify which field is being used, but how does it know to call the command objectSid?

I looked at the documentation for both ldapfilter and ldapsearch but it still did not make sense to me, and the document that referenced RFC 2254 for the search command said it was created back in 1997, but it still did not make sense to me either.


DavidHourani
Super Champion

Hi @keldridg2,

Here are the sub-questions I got from you along with their answers; let me know if I missed anything:

  • ....what does the & mean...

    AND Operation: (& (...K1...) (...K2...)) or with more than two criteria: (& (...K1...) (...K2...) (...K3...) (...K4...))

  • ...the other is the ! ...

    Negation: (!(attribute=abc)), e.g. (!objectClass=group)

  • ...In the search command I see two $ symbols...

The two $ symbols are not related to ldapsearch directly; they are Splunk tokens. The value of the token is set somewhere on your dashboard before being used in your search.

You can find almost all the options for the ldapsearch command here :
http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm
More info about tokens here :
https://docs.splunk.com/Documentation/Splunk/8.0.3/Viz/tokens
Usage examples to create assets and identities:
https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.1/User/Theldapsearchcommand#Examples

Let me know if this helps.

Cheers,
David

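The filter syntax David describes is RFC 4515 (which replaced RFC 2254 in 2006): a filter is always parenthesised, & and | take a list of parenthesised sub-filters, and ! takes exactly one parenthesised sub-filter, so a negation is written (!(objectClass=group)). The three attributes in the question are ordinary directory attributes, not "group names": objectClass lists the schema classes an entry belongs to (an Active Directory user object is top/person/organizationalPerson/user, and a computer object has all of those plus computer, which is why (objectClass=user) alone also returns computer accounts and the thread's second filter subtracts them), cn is the common name that forms the entry's CN= relative DN, and sn is the surname. The example below is added here to make that concrete; it is not code from the thread or from the SA-ldapsearch app. It is a small parser and evaluator for this filter grammar run against constructed directory entries shaped like AD objects, plus a $token$ substitution that shows why a token value spliced into a filter should be escaped per RFC 4515 before use. Assumptions: the entries and SIDs are invented test data, and every attribute is compared case-insensitively, which matches how AD treats these string attributes.

```python
"""Minimal RFC 4515 LDAP search-filter parser and evaluator (added example,
not code from the Splunk thread or the SA-ldapsearch app). DIRECTORY is
constructed test data; attribute comparison is case-insensitive (assumption)."""
import re

# Constructed AD-like entries. A computer object carries objectClass "user"
# as well as "computer", so (objectClass=user) on its own returns WKSTN01 too.
DIRECTORY = [
    {"dn": "CN=Alice Smith,OU=Staff,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "cn": ["Alice Smith"], "sn": ["Smith"], "sAMAccountName": ["asmith"],
     "objectSid": ["S-1-5-21-1111-2222-3333-1105"]},
    {"dn": "CN=WKSTN01,OU=Workstations,DC=example,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "cn": ["WKSTN01"], "sAMAccountName": ["WKSTN01$"],
     "objectSid": ["S-1-5-21-1111-2222-3333-1201"]},
    {"dn": "CN=tt_users,OU=Groups,DC=example,DC=com",
     "objectClass": ["top", "group"], "cn": ["tt_users"],
     "member": ["CN=Alice Smith,OU=Staff,DC=example,DC=com"]},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a filter: * ( ) \\ and NUL
    become \\2a \\28 \\29 \\5c \\00, so the value cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_filter(text):
    """Parse a filter into a tuple tree: ('&'|'|', [kids]), ('!', [kid]),
    ('eq', attr, value), ('present', attr) or ('substr', attr, pattern)."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing data after filter: %r" % rest)
    return node


def _parse(s):
    if not s.startswith("("):
        raise ValueError("expected '(' at %r" % s[:20])
    s = s[1:]
    if s[:1] in ("&", "|"):                      # AND / OR over a list of sub-filters
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unterminated %s filter" % op)
        return (op, kids), s[1:]
    if s[:1] == "!":                             # NOT: operand must itself be parenthesised
        kid, s = _parse(s[1:])
        if not s.startswith(")"):
            raise ValueError("unterminated ! filter")
        return ("!", [kid]), s[1:]
    m = re.match(r"([A-Za-z][\w.;-]*)=([^)]*)\)", s)   # attr=value) with value still escaped
    if not m:
        raise ValueError("bad simple filter at %r" % s[:20])
    attr, val, rest = m.group(1), m.group(2), s[m.end():]
    if val == "*":
        return ("present", attr), rest
    if "*" in val:
        return ("substr", attr, val), rest
    return ("eq", attr, _unescape(val)), rest


def is_valid_filter(text):
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


def _values(entry, attr):
    for k, v in entry.items():
        if k.lower() == attr.lower():           # attribute names are case-insensitive
            return [x.lower() for x in v]
    return []


def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict: attribute -> list of values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    vals = _values(entry, node[1])
    if kind == "present":
        return bool(vals)
    if kind == "eq":
        return node[2].lower() in vals
    pattern = ".*".join(re.escape(_unescape(p)) for p in node[2].split("*"))
    return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in vals)


def search(filter_text, directory=DIRECTORY):
    """Return the DNs of the entries the filter selects."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in directory if matches(node, e)]


def fill_token(template, tokens, escape=True):
    """Substitute $name$ tokens into a filter template. escape=True applies RFC 4515
    escaping to each value; escape=False shows what naive string interpolation does."""
    def sub(m):
        v = tokens[m.group(1)]
        return escape_filter_value(v) if escape else v
    return re.sub(r"\$(\w+)\$", sub, template)


if __name__ == "__main__":
    for f in ["(objectClass=user)",
              "(&(objectClass=user)(!(objectClass=computer)))",
              "(&(objectClass=group)(cn=tt_users))",
              "(sn=Smith)",
              fill_token("(objectSid=$Sid$)", {"Sid": "S-1-5-21-1111-2222-3333-1105"}),
              fill_token("(objectSid=$Sid$)", {"Sid": "*"}, escape=False),  # naive: presence filter
              fill_token("(objectSid=$Sid$)", {"Sid": "*"})]:               # escaped: literal "*"
        print(f, "->", search(f))
```

Running it shows the point of the second filter in the question: (objectClass=user) returns both Alice and WKSTN01, while (&(objectClass=user)(!(objectClass=computer))) returns only Alice. The last two rows show the token caveat: if a dashboard token such as $Sid$ comes from user input and is pasted into the filter as-is, a value of * turns (objectSid=$Sid$) into the presence filter (objectSid=*) and matches every entry that has a SID; with RFC 4515 escaping it becomes (objectSid=\2a), a literal asterisk that matches nothing. Whether a given Splunk command escapes token values for you is not stated in the thread, so escape at the point where untrusted input enters the filter.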