Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

LDAP Search= Command

keldridg2
New Member
‎07-25-2019 10:23 AM

How do you use the search= command with lpdasearch or lpdafilter? I seen examples where they are using search="(objectClass=user)" as to me I see that they are associating a field name to a group name of objectClass. If you can tell me if I am correct or not as I cannot understand how can a person can identify which group name goes to which specific field names.

With the search command in either ldapfilter and ldapsearch can somebody tell me search="(&(objectClass=group)(cn=tt_users))" what does the & mean with the objectClass and the other is the ! with the objectClass search="(&(objectclass=user)(!(objectClass=computer)))"? Can somebody explain the difference with using objectClass, cn and sn as I have no idea what is the difference between them and what they are used for?

With lpdafilter in the search command I see two $ symbols search="(objectSid=$Sid$)" does it mean that it is used to specified what field is being used but how does it know to call the command objectSid.

I looked at the documentation for both ldapfilter and ldapsearch but still did not make sense to me and the document that said RFC 2254 for the search command said it was created back in 1997 but still did not make sense to me.

0 Karma
Reply

DavidHourani
Super Champion
‎04-27-2020 11:07 PM

Hi @keldridg2,

Here are the subquestions I got from you along with their answers, let me know if I missed anything :

  • ....what does the & mean...

    AND Operation: (& (...K1...) (...K2...)) or with more than two criteria: (& (...K1...) (...K2...) (...K3...) (...K4...))

  • ...the other is the ! ...

    Negation: (!(attribute=abc)) , e.g. (!objectClass=group)

  • ...In the search command I see two $ symbols...

The two $ symbols are not related to ldapsearch directly they are splunk tokens. The value of the token are set somewhere on your dashboard before being used in your search.

You can find almost all the options for the ldapsearch command here :
http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm
More info about tokens here :
https://docs.splunk.com/Documentation/Splunk/8.0.3/Viz/tokens
Usage examples to create assets and identities:
https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.1/User/Theldapsearchcommand#Examples

Let me know if this helps.

Cheers,
David

0 Karma
Reply
Related Topics
LDAP Search= command
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...