Splunk Enterprise Security

LDAP Search= Command

New Member

How do you use the search= command with ldapsearch or ldapfilter? I have seen examples where they are using search="(objectClass=user)", and to me it looks like they are associating a field name with a group name of objectClass. Please tell me if I am correct or not, as I cannot understand how a person can identify which group name goes with which specific field name.

With the search command in either ldapfilter or ldapsearch, can somebody tell me, for search="(&(objectClass=group)(cn=tt_users))", what the & means with the objectClass? The other is the ! with the objectClass in search="(&(objectclass=user)(!(objectClass=computer)))". Can somebody explain the difference between using objectClass, cn and sn, as I have no idea what the difference between them is and what they are used for?

With ldapfilter, in the search command I see two $ symbols, search="(objectSid=$Sid$)". Does it mean that it is used to specify what field is being used? But how does it know to call the command objectSid?

I looked at the documentation for both ldapfilter and ldapsearch but it still did not make sense to me, and the document that mentioned RFC 2254 for the search command said it was created back in 1997, but it still did not make sense to me.

0 Karma

Re: LDAP Search= Command


Hi @keldridg2,

Here are the subquestions I got from you along with their answers, let me know if I missed anything:

  • ....what does the & mean...

    AND Operation: (& (...K1...) (...K2...)) or with more than two criteria: (& (...K1...) (...K2...) (...K3...) (...K4...))

  • ...the other is the ! ...

    Negation: (!(attribute=abc)), e.g. (!(objectClass=group))

  • ...In the search command I see two $ symbols...

    The two $ symbols are not related to ldapsearch directly; they are Splunk tokens. The value of the token is set somewhere on your dashboard before being used in your search.

You can find almost all the options for the ldapsearch command here:
More info about tokens here:
Usage examples to create assets and identities:

Let me know if this helps.


0 Karma
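
As an added illustration (not part of the original thread, and not Splunk's or the add-on's own code), the sketch below parses the prefix-notation filters quoted in the question and evaluates them against constructed directory entries. It shows why `(&(objectclass=user)(!(objectClass=computer)))` returns people but not computer accounts. The entries and the function names `parse`, `matches` and `search` are assumptions made for the example, and only equality and presence (`attr=*`) tests are handled.

```python
# Constructed sample entries. Each attribute (cn = common name, sn = surname)
# holds a list of values; objectClass is multi-valued, and an Active Directory
# computer account carries both "user" and "computer".
ENTRIES = [
    {"cn": ["alice"], "sn": ["Smith"], "objectClass": ["top", "person", "user"]},
    {"cn": ["WKSTN01"], "objectClass": ["top", "person", "user", "computer"]},
    {"cn": ["tt_users"], "objectClass": ["top", "group"]},
]

def parse(f, i=0):
    """Parse one RFC 2254 filter starting at f[i]; return (node, next_index)."""
    if not f.startswith("(", i):
        raise ValueError(f"expected '(' at offset {i}")
    op = f[i + 1:i + 2]
    if op in ("&", "|", "!"):            # the operator precedes its operands
        kids, i = [], i + 2
        while f.startswith("(", i):      # every operand is a complete filter
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' group near offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)                # simple item: (attribute=value)
    attr, sep, value = f[i + 1:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"expected attribute=value at offset {i}")
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry with lower-cased keys."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    values = [v.lower() for v in entry.get(attr, [])]
    # "*" is a presence test; otherwise any one value of the attribute may match.
    return bool(values) if value == "*" else value in values

def search(filter_text, entries):
    """Return the cn of every entry that satisfies the filter."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["cn"][0] for e in entries
            if matches(node, {k.lower(): v for k, v in e.items()})]
```
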