How do you use the search= command with ldapsearch or ldapfilter? I have seen examples where they use search="(objectClass=user)"; to me it looks like they are associating a field name with a group name of objectClass. Can you tell me if I am correct or not, as I cannot understand how a person can identify which group name goes with which specific field names.
With the search command in either ldapfilter or ldapsearch, can somebody tell me, for search="(&(objectClass=group)(cn=tt_users))", what the & means with the objectClass? The other one is the ! with objectClass in search="(&(objectclass=user)(!(objectClass=computer)))". Can somebody explain the difference between using objectClass, cn and sn, as I have no idea what the difference between them is and what they are used for?
With ldapfilter in the search command I see two $ symbols in search="(objectSid=$Sid$)". Does it mean that it is used to specify which field is being used? But then how does it know to call the command objectSid?
I looked at the documentation for both ldapfilter and ldapsearch but it still did not make sense to me, and the document that referred to RFC 2254 for the search command said it was created back in 1997, but it still did not make sense to me.
The argument to the search= option is an LDAP filter. You can read about them at https://ldap.com/ldap-filters/, http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm, and https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax. Filters are how you tell the LDAP command to restrict its search to certain object types.
In your first example, "(&(objectClass=group)(cn=tt_users))" says to look for entities in the "group" class with common name (cn) "tt_users". & is the AND operator and it takes multiple parenthesized arguments. Similarly, | is the OR operator.
In your second example, "(&(objectclass=user)(!(objectClass=computer)))" says to look for users (objectclass=user) and not (!) computers.
Finally, the two dollar signs in search="(objectSid=$Sid$)" reference a Splunk token called "Sid".
Thanks for answering my question. I get that the two $ symbols reference Sid, but I am wondering why there need to be two $ symbols, with one on each side of Sid. If you could also answer my other question:
How do you use the search= command with ldapsearch or ldapfilter? I have seen examples where they use search="(objectClass=user)"; to me it looks like they are associating a field name with a group name of objectClass. Can you tell me if I am correct or not, as I cannot understand how a person can identify which group name goes with which specific field names.
The two $ symbols are required syntax for using tokens in SPL. Think of them like quotation marks - there must always be a pair.
The search option of ldapsearch does not use field names. It is literal text passed to the LDAP server for processing. If there is a field called 'user' in the query, it has no relationship to the "user" in "(objectClass=user)".
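As an added illustration (not code from this thread or from the Splunk LDAP app), here is a small Python evaluator for the filter syntax discussed in both answers above: it parses the &, | and ! operators and the attr=value items of RFC 2254 and runs them over a constructed set of directory entries, and substitute_tokens shows why the $ signs always come as a pair around the token name. The sample entries, their values and the ldap_search helper are assumptions made for the example.

```python
import fnmatch
import re

# Constructed sample directory (not real AD data); attribute names are case-insensitive and multi-valued.
ENTRIES = [
    {"objectClass": ["top", "group"], "cn": ["tt_users"]},
    {"objectClass": ["top", "person", "user"], "cn": ["alice"], "sn": ["Smith"]},
    {"objectClass": ["top", "person", "user", "computer"], "cn": ["WS01$"]},
]

def substitute_tokens(filter_text, tokens):
    # Splunk-style $name$ substitution: the two $ delimit the token name, like a pair of quotes.
    return re.sub(r"\$(\w+)\$", lambda m: tokens[m.group(1)], filter_text)

def parse_filter(text):
    """Recursive-descent parser for the RFC 2254 subset on this page: &, |, ! and attr=value."""
    pos = 0
    def expect(ch):                          # consume one required character or fail loudly
        nonlocal pos
        if text[pos:pos + 1] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1
    def component():                         # parse one parenthesised filter component
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":                       # AND / OR: one or more parenthesised sub-filters
            pos += 1
            subs = []
            while text[pos:pos + 1] == "(":
                subs.append(component())
            expect(")")
            return lambda e: (all if op == "&" else any)(s(e) for s in subs)
        if op == "!":                        # NOT: exactly one sub-filter
            pos += 1
            sub = component()
            expect(")")
            return lambda e: not sub(e)
        end = text.index(")", pos)           # simple item: attribute=value, '*' is a wildcard
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        attr, pattern = attr.lower(), value.lower()
        return lambda e: any(fnmatch.fnmatchcase(v.lower(), pattern)
                             for k, vals in e.items() if k.lower() == attr for v in vals)
    return component()

def ldap_search(filter_text, entries=ENTRIES):
    # Return the cn of every entry the filter matches, the set the search= option would select.
    pred = parse_filter(filter_text)
    return [e["cn"][0] for e in entries if pred(e)]
```

Note that the attribute names in the filter (objectClass, cn, sn) are matched against the directory entry's own attributes, never against Splunk field names.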
Thank you for answering my question and it helped me out.
If your problem is resolved, please accept the answer to help future readers.