Splunk Enterprise Security

LDAP Search= command

keldridg2
New Member

How do you use the search= command with lpdasearch or lpdafilter? I seen examples where they are using search="(objectClass=user)" as to me I see that they are associating a field name to a group name of objectClass. If you can tell me if I am correct or not as I cannot understand how can a person can identify which group name goes to which specific field names.

With the search command in either ldapfilter and ldapsearch can somebody tell me search="(&(objectClass=group)(cn=tt_users))" what does the & mean with the objectClass and the other is the ! with the objectClass search="(&(objectclass=user)(!(objectClass=computer)))"? Can somebody explain the difference with using objectClass, cn and sn as I have no idea what is the difference between them and what they are used for?

With lpdafilter in the search command I see two $ symbols search="(objectSid=$Sid$)" does it mean that it is used to specified what field is being used but how does it know to call the command objectSid.

I looked at the documentation for both ldapfilter and ldapsearch but still did not make sense to me and the document that said RFC 2254 for the search command said it was created back in 1997 but still did not make sense to me.

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The argument to the search= option is an LDAP filter. You can read about them at https://ldap.com/ldap-filters/, http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm , and https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax . Filters are how you tell the LDAP command to restrict its search to certain object types.

In your first example, "(&(objectClass=group)(cn=tt_users))" says to look for entities in the "group" class with common name (cn) "tt_users". & is the AND operator and it takes multiple parenthesized arguments. Similiarly, | is the OR operator.

In your second example, "(&(objectclass=user)(!(objectClass=computer)))" says to look for users (objectclass=user) and not (!) computers.

Finally, the two dollar signs in search="(objectSid=$Sid$)" reference a Splunk token called "Sid".

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The argument to the search= option is an LDAP filter. You can read about them at https://ldap.com/ldap-filters/, http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm , and https://docs.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax . Filters are how you tell the LDAP command to restrict its search to certain object types.

In your first example, "(&(objectClass=group)(cn=tt_users))" says to look for entities in the "group" class with common name (cn) "tt_users". & is the AND operator and it takes multiple parenthesized arguments. Similiarly, | is the OR operator.

In your second example, "(&(objectclass=user)(!(objectClass=computer)))" says to look for users (objectclass=user) and not (!) computers.

Finally, the two dollar signs in search="(objectSid=$Sid$)" reference a Splunk token called "Sid".

---
If this reply helps you, Karma would be appreciated.
0 Karma

keldridg2
New Member

Thanks for answering my question. I get that the two $ symbols reference to Sid but am wondering why there needs to be two $ symbols with each one of them being on with side of Sid. If you can be able to answer my other question.

How do you use the search= command with lpdasearch or lpdafilter? I seen examples where they are using search="(objectClass=user)" as to me I see that they are associating a field name to a group name of objectClass. If you can tell me if I am correct or not as I cannot understand how can a person can identify which group name goes to which specific field names.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The two $ symbols are required syntax for using tokens in SPL. Think of them like quotation marks - there must always be a pair.

The search option of ldapsearch does not use field names. It is literal text passed to the LDAP server for processing. If there is a field called 'user' in the query, it has no relationship to the "user" in "(objectClass=user)".

---
If this reply helps you, Karma would be appreciated.
0 Karma

keldridg2
New Member

Thank you for answering my question and it helped me out.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

If your problem is resolved, please accept the answer to help future readers.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...