Splunk Enterprise

Splunk LDAP search add on: Ldap attrs config

williamcclark
Explorer

Can someone explain to me where the attrs argument pulls its attributes from? Originally I thought it was essentially the "-Properties" flag from Get-ADUser and I would be able to use those properties, but whenever I try it says "External search command 'ldapsearch' returned error code 1. Script output = "error_message=Invalid attribute types in attrs list: PasswordExpirationDate "." Where is the attrs list? How can I define more attrs?

0 Karma
1 Solution

williamcclark
Explorer

Sorry for the late reply... Just started back working on this. For anyone who is curious, the answer was the port we were using had fewer attributes.


0 Karma

tscroggins
Influencer

Hi @williamcclark,

The ldapsearch command attrs argument is similar to the Get-ADUser cmdlet Properties parameter; however, unlike Get-ADUser, ldapsearch does not return a default set of LDAP attributes. Using ldapsearch without the attrs argument is equivalent to running Get-ADUser -Properties *. (Technically, the default value for attrs is the Python constant ldap3.ALL_ATTRIBUTES, which evaluates to *.)

To limit the attributes returned, provide a comma-delimited list to the attrs argument:

| ldapsearch attrs="sn,givenName,sAMAccountName"

In the add-on code, "Invalid attributes types in attrs list" is returned when a requested attribute is not present in the directory schema.

How are you using the ldapsearch command? Is it being used by another app or add-on? Does the use case expect a schema extension that isn't installed on your target directory? For example, are you searching for Exchange-related attributes in a directory that does not have the Exchange schema extensions installed?

0 Karma
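
An added sketch, not part of the thread and not the add-on's code, of the schema check described in the answer above: it parses constructed RFC 4512 `attributeTypes` definitions and reports which names in an `attrs` list a given schema view does not define. `ENDPOINT_A`, `ENDPOINT_B`, `schema_names` and `invalid_attrs` are hypothetical names, and both schema lists are constructed sample data.

```python
import re

# Constructed attributeTypes values in RFC 4512 syntax, as read from a
# subschema entry. ENDPOINT_A and ENDPOINT_B are hypothetical endpoints of one
# directory; B is built to expose fewer attributes than A.
ENDPOINT_A = [
    "( 2.5.4.3 NAME 'cn' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )",
    "( 2.5.4.4 NAME ( 'sn' 'surname' ) SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
    "( 2.5.4.42 NAME 'givenName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
    "( 1.2.840.113556.1.4.1 NAME 'name' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
    "( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )",
    "( 1.2.840.113556.1.4.159 NAME 'accountExpires' SYNTAX '1.2.840.113556.1.4.906' )",
]
ENDPOINT_B = [d for d in ENDPOINT_A if "'accountExpires'" not in d]

# NAME is followed by one quoted name or a parenthesised list of quoted names.
NAME_FIELD = re.compile(r"\bNAME\s+(\([^)]*\)|'[^']*')")


def schema_names(attribute_types):
    """Return the lower-cased set of every attribute name and alias defined."""
    names = set()
    for definition in attribute_types:
        field = NAME_FIELD.search(definition)
        if field:
            names.update(n.lower() for n in re.findall(r"'([^']+)'", field.group(1)))
    return names


def invalid_attrs(attrs, attribute_types):
    """List requested attributes that the given schema does not define.

    attrs is a comma-delimited string as passed to ldapsearch. Whitespace
    around each name is stripped here (an assumption of this sketch), and the
    LDAP wildcards '*' and '+' are never reported.
    """
    known = schema_names(attribute_types)
    requested = [a.strip() for a in attrs.split(",") if a.strip()]
    return [a for a in requested if a not in ("*", "+") and a.lower() not in known]


if __name__ == "__main__":
    for label, schema in (("A", ENDPOINT_A), ("B", ENDPOINT_B)):
        bad = invalid_attrs("name,accountExpires", schema)
        print(f"endpoint {label}: invalid attrs = {bad or 'none'}")
```

Attribute names are compared case-insensitively, so `SAMACCOUNTNAME` and `sAMAccountName` resolve to the same schema entry.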

williamcclark
Explorer

Hi @tscroggins, I was using the search app to run:

| ldapsearch search="(&(objectClass=user))" attrs=name, accountExpires



accountExpires is the attribute causing the aforementioned error. I know the property exists because I am able to call it via Get-ADUser. 

0 Karma

tscroggins
Influencer

That may be an off-by-one error in the script block that checks attributes and writes error messages; name isn't a valid attribute. Instead of name, try cn, displayName, sAMAccountName, givenName, sn, etc.

0 Karma

williamcclark
Explorer

Name does return a value, as does every other attribute you listed. How is name not valid? Isn't it just pulling from properties in AD?

0 Karma

tscroggins
Influencer

Ah, you are correct. "name" is the relative distinguished name (RDN) of the object. If the object's distinguished name is CN=foo,DC=example,DC=com, the name value should be foo.

accountExpires is a valid attribute in my Windows Server 2022 Active Directory environment.

A slightly modified version of the search works for me:

| ldapsearch search="(&(objectClass=user))" attrs="name,accountExpires"

What other information can you provide about your Active Directory environment?

0 Karma
