Can someone explain to me where the attrs argument pulls its attributes from? Originally I thought it was essentially the "-Properties" flag from Get-ADUser and I would be able to use those properties, but whenever I try it says "External search command 'ldapsearch' returned error code 1. Script output = "error_message=Invalid attribute types in attrs list: PasswordExpirationDate"." Where is the attrs list? How can I define more attrs?
Hi @williamcclark,
The ldapsearch command attrs argument is similar to the Get-ADUser cmdlet Properties parameter; however, unlike Get-ADUser, ldapsearch does not return a default set of LDAP attributes. Using ldapsearch without the attrs argument is equivalent to running Get-ADUser -Properties *. (Technically, the default value for attrs is the Python constant ldap3.ALL_ATTRIBUTES, which evaluates to *.)
To limit the attributes returned, provide a comma-delimited list to the attrs argument:
| ldapsearch attrs="sn,givenName,sAMAccountName"
In the add-on code, "Invalid attribute types in attrs list" is returned when a requested attribute is not present in the directory schema.
How are you using the ldapsearch command? Is it being used by another app or add-on? Does the use case expect a schema extension that isn't installed on your target directory? For example, are you searching for Exchange-related attributes in a directory that does not have the Exchange schema extensions installed?
Hi @tscroggins I was using the search app to run
| ldapsearch search="(&(objectClass=user))" attrs=name, accountExpires
accountExpires is the attribute causing the aforementioned error. I know the property exists because I am able to call it via Get-ADUser.
That may be an off-by-one error in the script block that checks attributes and writes error messages; name isn't a valid attribute. Instead of name, try cn, displayName, sAMAccountName, givenName, sn, etc.
Name does return a value, as does every other attribute you listed. How is name not valid? Isn't it just pulling from properties in AD?
Ah, you are correct. "name" is the relative distinguished name (RDN) of the object. If the object's distinguished name is CN=foo,DC=example,DC=com, the name value should be foo.
accountExpires is a valid attribute in my Windows Server 2022 Active Directory environment.
A slightly modified version of the search works for me:
| ldapsearch search="(&(objectClass=user))" attrs="name,accountExpires"
What other information can you provide about your Active Directory environment?
Sorry for the late reply... Just started back working on this. For anyone who is curious, the answer was the port we were using had less attributes.
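To make the two points in this thread concrete (the add-on rejects any attrs entry that the directory schema does not define, and a listener that publishes fewer attributes therefore rejects names that work elsewhere), here is an added Python illustration of that check. It is not the SA-ldapsearch add-on's code and it does not talk to a directory: the two schema sets are constructed, the reduced one standing in for the port the original poster was using (a global catalog listener, for example, only carries the partial attribute set), and the assumption that a missing attrs argument means `*` follows the answer above. It also shows why Get-ADUser and ldapsearch disagree: names such as PasswordExpirationDate are properties computed by the PowerShell module, not LDAP attributes, so no schema check will accept them.

```python
"""Emulate the attrs validation the ldapsearch search command performs.

Added example, not the add-on's own code. Schema contents are constructed:
DOMAIN_SCHEMA is a handful of attributeTypes a Windows Server domain
partition publishes; REDUCED_SCHEMA stands in for a listener that exposes
fewer attributes, with accountExpires deliberately missing so the error
from the thread is reproduced.
"""

ALL_ATTRIBUTES = "*"  # assumption: the add-on's default for attrs, like ldap3.ALL_ATTRIBUTES

# Constructed sample: attribute names a full domain partition defines.
DOMAIN_SCHEMA = {
    "name", "cn", "displayName", "sAMAccountName", "givenName", "sn",
    "accountExpires", "pwdLastSet", "userAccountControl", "memberOf",
}

# Constructed sample: the same listener minus accountExpires.
REDUCED_SCHEMA = {
    "name", "cn", "displayName", "sAMAccountName", "givenName", "sn", "memberOf",
}


def parse_attrs(attrs):
    """Split the comma-delimited attrs argument into attribute names.

    A missing attrs argument (None) or a bare "*" means every attribute,
    so ["*"] is returned for both.
    """
    if attrs is None or attrs.strip() == ALL_ATTRIBUTES:
        return [ALL_ATTRIBUTES]
    return [a.strip() for a in attrs.split(",") if a.strip()]


def invalid_attrs(attrs, schema):
    """Return the requested attribute names that the schema does not define.

    LDAP attribute names are case-insensitive, so samaccountname and
    sAMAccountName are the same attribute; both sides are lower-cased.
    """
    requested = parse_attrs(attrs)
    if requested == [ALL_ATTRIBUTES]:
        return []
    known = {name.lower() for name in schema}
    return [a for a in requested if a.lower() not in known]


def check_attrs(attrs, schema):
    """Raise with the add-on's wording when any requested attribute is unknown.

    Returns the parsed attribute list when every name is in the schema.
    """
    bad = invalid_attrs(attrs, schema)
    if bad:
        raise ValueError("Invalid attribute types in attrs list: " + ", ".join(bad))
    return parse_attrs(attrs)


if __name__ == "__main__":
    # The search from the thread, with the list quoted so the comma survives.
    print(check_attrs("name,accountExpires", DOMAIN_SCHEMA))
    # The same request against a listener that exposes fewer attributes.
    try:
        check_attrs("name,accountExpires", REDUCED_SCHEMA)
    except ValueError as err:
        print("error_message=" + str(err))
    # A PowerShell-computed property is never an LDAP attribute.
    print(invalid_attrs("PasswordExpirationDate", DOMAIN_SCHEMA))
```

When the same attrs list works on one port and fails on another, compare the schemas the two listeners actually publish rather than the list of properties Get-ADUser shows, which mixes LDAP attributes with values the cmdlet computes itself.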