Splunk Enterprise

Splunk LDAP search add on: Ldap attrs config

williamcclark
Explorer

Can someone explain to me where the attrs argument pulls its attributes from? Originally I thought it was essentially the "-Properties" flag from Get-ADUser and I would be able to use those properties, but whenever I try, it says "External search command 'ldapsearch' returned error code 1. Script output = "error_message=Invalid attribute types in attrs list: PasswordExpirationDate "." Where is the attrs list? How can I define more attrs?

0 Karma

tscroggins
Influencer

Hi @williamcclark,

The ldapsearch command attrs argument is similar to the Get-ADUser cmdlet Properties parameter; however, unlike Get-ADUser, ldapsearch does not return a default set of LDAP attributes. Using ldapsearch without the attrs argument is equivalent to running Get-ADUser -Properties *. (Technically, the default value for attrs is the Python constant ldap3.ALL_ATTRIBUTES, which evaluates to *.)

To limit the attributes returned, provide a comma-delimited list to the attrs argument:

| ldapsearch attrs="sn,givenName,sAMAccountName"

In the add-on code, "Invalid attributes types in attrs list" is returned when a requested attribute is not present in the directory schema.

How are you using the ldapsearch command? Is it being used by another app or add-on? Does the use case expect a schema extension that isn't installed on your target directory? For example, are you searching for Exchange-related attributes in a directory that does not have the Exchange schema extensions installed?

0 Karma

williamcclark
Explorer

Hi @tscroggins, I was using the search app to run

| ldapsearch search="(&(objectClass=user))" attrs=name, accountExpires



accountExpires is the attribute causing the aforementioned error. I know the property exists because I am able to call it via Get-ADUser. 

0 Karma

tscroggins
Influencer

That may be an off-by-one error in the script block that checks attributes and writes error messages; name isn't a valid attribute. Instead of name, try cn, displayName, sAMAccountName, givenName, sn, etc.

0 Karma

williamcclark
Explorer

Name does return a value, as does every other attribute you listed. How is name not valid? Isn't it just pulling from properties in AD?

0 Karma

tscroggins
Influencer

Ah, you are correct. "name" is the relative distinguished name (RDN) of the object. If the object's distinguished name is CN=foo,DC=example,DC=com, the name value should be foo.

accountExpires is a valid attribute in my Windows Server 2022 Active Directory environment.

A slightly modified version of the search works for me:

| ldapsearch search="(&(objectClass=user))" attrs="name,accountExpires"

What other information can you provide about your Active Directory environment?

0 Karma

williamcclark
Explorer

Sorry for the late reply... Just started back working on this. For anyone who is curious, the answer was the port we were using had fewer attributes.

0 Karma
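
An added example, not part of any post in this thread and not the add-on's code: because the error is returned for names that are not present in the directory schema, this PowerShell function looks up each requested name among the schema's attributeSchema objects. The function name Test-LdapAttrs is hypothetical, and the InGlobalCatalog column (from isMemberOfPartialAttributeSet) is included on the assumption that the port in the final reply exposed a reduced attribute set such as the global catalog's.

```powershell
# Added example: check attrs names against the AD schema (sample names taken from the thread).
Import-Module ActiveDirectory

function Test-LdapAttrs {
    param(
        # Same comma-delimited form that is passed to ldapsearch attrs="..."
        [Parameter(Mandatory)] [string] $Attrs
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $names = $Attrs -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
    foreach ($name in $names) {
        # Only accept LDAP attribute descriptors (letter, then letters/digits/hyphens)
        # so the value can be placed in the filter below without escaping.
        if ($name -notmatch '^[A-Za-z][A-Za-z0-9-]*$') {
            Write-Warning "Skipping '$name': not a valid LDAP attribute name"
            continue
        }
        # Every LDAP attribute is defined by an attributeSchema object; lDAPDisplayName
        # is the name an LDAP client has to use in its attribute list.
        $def = Get-ADObject -SearchBase $schemaNC `
                   -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
                   -Properties lDAPDisplayName, isMemberOfPartialAttributeSet
        [pscustomobject]@{
            Requested       = $name
            InSchema        = [bool]$def
            LdapDisplayName = $def.lDAPDisplayName
            # True when the attribute is replicated to the global catalog
            InGlobalCatalog = [bool]$def.isMemberOfPartialAttributeSet
        }
    }
}

Test-LdapAttrs -Attrs 'name, accountExpires, PasswordExpirationDate' |
    Format-Table -AutoSize
```

Run it from a host with the RSAT ActiveDirectory module and read access to the schema partition.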