I need to create a search that can retrieve a list of privileged group members from my LDAP server so I can then use that list in my search string.
For example, if I wanted to list all users who are or are not privileged group members I could say something like:
index=* user=* | stats count by user (EXCLUDING ALL OTHER USERS IN THE LIST OF LDAP PRIVILEGED GROUP MEMBERS I RETRIEVED)
I have looked into trying to use an external scripted lookup that will connect to my LDAP and do a query but no luck yet.
I am also seeing some answers that say to use something like this:
| rest /services/authentication/users splunk_server=local | table realname
No idea what exactly that does or what/where /services/authentication/users is.
How can I accomplish this?
Is your question with regard to users of the splunk system, or users of your other systems at large?
other Rhel systems at large. We are using openLdap and have different Ldap clients which use the Ldap server for authentication.
Hi Jcorkey,
To get the list of users in the system use the below search,
| rest /services/authentication/users splunk_server=local | table type, title, roles, realname email *
To get only the LDAP users you have to filter the type, where type=LDAP is LDAP user and type=Splunk is Splunk created user,
| rest /services/authentication/users splunk_server=local | where type="LDAP" | table type, title, roles, realname email *
Hope this helps you !!
Will this work on a linux box??
Works great. Thanks so much!
Glad that works. Accept the answer.
it's a splunk search so it doesn't matter windows / linux. Do you have sufficient permission to run the search?
Yea I have permissions. But this doesn't sound like what I need or maybe I just don't fully understand what this is doing. I need to be able to actually connect to my LDAP server and get a list of privileged group members from the LDAP.
LDAP users who have access to Splunk will be listed by the rest command.
If you want to query the LDAP, usually organizations will use some GUI for LDAP / Active Directory,
OR
you can use the Add-on SA-LDAPSearch.
https://splunkbase.splunk.com/app/1151/
https://docs.splunk.com/Documentation/SA-LdapSearch/2.1.4/User/Theldapsearchcommand
I would use this but I am using Rhel machines not windows
I'm using openldap and SA-LDAPSearch is for active directory
have you tried JXplorer? Check this, http://jxplorer.org/
Read this link, there are plenty of LDAP browser tools for Linux,
http://www.ldapbrowserlinux.com/
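
An added example, not part of the thread and not Splunk's own code: since the directory here is OpenLDAP, one way to get the privileged group list into a search is to export the groups with `ldapsearch -LLL`, convert the LDIF to a lookup CSV, and exclude those users with a subsearch. The group names, DNs and the lookup file name `privileged_users.csv` are assumptions, and the sample LDIF is constructed.

```python
import base64, csv, io

# Constructed sample of `ldapsearch -LLL` output; group names and DNs are hypothetical.
SAMPLE_LDIF = (
    "dn: cn=wheel,ou=Groups,dc=example,dc=com\n"
    "cn: wheel\n"
    "memberUid: alice\n"
    "memberUid: bob\n\n"
    "dn: cn=dbadmins,ou=Groups,dc=example,dc=com\n"
    "cn: dbadmins\n"
    "member: uid=Carol,ou=People,dc=exam\n ple,dc=com\n"  # folded continuation line
    "member:: " + base64.b64encode(b"uid=dave,ou=People,dc=example,dc=com").decode() + "\n"
)

def parse_ldif(text):
    """Yield one {attr: [values]} dict per LDIF entry (handles folding and base64)."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")  # RFC 2849 line folding
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in (l for l in block.splitlines() if l and not l.startswith("#")):
            attr, _, rest = line.partition(":")
            b64 = rest.startswith(":")                 # "attr:: <base64 value>"
            value = base64.b64decode(rest[1:].strip()).decode() if b64 else rest.strip()
            entry.setdefault(attr.lower(), []).append(value)
        if entry:
            yield entry

def member_to_user(value):
    """memberUid is a bare login; member/uniqueMember is a DN (assumes no escaped commas)."""
    first_rdn = value.split(",", 1)[0]
    return first_rdn.partition("=")[2] if "=" in first_rdn else value

def privileged_users(ldif_text):
    """Return sorted, de-duplicated (user, group) pairs for every group entry."""
    rows = set()
    for entry in parse_ldif(ldif_text):
        group = entry.get("cn", ["?"])[0]
        for attr in ("memberuid", "member", "uniquemember"):
            for value in entry.get(attr, []):
                rows.add((member_to_user(value).lower(), group))  # normalise login case
    return sorted(rows)

def to_lookup_csv(rows):  # CSV with a header row, as Splunk lookup files expect
    out = io.StringIO()
    csv.writer(out, lineterminator="\n").writerows([("user", "group"), *rows])
    return out.getvalue()
```

With the CSV saved as a lookup file, the search from the question becomes `index=* user=* NOT [| inputlookup privileged_users.csv | fields user] | stats count by user`; dropping the `NOT` lists only the privileged users. Rerun the export on a schedule so the lookup follows group membership changes.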