How can I retrieve a list of LDAP users in my Splunk search?

jcorkey
Explorer

I need to create a search that can retrieve a list of privileged group members from my LDAP server so I can then use that list in my search string.
For example, if I wanted to list all users who are or are not privileged group members I could say something like:

 index=* user=* | stats count by user (EXCLUDING ALL OTHER USERS IN THE LIST OF LDAP PRIVILEGED GROUP MEMBERS I RETRIEVED)

I have looked into trying to use an external scripted lookup that will connect to my LDAP and do a query, but no luck yet.
I am also seeing some answers that say to use something like this:

| rest /services/authentication/users splunk_server=local | table realname

No idea what exactly that does or what/where /services/authentication/users is.
How can I accomplish this?

0 Karma

DalJeanis
Legend

Is your question with regard to users of the splunk system, or users of your other systems at large?

0 Karma

jcorkey
Explorer

Other RHEL systems at large. We are using OpenLDAP and have different LDAP clients which use the LDAP server for authentication.

0 Karma

vasanthmss
Motivator

Hi Jcorkey,

To get the list of users in the system, use the search below:

| rest /services/authentication/users splunk_server=local | table type, title, roles, realname, email, *

To get only the LDAP users you have to filter on type, where type=LDAP is an LDAP user and type=Splunk is a Splunk-created user:

| rest /services/authentication/users splunk_server=local | where type="LDAP" | table type, title, roles, realname, email, *

Hope this helps you!!

V

jcorkey
Explorer

Will this work on a Linux box??

0 Karma

joesrepsol
Path Finder

Works great. Thanks so much!

0 Karma

vasanthmss
Motivator

Glad that works. Accept the answer.

V
0 Karma

vasanthmss
Motivator

It's a Splunk search, so it doesn't matter whether it's Windows or Linux. Do you have sufficient permission to run the search?

V

jcorkey
Explorer

Yeah, I have permissions. But this doesn't sound like what I need, or maybe I just don't fully understand what this is doing. I need to be able to actually connect to my LDAP server and get a list of privileged group members from the LDAP.

0 Karma

vasanthmss
Motivator

LDAP users which have access to Splunk will be listed by the rest command.

If you want to query LDAP, organizations usually use some GUI for LDAP / Active Directory,
OR

you can use the add-on SA-LDAPSearch.

https://splunkbase.splunk.com/app/1151/
https://docs.splunk.com/Documentation/SA-LdapSearch/2.1.4/User/Theldapsearchcommand

V

jcorkey
Explorer

I would use this, but I am using RHEL machines, not Windows.

0 Karma

jcorkey
Explorer

I'm using OpenLDAP and SA-LDAPSearch is for Active Directory.

0 Karma

vasanthmss
Motivator

Have you tried JXplorer? Check this: http://jxplorer.org/

Read this link; there are plenty of LDAP browser tools for Linux:

http://www.ldapbrowserlinux.com/

V
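The thread stops at pointing to GUI browsers, but the original question asked for something scriptable: pull the members of a privileged OpenLDAP group from a RHEL box and feed them into a Splunk search. The following is an added example written for this page; it is not code from any participant or from Splunk. It wraps the stock OpenLDAP ldapsearch client, parses its LDIF output and renders a one-column Splunk lookup CSV. The LDAP URI, group DN, bind DN, password file path and lookup file name are placeholders (assumptions); the embedded LDIF sample is constructed so the parser can be exercised offline, and it deliberately mixes posixGroup memberUid values, a groupOfNames member DN, a base64-encoded value and a folded line so every branch of the parser is hit.

```python
#!/usr/bin/env python3
"""Build a Splunk lookup of privileged-group members from OpenLDAP.

Added example, not code from the thread. The URI, DNs, password file
and lookup name below are placeholders (assumptions) for your directory.
"""
import base64
import csv
import io
import subprocess

LDAP_URI = "ldaps://ldap.example.com"                       # assumed
GROUP_DN = "cn=sudoers,ou=groups,dc=example,dc=com"         # assumed privileged group
BIND_DN = "cn=splunk-reader,ou=services,dc=example,dc=com"  # assumed read-only bind
PASS_FILE = "/etc/splunk/ldap.pw"                           # assumed, mode 0600
LOOKUP_CSV = "ldap_privileged_users.csv"                    # assumed lookup name


def ldapsearch_cmd():
    """OpenLDAP ldapsearch invocation: -LLL gives bare LDIF, -s base reads
    only the group entry, -y keeps the bind password out of argv/history."""
    return ["ldapsearch", "-LLL", "-x", "-H", LDAP_URI, "-D", BIND_DN,
            "-y", PASS_FILE, "-b", GROUP_DN, "-s", "base",
            "(objectClass=*)", "member", "memberUid"]


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines (leading space),
    decodes base64 values ('attr:: ...'), skips '#' comments and drops
    trailer records that have no dn (e.g. 'result: 0 Success')."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # folded continuation line
        else:
            logical.append(raw)

    entries, current = [], {}

    def flush():
        if "dn" in current:                 # ignore dn-less trailer records
            entries.append(dict(current))
        current.clear()

    for line in logical:
        if not line.strip():
            flush()                         # blank line ends an entry
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()         # attribute names are case-insensitive
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    flush()
    return entries


def members_from_entries(entries):
    """Collect usernames from posixGroup memberUid values and from
    groupOfNames member DNs (the uid= RDN of each DN)."""
    users = set()
    for entry in entries:
        users.update(entry.get("memberuid", []))
        for dn in entry.get("member", []):
            attr, _, val = dn.split(",", 1)[0].partition("=")
            if attr.strip().lower() == "uid" and val.strip():
                users.add(val.strip())
    return sorted(users)


def to_lookup_csv(users):
    """Render the Splunk lookup: a single 'user' column, one row per member."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["user"])
    for user in users:
        writer.writerow([user])
    return buf.getvalue()


def fetch_privileged_users():
    """Query the directory for real (needs network access to LDAP_URI)."""
    out = subprocess.run(ldapsearch_cmd(), check=True,
                         capture_output=True, text=True).stdout
    return members_from_entries(parse_ldif(out))


# Constructed sample mimicking ldapsearch output; the two trailer lines are
# what ldapsearch prints after the entries when -LLL is not used.
SAMPLE_LDIF = """\
dn: cn=sudoers,ou=groups,dc=example,dc=com
cn: sudoers
objectClass: posixGroup
memberUid: alice
memberUid: bob
memberUid:: Y2Fyb2w=
member: uid=dave,ou=people,dc=example,
 dc=com

search: 2
result: 0 Success
"""

if __name__ == "__main__":
    # Offline demo on the constructed sample; for production swap in
    # fetch_privileged_users() and write the CSV to
    # $SPLUNK_HOME/etc/apps/<app>/lookups/ldap_privileged_users.csv.
    print(to_lookup_csv(members_from_entries(parse_ldif(SAMPLE_LDIF))), end="")
```

Once the CSV sits in an app's lookups directory (a cron job running the script is enough), the exclusion from the original question becomes a subsearch: index=* user=* NOT [| inputlookup ldap_privileged_users.csv | fields user] | stats count by user. Drop the NOT to get the opposite list. Two caveats: a subsearch expands to an OR of user=... terms and is capped by Splunk's subsearch result limit (10,000 by default), so a very large group is better handled with the lookup command than a subsearch; and the bind account should be read-only with its password in a root- or splunk-owned 0600 file, never on the command line where ps and shell history would expose it.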