
How can I retrieve a list of LDAP users in my Splunk search?

Explorer

I need to create a search that can retrieve a list of privileged group members from my LDAP server so I can then use that list in my search string.
For example, if I wanted to list all users who are or are not privileged group members I could say something like:

 index=* user=* | stats count by user (EXCLUDING ALL OTHER USERS IN THE LIST OF LDAP PRIVILEGED GROUP MEMBERS I RETRIEVED)

I have looked into trying to use an external scripted lookup that will connect to my LDAP and do a query, but no luck yet.
I am also seeing some answers that say to use something like this:

| rest /services/authentication/users splunk_server=local | table realname

No idea what exactly that does or what/where /services/authentication/users is.
How can I accomplish this?

0 Karma

Re: How can I retrieve a list of LDAP users in my Splunk search?

Motivator

Hi Jcorkey,

To get the list of users in the system, use the search below:

| rest /services/authentication/users splunk_server=local | table type, title, roles, realname email *

To get only the LDAP users you have to filter on type, where type=LDAP is an LDAP user and type=Splunk is a Splunk-created user:

| rest /services/authentication/users splunk_server=local | where type="LDAP" | table type, title, roles, realname email *

Hope this helps you!


Re: How can I retrieve a list of LDAP users in my Splunk search?

Explorer

Will this work on a Linux box?

0 Karma

Re: How can I retrieve a list of LDAP users in my Splunk search?

Motivator

It's a Splunk search, so it doesn't matter whether it's Windows or Linux. Do you have sufficient permission to run the search?


Re: How can I retrieve a list of LDAP users in my Splunk search?

Explorer

Yea I have permissions. But this doesn't sound like what I need or maybe I just don't fully understand what this is doing. I need to be able to actually connect to my LDAP server and get a list of privileged group members from the LDAP.

0 Karma

Re: How can I retrieve a list of LDAP users in my Splunk search?

Motivator

LDAP users who have access to Splunk will be listed by the rest command.

If you want to query LDAP, organizations usually use some GUI for LDAP / Active Directory,
OR

you can use the add-on SA-LDAPSearch.

https://splunkbase.splunk.com/app/1151/
https://docs.splunk.com/Documentation/SA-LdapSearch/2.1.4/User/Theldapsearchcommand


Re: How can I retrieve a list of LDAP users in my Splunk search?

Explorer

I would use this, but I am using RHEL machines, not Windows.

0 Karma

Re: How can I retrieve a list of LDAP users in my Splunk search?

Explorer

I'm using OpenLDAP, and SA-LDAPSearch is for Active Directory.

0 Karma
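
For the OpenLDAP case raised above, one way to get group members into a search is to export them to a CSV lookup. The following is an added example, not code from any poster in this thread: it parses `ldapsearch -LLL` LDIF output (the sample is constructed) into lookup rows, handling folded lines and base64 values; the column names and the lookup file name used in the note after it are assumptions.

```python
import base64
import csv
import io

# Constructed sample of `ldapsearch -LLL` output for two OpenLDAP groups.
SAMPLE_LDIF = """\
dn: cn=sudoers,ou=groups,dc=example,dc=com
member: uid=alice,ou=people,dc=example,dc=com
member: uid=svc-backup-oper
 ator,ou=people,dc=example,dc=com
member:: dWlkPWJvYixvdT1wZW9wbGUsZGM9ZXhhbXBsZSxkYz1jb20=

dn: cn=dbadmins,ou=groups,dc=example,dc=com
memberUid: carol
memberUid: alice
"""

def unfold(ldif):
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:  # leading space = continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def first_rdn_value(dn):  # 'uid=alice,ou=...' -> 'alice'; assumes no escaped commas
    return dn.split(",", 1)[0].partition("=")[2].strip()

def group_members(ldif):
    pairs, group = set(), None
    for line in unfold(ldif):
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: ...' means the value is base64-encoded
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            group = first_rdn_value(value)
        elif attr == "member" and group:  # groupOfNames stores full member DNs
            pairs.add((first_rdn_value(value), group))
        elif attr == "memberuid" and group:  # posixGroup stores bare uids
            pairs.add((value, group))
    return sorted(pairs)  # de-duplicated (user, group) pairs

def to_lookup_csv(ldif):
    out = io.StringIO()
    rows = [("user", "privileged_group")] + group_members(ldif)
    csv.writer(out, lineterminator="\n").writerows(rows)
    return out.getvalue()
```

Saved as a lookup file named `privileged_users.csv` (hypothetical name), the list can be excluded with `index=* user=* NOT [| inputlookup privileged_users.csv | fields user] | stats count by user`.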

Re: How can I retrieve a list of LDAP users in my Splunk search?

Motivator

Have you tried JXplorer? Check this: http://jxplorer.org/

Read this link; there are plenty of LDAP browser tools for Linux:

http://www.ldapbrowserlinux.com/


Re: How can I retrieve a list of LDAP users in my Splunk search?

Path Finder

Works great. Thanks so much!

0 Karma