Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use the splunk ldapsearch app to list all users' memberships with in a group?

Glasses2
Communicator
‎10-06-2022 02:02 PM

I am having no luck listing users' memberships with in a group, using ldapsearch.

I am not an AD LDAP expert, either.

Lets say I have a domain called Foo, and an OU (group) called Bar, with 10 users.  Each user has additional memberships to other groups.

I am looking to list the membership attr for each user.

I am starting with 

| ldapsearch domain=default search="(&(objectClass=user))"... but I don't know what to add.

Thank you 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Glasses2
Communicator
‎10-06-2022 04:58 PM

Thank you, useful information re: app forum.

 

However, despite a lack of decent documented examples, I stumbled across a way...

The users were in an OU group.

This worked 

 

| ldapsearch basedn="OU=foobar accounts,DC=foo,DC=bar" search="(objectClass=user)" | table displayName dn memberOf

 

 

But unfortunately attrs=displayName,memberOf did not

 

 

| ldapsearch basedn="OU=foobar accounts,DC=foo,DC=bar" search="(objectClass=user)" attrs=displayName,memberOf | table displayName dn memberOf

 

I could not get both attrs, only the first in the list.  Strange

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎10-06-2022 03:55 PM

There is an app and add-on forum All Apps and Add-ons.  That's a better place to ask this question.  To construct a useful search, you need to know how AD implements group membership. (In plain LDAP, group membership is often implemented with the attribute "MemberOf", but not always.)

0 Karma
Reply
Solved! Jump to solution
Solution

Glasses2
Communicator
‎10-06-2022 04:58 PM

Thank you, useful information re: app forum.

 

However, despite a lack of decent documented examples, I stumbled across a way...

The users were in an OU group.

This worked 

 

| ldapsearch basedn="OU=foobar accounts,DC=foo,DC=bar" search="(objectClass=user)" | table displayName dn memberOf

 

 

But unfortunately attrs=displayName,memberOf did not

 

 

| ldapsearch basedn="OU=foobar accounts,DC=foo,DC=bar" search="(objectClass=user)" attrs=displayName,memberOf | table displayName dn memberOf

 

I could not get both attrs, only the first in the list.  Strange

 

 

0 Karma
Reply
Solved! Jump to solution

Glasses2
Communicator
‎10-07-2022 06:14 AM

Apparently wrapping attrs=" thing, thing2, thing3" in quotes works.

0 Karma
Reply
Solved! Jump to solution

Glasses2
Communicator
‎10-07-2022 08:57 AM

one other thing, if you are not admin, you need your role to include: 

 

list_settings

list_storage_passwords

 

or you may get a permission denied error.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What did the zero say to the eight?

June 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

Splunk Observability Cloud's AI Assistant in Action Series: Onboarding New Hires & ...

This is the fifth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...
Top