Splunk Search

How to use the splunk ldapsearch app to list all users' memberships within a group?

Glasses2
Communicator

I am having no luck listing users' memberships within a group, using ldapsearch.

I am not an AD LDAP expert, either.

Let's say I have a domain called Foo, and an OU (group) called Bar, with 10 users. Each user has additional memberships to other groups.

I am looking to list the membership attr for each user.

I am starting with 

| ldapsearch domain=default search="(&(objectClass=user))"... but I don't know what to add.

Thank you 

0 Karma
1 Solution

Glasses2
Communicator

Thank you, useful information re: app forum.

However, despite a lack of decent documented examples, I stumbled across a way...

The users were in an OU group.

This worked:

| ldapsearch basedn="OU=foobar accounts,DC=foo,DC=bar" search="(objectClass=user)" | table displayName dn memberOf

But unfortunately attrs=displayName,memberOf did not:

| ldapsearch basedn="OU=foobar accounts,DC=foo,DC=bar" search="(objectClass=user)" attrs=displayName,memberOf | table displayName dn memberOf

I could not get both attrs, only the first in the list. Strange.

0 Karma

yuanliu
SplunkTrust

There is an app and add-on forum, All Apps and Add-ons. That's a better place to ask this question. To construct a useful search, you need to know how AD implements group membership. (In plain LDAP, group membership is often implemented with the attribute "MemberOf", but not always.)

0 Karma


Glasses2
Communicator

Apparently wrapping attrs=" thing, thing2, thing3" in quotes works.

0 Karma
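Putting the thread together, as an added example that is not part of the original posts: the OU search from the accepted solution with the attribute list quoted, expanded to one row per group and rolled back up per user. The group, groups and group_count field names and the rex pattern are assumptions added here, domain=default comes from the question, and the search assumes ldapsearch still returns dn when attrs is set.

```spl
| ldapsearch domain=default basedn="OU=foobar accounts,DC=foo,DC=bar" search="(objectClass=user)" attrs="displayName,memberOf"
| mvexpand memberOf
| rex field=memberOf "^CN=(?<group>[^,]+)"
| stats values(displayName) as displayName values(group) as groups dc(group) as group_count by dn
| sort - group_count
| table displayName dn group_count groups
```

In AD, memberOf holds only direct memberships, so nested groups and the primary group (normally Domain Users) do not appear. The rex keeps the text up to the first comma, so a group CN containing an escaped comma is cut short.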

Glasses2
Communicator

One other thing: if you are not admin, you need your role to include:

list_settings

list_storage_passwords

or you may get a permission denied error.

0 Karma