Splunk Search

How to use the splunk ldapsearch app to list all users' memberships within a group?

Glasses2
Communicator

I am having no luck listing users' memberships within a group, using ldapsearch.

I am not an AD LDAP expert, either.

Let's say I have a domain called Foo, and an OU (group) called Bar, with 10 users. Each user has additional memberships to other groups.

I am looking to list the membership attr for each user.

I am starting with 

| ldapsearch domain=default search="(&(objectClass=user))"... but I don't know what to add.

Thank you 


yuanliu
SplunkTrust

There is an app and add-on forum All Apps and Add-ons.  That's a better place to ask this question.  To construct a useful search, you need to know how AD implements group membership. (In plain LDAP, group membership is often implemented with the attribute "MemberOf", but not always.)


Glasses2
Communicator

Thank you, useful information re: app forum.

However, despite a lack of decent documented examples, I stumbled across a way...

The users were in an OU group.

This worked:

| ldapsearch basedn="OU=foobar accounts,DC=foo,DC=bar" search="(objectClass=user)" | table displayName dn memberOf

But unfortunately attrs=displayName,memberOf did not:

| ldapsearch basedn="OU=foobar accounts,DC=foo,DC=bar" search="(objectClass=user)" attrs=displayName,memberOf | table displayName dn memberOf

I could not get both attrs, only the first in the list. Strange.


Glasses2
Communicator

Apparently wrapping attrs=" thing, thing2, thing3" in quotes works.


Glasses2
Communicator

One other thing: if you are not admin, you need your role to include:

list_settings
list_storage_passwords

or you may get a permission denied error.
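
Putting the thread's pieces together, as an added example that is not from any of the posts above or from the app's documentation: the quoted attrs list, with memberOf expanded to one row per group and then collapsed into a group list per user. It assumes memberOf comes back as a multivalue field and that group CNs contain no escaped commas; the field names group, groups and group_count are made up here.

```spl
| ldapsearch basedn="OU=foobar accounts,DC=foo,DC=bar" search="(objectClass=user)" attrs="displayName,memberOf"
| mvexpand memberOf
| rex field=memberOf "^CN=(?<group>[^,]+)"
| stats values(group) as groups dc(group) as group_count by displayName
| sort displayName
```

In Active Directory, memberOf does not include a user's primary group (typically Domain Users), so that group will not show up in the groups column.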
