How to use the splunk ldapsearch app to list all users' memberships within a group?

Glasses2
Communicator

I am having no luck listing users' memberships within a group, using ldapsearch.

I am not an AD LDAP expert, either.

Let's say I have a domain called Foo, and an OU (group) called Bar, with 10 users. Each user has additional memberships to other groups.

I am looking to list the membership attr for each user.

I am starting with 

| ldapsearch domain=default search="(&(objectClass=user))"... but I don't know what to add.

Thank you 

yuanliu
SplunkTrust

There is an app and add-on forum All Apps and Add-ons.  That's a better place to ask this question.  To construct a useful search, you need to know how AD implements group membership. (In plain LDAP, group membership is often implemented with the attribute "MemberOf", but not always.)

0 Karma

Glasses2
Communicator

Thank you, useful information re: app forum.

However, despite a lack of decent documented examples, I stumbled across a way...

The users were in an OU group.

This worked:

| ldapsearch basedn="OU=foobar accounts,DC=foo,DC=bar" search="(objectClass=user)" | table displayName dn memberOf

But unfortunately attrs=displayName,memberOf did not:

| ldapsearch basedn="OU=foobar accounts,DC=foo,DC=bar" search="(objectClass=user)" attrs=displayName,memberOf | table displayName dn memberOf

I could not get both attrs, only the first in the list. Strange.

0 Karma

Glasses2
Communicator

Apparently wrapping attrs=" thing, thing2, thing3" in quotes works.

0 Karma
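
Putting the thread's findings together (quoted attrs list, OU as basedn), the search below is an added example, not part of the original posts: it expands each user's memberOf values, pulls the group CN out of each DN, and summarises direct group memberships per user. It assumes memberOf is returned as a multivalue field and that group CNs contain no escaped commas; group_cn, groups and group_count are names chosen here. AD's memberOf lists direct memberships only and does not include the user's primary group.

```spl
| ldapsearch basedn="OU=foobar accounts,DC=foo,DC=bar" search="(objectClass=user)" attrs="displayName,memberOf"
| mvexpand memberOf
| rex field=memberOf "^CN=(?<group_cn>[^,]+)"
| eval group_cn=coalesce(group_cn, memberOf)
| stats dc(memberOf) AS group_count values(group_cn) AS groups BY displayName
| sort - group_count
```
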

Glasses2
Communicator

One other thing, if you are not admin, you need your role to include:

list_settings
list_storage_passwords

or you may get a permission denied error.

0 Karma