I'm trying to use Splunk to return a list of records that have been modified in our LDAP since a particular datetime.
There are certain attributes that I know exist in LDAP (e.g., weillCornellEduEndDate), and that I can retrieve when using ldapsearch, but that don't appear when I use ldapfilter (which I have to use; see previous sentence).
This works:
* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="objectClass,cn,mail,title,o,sn,givenName"
| table *
This does NOT work:
* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="objectClass,cn,mail,title,o,sn,givenName,weillCornellEduEndDate"
| table *
Nor does this:
* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="*"
| table *
I'm using Splunk 7.2.9.1 and SA-LDAPSearch.
Here's the error code in the logs.
09-15-2020 17:46:29.177 ERROR script - sid:1600206382.183889 External search command 'ldapfilter' returned error code 1. Script output = "error_message=Invalid attribute types in attrs list: weillCornellEduEndDate\r\n\r\n".
I went through the issue and the add-on design; here is the analysis of the attribute validation flow.
Below is the workflow of the ldapsearch command:
The command fetches the valid available attributes from the schema of the specified domain (value of domain option). Then it validates the provided attribute list (value of attrs option) with the list fetched from the server schema.
Below is the workflow of the ldapfilter command:
The command fetches the valid available attributes from the schema of the server which is configured as default domain. Then it validates the provided attribute list (value of attrs option) with the list fetched from the server schema.
So, there is a difference in the attribute validation of the two commands: ldapfilter always uses the schema of the default domain for the attribute validation, while ldapsearch uses the schema of the server which is provided as the domain option.
This behavior is by design.
The behavior I mentioned is also mentioned in the Addon Doc with the workaround: doc link
Using attr='*' is not supported in ldapfilter. It will only work for ldapsearch.
Thanks,
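To make the validation flow in the answer above concrete, here is a small Python model of it. This is an added illustration, not the SA-LDAPSearch add-on's own code; the per-domain schema contents, the "default" domain name and the wildcard rejection message are constructed assumptions, while the attribute-list error string is the one quoted from the Splunk log in the question.

```python
"""Model of how SA-LDAPSearch's ldapsearch and ldapfilter commands validate
the attrs option, as described in the answer above (added illustration,
not the add-on's code)."""

# Constructed schemas: the attribute types each directory advertises.
# Only the ED-people directory defines weillCornellEduEndDate; the
# directory configured as the default domain does not.
SCHEMAS = {
    "default": {"objectClass", "cn", "mail", "title", "o", "sn", "givenName"},
    "ED-people": {"objectClass", "cn", "mail", "title", "o", "sn", "givenName",
                  "weillCornellEduEndDate"},
}
DEFAULT_DOMAIN = "default"  # assumed name of the configured default domain


def schema_domain(command, domain):
    """ldapsearch validates against the schema of the domain option;
    ldapfilter always validates against the default domain's schema."""
    if command == "ldapsearch":
        return domain
    if command == "ldapfilter":
        return DEFAULT_DOMAIN
    raise ValueError(f"unknown command: {command}")


def validate_attrs(command, domain, attrs, schemas=SCHEMAS):
    """Return None when every attribute in the comma-separated attrs list is
    known to the schema the command consults, otherwise the error message.
    The '*' wildcard is accepted only by ldapsearch."""
    requested = [a.strip() for a in attrs.split(",") if a.strip()]
    if requested == ["*"]:
        if command == "ldapsearch":
            return None
        # The page says '*' is unsupported in ldapfilter but does not quote
        # the exact message, so this string is constructed.
        return "attrs='*' is not supported by ldapfilter"
    known = schemas[schema_domain(command, domain)]
    invalid = [a for a in requested if a not in known]
    if invalid:
        # Same error text as the log line quoted in the question.
        return "Invalid attribute types in attrs list: " + ",".join(invalid)
    return None


if __name__ == "__main__":
    base = "objectClass,cn,mail,title,o,sn,givenName"
    print(validate_attrs("ldapfilter", "ED-people", base))
    print(validate_attrs("ldapfilter", "ED-people", base + ",weillCornellEduEndDate"))
    print(validate_attrs("ldapsearch", "ED-people", base + ",weillCornellEduEndDate"))
```

Running it shows the first query passing under ldapfilter, the second failing with the same message as the log, and the same attribute list passing under ldapsearch because ED-people's schema is consulted.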