Splunk Search

ldapfilter does not return all attributes

paulalbert
Engager

I'm trying to use Splunk to return a list of records that have been modified in our LDAP since a particular datetime.

There are certain attributes that I know exist in LDAP (e.g., weillCornellEduEndDate), and that I can retrieve when using ldapsearch, but that don't appear when I use ldapfilter (which I have to use; see previous sentence).

This works:

* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="objectClass,cn,mail,title,o,sn,givenName"
| table *

This does NOT work:

* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="objectClass,cn,mail,title,o,sn,givenName,weillCornellEduEndDate"
| table *

Nor does this....

* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="*"
| table *

I'm using Splunk 7.2.9.1 and SA-LDAPSearch.

Here's the error code in the logs.

09-15-2020 17:46:29.177 ERROR script - sid:1600206382.183889 External search command 'ldapfilter' returned error code 1. Script output = "error_message=Invalid attribute types in attrs list: weillCornellEduEndDate\r\n\r\n".

bjoshi
Splunk Employee

I went through the issue and the add-on design; here is the analysis of the attribute validation flow.

Below is the workflow of the ldapsearch command:

The command fetches the valid available attributes from the schema of the specified domain (value of domain option). Then it validates the provided attribute list (value of attrs option) with the list fetched from the server schema.

Below is the workflow of the ldapfilter command:

The command fetches the valid available attributes from the schema of the server which is configured as default domain. Then it validates the provided attribute list (value of attrs option) with the list fetched from the server schema.

So, there is a difference in the attribute validation of the two commands: ldapfilter always uses the schema of the default domain for attribute validation, while ldapsearch uses the schema of the server that is provided in the domain option.
This behavior is by design.

The behavior I mentioned is also mentioned in the Addon Doc with the workaround: doc link

Use of attr='*' is not supported in ldapfilter. It will only work for ldapsearch.

Thanks,
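
The validation difference described in the answer above, modelled as an added Python example (not SA-LDAPSearch code and not part of the original posts). The schema contents, the default domain name `default`, the case-insensitive name comparison, the comma-joined error list and the wording of the `*` rejection are assumptions; only the domain `ED-people`, the attribute names and the "Invalid attribute types" message come from the thread.

```python
# Added illustration: a model of the attrs validation flow described in the
# answer. Not the add-on's source. Schema contents below are constructed.
STANDARD = {"objectClass", "cn", "mail", "title", "o", "sn", "givenName"}

# Constructed schemas: "default" stands for whichever domain is configured as
# the add-on's default (assumed name); ED-people carries the custom attribute.
SCHEMAS = {
    "default": set(STANDARD),
    "ED-people": STANDARD | {"weillCornellEduEndDate"},
}
DEFAULT_DOMAIN = "default"


def invalid_attrs(attrs, schema):
    """Requested names missing from the schema (assumed case-insensitive)."""
    known = {name.lower() for name in schema}
    requested = [a.strip() for a in attrs.split(",") if a.strip()]
    return [a for a in requested if a.lower() not in known]


def validate(command, domain, attrs):
    """Return None when the attrs list is accepted, else an error string."""
    if command == "ldapsearch":
        if attrs.strip() == "*":
            return None  # wildcard works for ldapsearch, per the answer
        schema = SCHEMAS[domain]  # schema of the domain= option
    elif command == "ldapfilter":
        if attrs.strip() == "*":
            return "attrs wildcard not supported by ldapfilter"  # assumed text
        schema = SCHEMAS[DEFAULT_DOMAIN]  # domain= is ignored for validation
    else:
        raise ValueError("unknown command: " + command)
    bad = invalid_attrs(attrs, schema)
    if bad:
        # Message prefix as seen in the logged error; join format is assumed.
        return "Invalid attribute types in attrs list: " + ", ".join(bad)
    return None


BASE = "objectClass,cn,mail,title,o,sn,givenName"
CUSTOM = BASE + ",weillCornellEduEndDate"

if __name__ == "__main__":
    for cmd in ("ldapsearch", "ldapfilter"):
        for attrs in (BASE, CUSTOM, "*"):
            print(cmd, "|", attrs, "->", validate(cmd, "ED-people", attrs))
```
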
