Splunk Search

ldapfilter does not return all attributes

paulalbert
Engager

I'm trying to use Splunk to return a list of records that have been modified in our LDAP since a particular datetime.

There are certain attributes that I know exist in LDAP (e.g., weillCornellEduEndDate) and that I can retrieve when using ldapsearch, but that don't appear when I use ldapfilter (which I have to use; see previous sentence).
This works:

* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="objectClass,cn,mail,title,o,sn,givenName"
| table *

[Screenshot: Screen Shot 2020-09-15 at 5.34.39 PM.png]

This does NOT work:

* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="objectClass,cn,mail,title,o,sn,givenName,weillCornellEduEndDate"
| table *

[Screenshot: Screen Shot 2020-09-15 at 5.35.02 PM.png]

Nor does this...

* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="*"
| table *

[Screenshot: Screen Shot 2020-09-15 at 5.35.25 PM.png]

I'm using Splunk 7.2.9.1 and SA-LDAPSearch.

Here's the error code in the logs.

09-15-2020 17:46:29.177 ERROR script - sid:1600206382.183889 External search command 'ldapfilter' returned error code 1. Script output = "error_message=Invalid attribute types in attrs list: weillCornellEduEndDate\r\n\r\n".


bjoshi
Splunk Employee

I went through the issue and the add-on design; here is the analysis of the attribute validation flow.

Below is the workflow of the ldapsearch command:

The command fetches the valid available attributes from the schema of the specified domain (value of the domain option). Then it validates the provided attribute list (value of the attrs option) against the list fetched from the server schema.

Below is the workflow of the ldapfilter command:

The command fetches the valid available attributes from the schema of the server which is configured as the default domain. Then it validates the provided attribute list (value of the attrs option) against the list fetched from the server schema.

So, there is a difference in the attribute validation of the two commands: ldapfilter always uses the schema of the default domain for the attribute validation, while ldapsearch uses the schema of the server which is provided as the domain option.
This behavior is by design.

The behavior I mentioned is also documented in the add-on docs, along with the workaround: doc link

Using attr='*' is not supported in ldapfilter. It will only work for ldapsearch.

Thanks,

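To make the validation flow described in the answer concrete, here is an added Python model of it (example code, not the add-on's own implementation). The two schema sets and the domain names are constructed samples; "default" is assumed to be the stanza the add-on treats as the default domain; and schema_from_server assumes the ldap3 library's Server.schema.attribute_types and is not exercised offline. The rest runs stand-alone and reproduces the verdict in the thread: the same attrs list passes for ldapsearch against ED-people but fails for ldapfilter, because ldapfilter checks it against the default domain's schema.

```python
"""Offline model of SA-LDAPSearch attribute validation (added example, not the add-on's code)."""
from typing import Dict, FrozenSet, Iterable, List, Optional

# Constructed sample schemas, keyed by the add-on "domain" stanza name. A real
# server advertises these in its subschema subentry; only the names used in the
# searches above are taken from the thread, the split between domains is invented.
SCHEMAS: Dict[str, FrozenSet[str]] = {
    "default": frozenset({"objectClass", "cn", "mail", "title", "o", "sn", "givenName",
                          "createTimestamp", "modifyTimestamp"}),
    "ED-people": frozenset({"objectClass", "cn", "mail", "title", "o", "sn", "givenName",
                            "createTimestamp", "modifyTimestamp", "weillCornellEduEndDate"}),
}
DEFAULT_DOMAIN = "default"  # assumption: the stanza the add-on treats as default


def parse_attrs(attrs: str) -> List[str]:
    """Split the comma-separated attrs option, dropping blanks."""
    return [a.strip() for a in attrs.split(",") if a.strip()]


def invalid_attrs(requested: Iterable[str], schema: Iterable[str]) -> List[str]:
    """Requested names missing from the schema. LDAP attribute names are case-insensitive."""
    known = {name.lower() for name in schema}
    return [a for a in requested if a.lower() not in known]


def validate(command: str, domain: str, attrs: str) -> Optional[str]:
    """Return an add-on style error message, or None when the attrs list passes.

    ldapsearch validates against the schema of `domain`; ldapfilter always
    validates against the schema of the default domain, whatever `domain` says.
    """
    requested = parse_attrs(attrs)
    if "*" in requested:
        # Per the answer, '*' is only supported by ldapsearch.
        return None if command == "ldapsearch" else "attrs='*' is not supported by ldapfilter"
    schema_domain = domain if command == "ldapsearch" else DEFAULT_DOMAIN
    bad = invalid_attrs(requested, SCHEMAS[schema_domain])
    if bad:
        return "Invalid attribute types in attrs list: " + ",".join(bad)
    return None


def domains_accepting(attrs: str) -> List[str]:
    """Configured domains whose schema contains every requested attribute.

    Triage aid: if only a non-default domain appears here, ldapfilter will keep
    rejecting the list until that domain is the default (or ldapsearch is used).
    """
    requested = parse_attrs(attrs)
    return [d for d, schema in SCHEMAS.items() if not invalid_attrs(requested, schema)]


def schema_from_server(host: str, user: str, password: str) -> FrozenSet[str]:
    """Pull real attribute type names from a server with ldap3 (assumed API; not run offline)."""
    from ldap3 import ALL, Connection, Server  # assumption: ldap3 is installed
    server = Server(host, get_info=ALL)
    with Connection(server, user=user, password=password, auto_bind=True):
        return frozenset(server.schema.attribute_types.keys())


if __name__ == "__main__":
    # Reproduces the thread: one attrs list, different verdicts per command.
    attrs = "objectClass,cn,mail,title,o,sn,givenName,weillCornellEduEndDate"
    print("ldapsearch:", validate("ldapsearch", "ED-people", attrs))
    print("ldapfilter:", validate("ldapfilter", "ED-people", attrs))
    print("domains accepting the list:", domains_accepting(attrs))
```

Run against real schemas by replacing the SCHEMAS entries with the output of schema_from_server for each configured domain; domains_accepting then tells you which stanza must be the default before ldapfilter will accept a given attrs list.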