Splunk Enterprise Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

LDAP Search= Command

keldridg2
New Member
‎07-25-2019 10:23 AM

How do you use the search= command with lpdasearch or lpdafilter? I seen examples where they are using search="(objectClass=user)" as to me I see that they are associating a field name to a group name of objectClass. If you can tell me if I am correct or not as I cannot understand how can a person can identify which group name goes to which specific field names.

With the search command in either ldapfilter and ldapsearch can somebody tell me search="(&(objectClass=group)(cn=tt_users))" what does the & mean with the objectClass and the other is the ! with the objectClass search="(&(objectclass=user)(!(objectClass=computer)))"? Can somebody explain the difference with using objectClass, cn and sn as I have no idea what is the difference between them and what they are used for?

With lpdafilter in the search command I see two $ symbols search="(objectSid=$Sid$)" does it mean that it is used to specified what field is being used but how does it know to call the command objectSid.

I looked at the documentation for both ldapfilter and ldapsearch but still did not make sense to me and the document that said RFC 2254 for the search command said it was created back in 1997 but still did not make sense to me.

0 Karma
Reply

DavidHourani
Super Champion
‎04-27-2020 11:07 PM

Hi @keldridg2,

Here are the subquestions I got from you along with their answers, let me know if I missed anything :

  • ....what does the & mean...

    AND Operation: (& (...K1...) (...K2...)) or with more than two criteria: (& (...K1...) (...K2...) (...K3...) (...K4...))

  • ...the other is the ! ...

    Negation: (!(attribute=abc)) , e.g. (!objectClass=group)

  • ...In the search command I see two $ symbols...

The two $ symbols are not related to ldapsearch directly they are splunk tokens. The value of the token are set somewhere on your dashboard before being used in your search.

You can find almost all the options for the ldapsearch command here :
http://www.ldapexplorer.com/en/manual/109010000-ldap-filter-syntax.htm
More info about tokens here :
https://docs.splunk.com/Documentation/Splunk/8.0.3/Viz/tokens
Usage examples to create assets and identities:
https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.1/User/Theldapsearchcommand#Examples

Let me know if this helps.

Cheers,
David

0 Karma
Reply
Related Topics
LDAP Search= command
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...