Splunk Search

ldapfilter does not return all attributes

paulalbert
Engager

I'm trying to use Splunk to return a list of records that have been modified in our LDAP since a particular datetime.

There are certain attributes that I know exist in LDAP (e.g., weillCornellEduEndDate), and I can retrieve when using ldapsearch but that don't appear when I use ldapfilter (which I have to use; see previous sentence).

This works:

* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="objectClass,cn,mail,title,o,sn,givenName"
| table *

[Screenshot: Screen Shot 2020-09-15 at 5.34.39 PM.png]

This does NOT work:

* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="objectClass,cn,mail,title,o,sn,givenName,weillCornellEduEndDate"
| table *

[Screenshot: Screen Shot 2020-09-15 at 5.35.02 PM.png]

Nor does this...

* | head 1 | eval x = "z" | table x
| eval timestamp = "20200914213812Z"
| ldapfilter domain=ED-people search="(&(objectClass=top)(|(modifyTimestamp>=$timestamp$)(createTimestamp>=$timestamp$)))" attrs="*"
| table *

[Screenshot: Screen Shot 2020-09-15 at 5.35.25 PM.png]

I'm using Splunk 7.2.9.1 and SA-LDAPSearch.

Here's the error code in the logs.

09-15-2020 17:46:29.177 ERROR script - sid:1600206382.183889 External search command 'ldapfilter' returned error code 1. Script output = "error_message=Invalid attribute types in attrs list: weillCornellEduEndDate\r\n\r\n".


bjoshi
Splunk Employee

I went through the issue and the add-on design; here is the analysis of the attribute validation flow.

Below is the workflow of the ldapsearch command:

The command fetches the valid available attributes from the schema of the specified domain (value of domain option). Then it validates the provided attribute list (value of attrs option) with the list fetched from the server schema.

Below is the workflow of the ldapfilter command:

The command fetches the valid available attributes from the schema of the server which is configured as default domain. Then it validates the provided attribute list (value of attrs option) with the list fetched from the server schema.

So, there is a difference in the attribute validation of the two commands: ldapfilter always uses the schema of the default domain for the attribute validation, while ldapsearch uses the schema of the server which is provided as the domain option.
This behavior is by design.

The behavior I mentioned is also mentioned in the Addon Doc with the workaround: doc link

Using attrs='*' is not supported in ldapfilter. It will only work for ldapsearch.

Thanks,

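A small model of the two validation paths described in this answer, added here as an example (it is not code from SA-LDAPSearch). The schema contents, the domain name "default" standing in for the configured default domain, and the exact error text for attrs="*" under ldapfilter are assumptions; the "Invalid attribute types in attrs list" message is the one from the question's log line. It also gives a pre-check that lists which requested attributes a given ldapfilter call would reject.

```python
# Model of the attribute validation the answer describes:
#   ldapsearch validates attrs against the schema of the domain given in domain=...
#   ldapfilter validates attrs against the schema of the configured default domain.
# Schemas and domain names below are constructed for illustration, not read from a directory.
from typing import Dict, List, Set

# Constructed schemas: attribute types each domain's server advertises.
SCHEMAS: Dict[str, Set[str]] = {
    "default": {"objectClass", "cn", "mail", "title", "o", "sn", "givenName",
                "modifyTimestamp", "createTimestamp"},
    "ED-people": {"objectClass", "cn", "mail", "title", "o", "sn", "givenName",
                  "modifyTimestamp", "createTimestamp", "weillCornellEduEndDate"},
}
DEFAULT_DOMAIN = "default"  # assumption: stands in for the add-on's default domain


def parse_attrs(attrs: str) -> List[str]:
    """Split the comma-separated attrs option, dropping blank entries."""
    return [a.strip() for a in attrs.split(",") if a.strip()]


def invalid_attrs(attrs: str, schema_domain: str) -> List[str]:
    """Requested attributes absent from schema_domain's schema.

    LDAP attribute type names are case-insensitive, so compare lower-cased.
    """
    known = {a.lower() for a in SCHEMAS[schema_domain]}
    return [a for a in parse_attrs(attrs) if a.lower() not in known]


def validate(command: str, domain: str, attrs: str) -> str:
    """Mimic the add-on's outcome: 'ok' or an error string.

    command is 'ldapsearch' or 'ldapfilter'; domain is the domain= option.
    """
    if attrs.strip() == "*":
        # Assumption: wording of this error; the answer only states '*' is unsupported.
        return "error: attrs='*' is not supported by ldapfilter" if command == "ldapfilter" else "ok"
    # The schema consulted is the only difference between the two commands.
    schema_domain = domain if command == "ldapsearch" else DEFAULT_DOMAIN
    bad = invalid_attrs(attrs, schema_domain)
    if bad:
        return "error_message=Invalid attribute types in attrs list: " + ",".join(bad)
    return "ok"
```

Run `validate("ldapfilter", "ED-people", "cn,weillCornellEduEndDate")` to reproduce the logged error, and `invalid_attrs(attrs, DEFAULT_DOMAIN)` as a pre-check before adding custom attributes to an ldapfilter call.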