The ldapsearch command opens a connection to an LDAP server. It then performs a search using the specified options and generates one event per result entry. The ldapsearch command must appear at the beginning of a search pipeline.
Example: get the distinguishedName and objectCategory attributes for all user objects (excluding computer accounts) in the default domain.
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))" attrs="distinguishedName,objectCategory"
search=<search-filter>
An LDAP search filter. The filter must conform to the string representation for search filters as defined in RFC 2254.
attrs=<attribute-names>
A comma-separated list of attribute names. If you specify '*' or do not specify any attributes, the command returns all user attributes. If you specify '+', it returns all operational attributes.
domain=<domain-specifier>
Specifies the name of a configuration stanza in ldap.conf. If you do not specify a domain, the command uses the default stanza.
basedn=<search-base>
Specifies a search base as the starting point instead of the default as set in the ldap configuration stanza identified by domain.
scope=base|one|sub
Specifies the scope of the search to be one of base, one, or sub. The default is sub.
limit=<size-limit>
Specifies the maximum number of entries that the command should retrieve. A value of 0 (zero) means there is no limit. A server can impose a maximum size limit. The default is zero.
debug=<bool>
If set to true, debug logging is in effect. This is shorthand for logging_level=DEBUG.
decode=<bool>
If set to true, Active Directory formatting rules are applied to attributes. The default is the value of decode as specified in the configuration stanza for domain.
logging_level=critical|error|warning|info|debug
Specifies the logging level for the $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log file. Splunk can access this file with the "index=_internal sourcetype=SA-ldapsearch" search and exposes the following fields:
| Field | Description |
| --- | --- |
| File | Full pathname of the source file where the logging call was made. |
| Level | Level of the logging call that was made; one of CRITICAL, ERROR, WARNING, INFO, or DEBUG. |
| Line | Line number in the source file where the logging call was made. |
| Pid | ID of the process that made the logging call. |
| log_source | String of the form "Pid=<Pid>, File=<File>, Line=<Line>". |
| message | Full text of the logged message. |
The command returns each event as the JavaScript Object Notation (JSON) representation of the record. It also returns a number of attributes as field values. When the command returns attributes as values, it decodes those values on the fly and presents globally unique IDs (GUIDs), security IDs (SIDs), and security descriptors in human-readable form.
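To make the effect of decode=true concrete, the following is an added Python example (not SA-ldapsearch's own code) that turns the raw Active Directory values into the readable forms the command emits: a binary objectSid into S-1-5-21-... notation, a binary objectGUID into Microsoft's mixed-endian GUID string, and a userAccountControl bitmask into flag names such as NORMAL_ACCOUNT. The sample bytes are constructed, and the flag names follow Microsoft's ADS_USER_FLAG constants; that SA-ldapsearch renders them identically is an assumption.

```python
import struct
import uuid

# Subset of Microsoft's ADS_USER_FLAG bits for userAccountControl.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}


def decode_sid(raw: bytes) -> str:
    """Render a binary objectSid as S-<revision>-<authority>-<sub>...

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count x 32-bit little-endian
    sub-authorities. Length is validated before unpacking.
    """
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, raw, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def decode_guid(raw: bytes) -> str:
    """Render a binary objectGUID the way AD tools print it (first three
    fields little-endian, remaining bytes in order)."""
    if len(raw) != 16:
        raise ValueError("GUID must be 16 bytes")
    return str(uuid.UUID(bytes_le=raw))


def decode_uac(value: int) -> list:
    """Expand a userAccountControl integer into its set flag names."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


# Constructed sample values (not taken from any real directory).
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack(
    "<5I", 21, 3623811015, 3361044348, 30300820, 500)
SAMPLE_GUID = bytes(range(1, 17))
SAMPLE_UAC = 0x10202  # ACCOUNTDISABLE | NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD

if __name__ == "__main__":
    print(decode_sid(SAMPLE_SID), decode_guid(SAMPLE_GUID), decode_uac(SAMPLE_UAC))
```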
To get a table suitable for pushing into the identities.csv file for Enterprise Security:
| ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"
| search userAccountControl="NORMAL_ACCOUNT"
| eval suffix=""
| eval priority="medium"
| eval category="normal"
| eval watchlist="false"
| eval endDate=""
| table sAMAccountName, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber,
mobile, manager, priority, department, category, watchlist, whenCreated, endDate
| rename sAMAccountName as identity, personalTitle as prefix, displayName as nick,
givenName as first, sn as last, mail as email, telephoneNumber as phone,
mobile as phone2, manager as managedBy, department as bunit, whenCreated as startDate
If you have multiple domains, join multiple 'ldapsearch' commands with the 'append' command. For instance:
| ldapsearch domain=SPL search="(&(objectClass=user)(!(objectClass=computer)))"
| search userAccountControl="NORMAL_ACCOUNT"
| eval suffix=""
| eval priority="medium"
| eval category="normal"
| eval watchlist="false"
| eval endDate=""
| eval identity = "SPL\\" + sAMAccountName
| table identity, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber,
mobile, manager, priority, department, category, watchlist, whenCreated, endDate
| rename personalTitle as prefix, displayName as nick, givenName as first, sn as last,
mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy,
department as bunit, whenCreated as startDate
| append [
ldapsearch domain=ENG search="(&(objectClass=user)(!(objectClass=computer)))"
| search userAccountControl="NORMAL_ACCOUNT"
| eval suffix=""
| eval priority="medium"
| eval category="normal"
| eval watchlist="false"
| eval endDate=""
| eval identity = "ENG\\" + sAMAccountName
| table identity, personalTitle, displayName, givenName, sn, suffix, mail, telephoneNumber,
mobile, manager, priority, department, category, watchlist, whenCreated, endDate
| rename personalTitle as prefix, displayName as nick, givenName as first, sn as last,
mail as email, telephoneNumber as phone, mobile as phone2, manager as managedBy,
department as bunit, whenCreated as startDate]