The ldapfetch command

The ldapfetch command filters and augments events with information from Active Directory. It reads the Distinguished Name to look up from each incoming event, so it must follow a search, ldapsearch or similar command in the search pipeline that supplies those events. A sample usage follows (mvexpand gives each memberOf value its own event, so that each event carries a single DN for ldapfetch to resolve):

| ldapsearch search="(objectClass=group)" attrs="memberOf"
  | mvexpand memberOf
  | ldapfetch dn=memberOf attrs="cn,description"

On return, ldapfetch adds the LDAP attributes named by the attrs argument to each event, fetched from the LDAP entry whose Distinguished Name is held in the field named by the dn argument.

Options

dn=<field-name>

Specifies the name of the field that holds the Distinguished Name (DN) to fetch. If you do not specify the dn option, then the command uses the distinguishedName field name.

attrs=<attribute-names>

A comma-separated list of attribute names. If you specify '*' or do not specify any attributes, the command returns all user attributes. If you specify '+', it returns all operational attributes.

domain=<domain-specifier>

Specifies the name of a configuration stanza in ldap.conf. If you do not specify a domain, the command uses the default stanza.

debug=<bool>

If set to true, debug logging is in effect. This is a short-hand for logging_level=DEBUG. Debug logging is verbose; enable it only while troubleshooting.

decode=<bool>

If set to true, Active Directory formatting rules are applied to attributes. The default is the value of decode as specified in the configuration stanza for domain.

logging_level=CRITICAL|ERROR|WARNING|INFO|DEBUG

Specifies the logging level for the $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log file. Splunk can read this file with the search "index=_internal sourcetype=SA-ldapsearch", which exposes the following fields:

File        Full pathname of the source file where the logging call was made.
Level       Level of the logging call that was made; one of critical, error, warning, info, or debug.
Line        Line number in the source file where the logging call was made.
Pid         ID of the process that made the logging call.
log_source  String of the form "Pid=<Pid>, File=<File>, Line=<Line>".
message     Full text of the logged message.

Examples

To list all organizational units, together with any Group Policy Objects (GPOs) linked to them. The gPLink attribute holds one "[LDAP://<GPO DN>;<link options>]" entry per linked GPO, so the rex command extracts each GPO DN into a multivalued gpo field (at most 10 per OU because of max_match=10) that ldapfetch then resolves to a display name:

| ldapsearch search="(objectClass=organizationalUnit)" attrs="ou,description,gPLink,gPOptions"
  | sort ou
  | rex field=gPLink max_match=10 "\[LDAP://(?<gpo>[^;]+);\d+\]"
  | makemv allowempty=true tokenizer="([^\n]+)" gpo
  | ldapfetch dn=gpo attrs=displayName
  | table ou,description,displayName
  | rename ou as "Name", displayName as "Linked GPO"
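The rex in the example above extracts only the GPO DN and discards the link-options number that follows the semicolon. The parser below, added here as a stand-alone example rather than code from the SA-ldapsearch app, decodes the same gPLink format in Python and also interprets the link options (bit 1 = link disabled, bit 2 = enforced), which matters when reviewing which policies actually apply to an OU. The sample gPLink value is constructed; the first two GUIDs are the well-known Default Domain Policy and Default Domain Controllers Policy identifiers, the third is made up for this example, and the domain DC=example,DC=com is assumed.

```python
import re
from typing import List, NamedTuple

# gPLink format as stored on an OU, site or domain object (one entry per
# linked GPO, earlier entries take precedence):
#   [LDAP://<GPO DN>;<link options>][LDAP://<GPO DN>;<link options>]...
# This is the same pattern the SPL rex command targets.
GPLINK_RE = re.compile(r"\[LDAP://(?P<dn>[^;]+);(?P<opts>\d+)\]", re.IGNORECASE)

# Link-option bits carried in the number after the semicolon.
LINK_DISABLED = 0x1   # link exists but is switched off
LINK_ENFORCED = 0x2   # "Enforced" (no override by child containers)


class GpoLink(NamedTuple):
    dn: str
    options: int

    @property
    def disabled(self) -> bool:
        return bool(self.options & LINK_DISABLED)

    @property
    def enforced(self) -> bool:
        return bool(self.options & LINK_ENFORCED)


def parse_gplink(value: str) -> List[GpoLink]:
    """Parse a gPLink attribute value into its linked GPOs, in link order.

    Unlike the SPL rex with max_match=10, there is no cap on the number of
    links. Anything in the value that is not a well-formed link entry is
    treated as corruption and rejected rather than silently dropped.
    """
    if not value:
        return []  # attribute absent or empty: no GPOs linked
    links = [GpoLink(m.group("dn"), int(m.group("opts")))
             for m in GPLINK_RE.finditer(value)]
    leftover = GPLINK_RE.sub("", value).strip()
    if leftover:
        raise ValueError(f"unparsed gPLink content: {leftover!r}")
    return links


def active_gpo_dns(value: str) -> List[str]:
    """Return the DNs of linked GPOs that are not disabled, in link order."""
    return [link.dn for link in parse_gplink(value) if not link.disabled]


# Constructed sample value for DC=example,DC=com (assumed domain). The first
# two GUIDs are the well-known default GPOs; the third GUID is invented.
SAMPLE_GPLINK = (
    "[LDAP://cn={31B2F340-016D-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=example,DC=com;0]"
    "[LDAP://cn={6AC1786C-016F-11D2-945F-00C04FB984F9},cn=policies,cn=system,DC=example,DC=com;2]"
    "[LDAP://cn={11111111-2222-3333-4444-555555555555},cn=policies,cn=system,DC=example,DC=com;1]"
)

if __name__ == "__main__":
    for link in parse_gplink(SAMPLE_GPLINK):
        state = "disabled" if link.disabled else ("enforced" if link.enforced else "normal")
        print(f"{state:8} {link.dn}")
    print("active:", len(active_gpo_dns(SAMPLE_GPLINK)))
```

The DNs returned by parse_gplink are exactly what the SPL example feeds to ldapfetch via dn=gpo; filtering with active_gpo_dns first avoids resolving (and reporting) GPOs whose links are disabled.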