The ldapgroup command filters and augments events with information from Active Directory. It follows a search or similar command in the search pipeline. A sample usage follows:
| ldapsearch search="(objectClass=group)" attrs=distinguishedName | ldapgroup
On return, it adds the following additional fields to each event:
| Field | Description |
|---|---|
| member_dn | List of member Distinguished Names (DNs). |
| member_domain | NetBIOS domains for the member DNs. |
| member_name | The sAMAccountName for the member DNs. |
| member_type | The type of membership (one of PRIMARY, DIRECT or NESTED, with the group DN). |
| mv_combo | All of the above, combined into a single field with the values separated by '###'. |
| errors | Any circular references that were found. |
groupdn=<field-name>
Specifies the name of the field that holds the Distinguished Name (DN) of the group to expand. If you do not specify the groupdn option, then the command uses the distinguishedName field name.
domain=<domain-specifier>
Specifies the name of a configuration stanza in ldap.conf. If you do not specify a domain, the command uses the default stanza.
debug=<bool>
If set to true, debug logging is in effect. This is shorthand for logging_level=DEBUG.
decode=<bool>
If set to true, Active Directory formatting rules are applied to attributes. The default is the decode value set in the configuration stanza for the selected domain.
logging_level=critical|error|warning|info|debug
Specifies the logging level for the $SPLUNK_HOME/var/log/splunk/SA-ldapsearch.log file. You can search this file in Splunk with "index=_internal sourcetype=SA-ldapsearch"; its events expose the following fields:
| Field | Description |
|---|---|
| File | Full pathname of the source file where the logging call was made. |
| Level | Level of the logging call that was made; one of critical, error, warning, info, or debug. |
| Line | Line number in the source file where the logging call was made. |
| Pid | ID of the process that made the logging call. |
| log_source | String of the form "Pid=<Pid>, File=<File>, Line=<Line>". |
| message | Full text of the logged message. |
To display a table of all groups with their members and membership type:
| ldapsearch search="(objectClass=group)" attrs="cn,distinguishedName" | table cn,distinguishedName | ldapgroup | table cn,member_dn,member_type
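As a further added example (not part of the app's documentation), the search below audits which accounts reach AD protected groups (adminCount=1) only through nested membership, and surfaces any circular references the command reports in errors. Because member_dn, member_domain, member_name and member_type are separate multivalue fields, it expands mv_combo instead so each member's values stay aligned; the component order inside mv_combo (member_dn, member_domain, member_name, member_type, following the field table above) and the adminCount filter are assumptions.

```spl
| ldapsearch search="(&(objectClass=group)(adminCount=1))" attrs="cn,distinguishedName"
| ldapgroup groupdn=distinguishedName
| mvexpand mv_combo
| rex field=mv_combo "^(?<m_dn>.*?)###(?<m_domain>.*?)###(?<m_name>.*?)###(?<m_type>.*)$"
| eval nested=if(like(m_type, "NESTED%"), "yes", "no")
| where nested="yes" OR isnotnull(errors)
| table cn, m_domain, m_name, m_type, errors
| sort cn, m_name
```

Drop the where clause to list every PRIMARY and DIRECT member as well; the errors column is empty for groups with no circular references.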