[ldapsearch-command]
syntax = ldapsearch \
    search=<string> \
    (domain=<string>)? \
    (attrs=<string>)? \
    (basedn=<string>)? \
    (scope=base|one|sub)? \
    (decode=<bool>)? \
    (limit=<int>)? \
    (debug=<bool>|logging_level=critical|error|warning|info|debug)?
shortdesc = Opens a connection to an ldap server, binds, and performs a search using specified options.
description =  This command opens a connection to an ldap server. It then performs a search using the specified \
    options and generates one event per result entry. The ldapsearch command must appear at the beginning of a search \
    pipeline.
comment1 = Get all attributes of all users in the default domain.
example1 = | ldapsearch search="(&(objectClass=user)(!(objectClass=computer)))"
comment2 = Get the common name (cn) and telephone number (telephoneNumber) for the Administrator (samAccountName) of the \
    default domain.
example2 = | ldapsearch search="(samAccountName=Administrator)" attrs="cn,telephoneNumber"
usage = public
appears-in = SA-ldapsearch 1.0
tags = SA-ldapsearch ldap ldapsearch
maintainer = microsoft@splunk.com
category = generating
related = ldapfetch, ldapfilter, ldapgroup, ldaptestconnection

[ldapfetch-command]
syntax = ldapfetch \
    (dn=<field>)? \
    (domain=<string>)? \
    (attrs=<string>)? \
    (decode=<bool>)? \
    (debug=<bool>|logging_level="critical"|"error"|"warning"|"info"|"debug")?
shortdesc = Augments each input event record with information for a directory object.
description = This command augments each input record with information from a directory object. The directory object \
    is identified by a specified distinguished name field.
comment1 = Get the description of any group that is a member of another group.
example1 = | ldapsearch search="(objectClass=group)" attrs="memberOf" | ldapfetch dn=memberOf attrs="cn,description"
usage = public
appears-in = SA-ldapsearch 1.0
tags = SA-ldapsearch ldap ldapfetch
maintainer = microsoft@splunk.com
category = reporting
related = ldapsearch, ldapfilter, ldapgroup, ldaptestconnection

[ldapfilter-command]
syntax = ldapfilter \
    search=<string> \
    (domain=<string>)? \
    (attrs=<string>)? \
    (basedn=<string>)? \
    (scope=base|one|sub)? \
    (decode=<bool>)? \
    (limit=<int>)? \
    (debug=<bool>|logging_level=critical|error|warning|info|debug)?
shortdesc = Joins each input event record with the results of an ldap search.
description = This command executes one ldap search per input event record, generating one output event record for \
    for each result returned. Each output event record is joined with the corresponding input event record.
comment1 = Add the telephoneNumber for all failed logons (where the logon ID is in the field cn and the domain is in the \
    field src_nt_domain).
example1 = eventtype=failed-logons | stats count by cn,src_nt_domain | ldapfilter domain=$src_nt_domain$ \
    search="(cn=$cn$)" attrs="telephoneNumber" | table count,cn,src_nt_domain,telephoneNumber
usage = public
appears-in = SA-ldapsearch 1.0
tags = SA-ldapsearch ldap ldapsearch
maintainer = microsoft@splunk.com
category = reporting
related = ldapsearch, ldapfetch, ldapgroup, ldaptestconnection

[ldapgroup-command]
syntax = ldapgroup \
    (groupdn=<field>)? \
    (domain=<string>)? \
    (decode=<bool>)? \
    (debug=<bool>|logging_level=critical|error|warning|info|debug)?
shortdesc = Augments input event records with fields containing group membership information.
description = This command adds group membership information to each input event record. The group is identified by \
    a specified distinguished name field.
comment1 = Expand all groups in the domain splunk.com and display the group name and members.
example1 = | ldapsearch domain=splunk.com search="(objectClass=group)" attrs="cn,distinguishedName" | ldapgroup | \
    table cn, member_dn, member_type
usage = public
appears-in = SA-ldapsearch 1.0
tags = SA-ldapsearch ldap ldapgroup
maintainer = microsoft@splunk.com
category = reporting
related = ldapsearch, ldapfetch, ldapfilter, ldaptestconnection

[ldaptestconnection-command]
syntax = | ldaptestconnection (domain=<string>)? (debug=<bool>|logging_level=critical|error|warning|info|debug)?
shortdesc = Tests the connection to the directory service for a domain.
description = This command tests the connection to each of the hosts servicing the ldap directory identified by domain.\
    It must be placed at the beginning of a search pipeline.
example1 = | ldaptestconnection domain="splunk.com"
usage = public
appears-in = SA-ldapsearch 2.0.1
tags = SA-ldapsearch ldap ldaptestconnection
maintainer = microsoft@splunk.com
category = generating
related = ldapsearch, ldapfetch, ldapfilter, ldapgroup