
Splunk Support for Active Directory: How to search multiple basedns with ldapsearch?

lbogle
Contributor

Hello Splunkers,

I am working to build an LDAP search to list out all machines within a basedn. The problem is that the machines are spread out within multiple basedn=paths and not necessarily in a hierarchical order. I am finding that I need to specify exact statements to locate the systems.
I am able to query successfully within one DN but I am not yet able to specify multiple paths to look in for hostnames.

| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W8_ET_UnblockAllowed,OU=Winx,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" | table cn 

The search above returns results, but when I try and add another basedn, the search just stalls out.

| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W8_et_UnblockAllowed,OU=Win8,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" AND basedn="OU=W7_te_UnblockAllowed,OU=Win7,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" | table cn

What am I missing?
Thanks,
Lindsay


acharlieh
Influencer

Since ldapsearch by default does a subtree search, you could just use basedn="OU=Workstations,OU=Machines,DC=global,DC=company,DC=com", since that would cover both of the subtrees.

Also, just dealing with LDAP, your search can be simplified slightly to (&(objectClass=user)(objectClass=computer))

If you're wanting two subtrees but not others, you might be able to have a search filter that does some matching against the dn; offhand I think that'd look something like (&(objectClass=user)(objectClass=computer)(dn=*,OU=*_UnblockAllowed,*)) but I'd want to try it out in an LDAP GUI like Apache Directory Studio - EDIT: apparently wildcards in filters against DNs do not work, at least with Active Directory: https://msdn.microsoft.com/en-us/library/ms684431(v=vs.85).aspx

Putting it all together, would this work?

| ldapsearch search="(&(objectClass=user)(objectClass=computer))" attrs="cn,objectCategory" basedn="OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" | table cn 
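To make the three points in the reply above concrete, here is an added example that is not from this thread or from the Splunk Support for Active Directory app: a small Python model of how an LDAP server scopes a search and evaluates a filter, run over a constructed set of directory entries (hypothetical hostnames under the Win8 and Win7 OUs named in the question, plus a server and a plain user account as negatives). It shows that one subtree search at OU=Workstations,OU=Machines,DC=global,DC=company,DC=com reaches both OUs while a onelevel search at the same base returns nothing, that the nested filter from the question and the flattened one select exactly the same entries, and, because Active Directory does not honor a wildcard against a DN-syntax attribute, how to keep only the *_UnblockAllowed OUs by inspecting each returned DN client side. The DN handling assumes no escaped commas in DN values, and the filter evaluator covers only the subset of RFC 4515 used here.

```python
import re

# Constructed sample directory (hypothetical hostnames, not real data).
WORKSTATIONS = "OU=Workstations,OU=Machines,DC=global,DC=company,DC=com"
COMPUTER = ["top", "person", "organizationalPerson", "user", "computer"]
USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {
    f"CN=WS8-001,OU=W8_et_UnblockAllowed,OU=Win8,{WORKSTATIONS}": {"objectClass": COMPUTER, "cn": ["WS8-001"]},
    f"CN=WS8-002,OU=W8_et_Blocked,OU=Win8,{WORKSTATIONS}": {"objectClass": COMPUTER, "cn": ["WS8-002"]},
    f"CN=WS7-001,OU=W7_te_UnblockAllowed,OU=Win7,{WORKSTATIONS}": {"objectClass": COMPUTER, "cn": ["WS7-001"]},
    f"CN=WS7-002,OU=W7_te_Blocked,OU=Win7,{WORKSTATIONS}": {"objectClass": COMPUTER, "cn": ["WS7-002"]},
    "CN=SRV-001,OU=Servers,OU=Machines,DC=global,DC=company,DC=com": {"objectClass": COMPUTER, "cn": ["SRV-001"]},
    "CN=jdoe,OU=People,DC=global,DC=company,DC=com": {"objectClass": USER, "cn": ["jdoe"]},
}

def rdns(dn):
    """Split a DN into lower-cased RDNs (simplification: assumes no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(dn, basedn, scope):
    """LDAP search scope semantics: base (the entry itself), onelevel, subtree."""
    entry, base = rdns(dn), rdns(basedn)
    if scope == "base":
        return entry == base
    if scope == "onelevel":
        return entry[1:] == base
    if scope == "subtree":
        return len(entry) >= len(base) and entry[len(entry) - len(base):] == base
    raise ValueError(f"unknown scope {scope!r}")

def parse_filter(text):
    """Parse an RFC 4515 filter: &, |, ! plus equality/presence/substring items."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        close = text.index(")", pos)
        attr, _, value = text[pos:close].partition("=")
        pos = close + 1
        return ("=", attr.strip().lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def matches(tree, attrs):
    """Evaluate a parsed filter against one entry; names and values compare case-insensitively."""
    op = tree[0]
    if op == "&":
        return all(matches(c, attrs) for c in tree[1])
    if op == "|":
        return any(matches(c, attrs) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, value = tree
    values = [v.lower() for v in attrs.get(attr, [])]
    if value == "*":                                  # presence
        return bool(values)
    if "*" in value:                                  # substring, e.g. WS8*
        pattern = ".*".join(re.escape(p) for p in value.lower().split("*"))
        return any(re.fullmatch(pattern, v) for v in values)
    return value.lower() in values                    # equality

def ldap_search(basedn, filter_text, scope="subtree", entries=ENTRIES):
    """Return the sorted DNs under basedn (per scope) that satisfy the filter."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, attrs in entries.items()
                  if in_scope(dn, basedn, scope)
                  and matches(tree, {k.lower(): v for k, v in attrs.items()}))

def only_ous_matching(dns, ou_regex):
    """Client-side DN filter (AD ignores wildcards on DN-syntax attributes): keep DNs with an OU RDN matching ou_regex."""
    pat = re.compile(ou_regex, re.IGNORECASE)
    return [dn for dn in dns
            if any(r.startswith("ou=") and pat.fullmatch(r[3:]) for r in rdns(dn))]

if __name__ == "__main__":
    flat = "(&(objectClass=user)(objectClass=computer))"
    hits = ldap_search(WORKSTATIONS, flat)          # one subtree search covers Win8 and Win7
    for dn in only_ous_matching(hits, r".*_UnblockAllowed"):
        print(dn)
```

The client-side step is what restricts a single subtree search to just the two OUs in the question; in SPL the equivalent is to request distinguishedName in attrs and follow ldapsearch with the regex command on that field before table cn, rather than putting a wildcard DN term into the LDAP filter.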

bmacias84
Champion

I am not too familiar with the ldapsearch command, but you could try running a subsearch or the multisearch command

| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W8_et_UnblockAllowed,OU=Win8,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com" | append [| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W7_te_UnblockAllowed,OU=Win7,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com"] | table cn

OR

| multisearch [| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W8_et_UnblockAllowed,OU=Win8,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com"] [| ldapsearch search="(&(objectClass=user)(&(objectClass=computer)))" attrs="cn,objectCategory" basedn="OU=W7_te_UnblockAllowed,OU=Win7,OU=Workstations,OU=Machines,DC=global,DC=company,DC=com"] | table cn

Those should work. The difference between these two searches is that multisearch runs the searches simultaneously, while the first uses a subsearch, which runs serially.

Hope this helps. Don't forget to accept an answer to help others with similar questions.
