LDAP lookup shell script inside python wrapper not executing in Splunk search

alexantao
Path Finder

I have a proxy that logs to my Splunk and sends it a piece of information (userid). With that information I need to search my LDAP server for another piece of information (User Name) and create a new field.

The Splunk configuration is done; I created a lookup script to populate Splunk's tables. First, I made a simple Python script that didn't search my LDAP server, just returned a sample string, and it worked.

My problem started when I decided to include the LDAP search part.

After implementing the Python script, I realized that Splunk's Python does not have the LDAP module installed. So I searched and found that it would be very difficult to install that module in Splunk's Python.

So, trying to solve my immediate problem, I wrote another script in shell that uses the ldapsearch command to get the information from my LDAP server and made a wrapper in Python so that Splunk could call this shell script via the commands.getoutput() function.
When I execute the command on the command line, I get no problem (see below), but inside a search in Splunk I get "No such file or directory" in what should be the User Names in the table.
Splunk is not finding the shell script inside the Python wrapper.

I would prefer to do everything in Python, but if I manage to make the shell wrapper work, it solves my problem while I try to make the other way work.

My script's call function:

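import commands  # Python 2 module
import logging

logger = logging.getLogger(__name__)

def search_ldap(client, user):
    # NOTE: client and user are concatenated into a shell command line unescaped
    path = '/opt/splunk/etc/apps/my_app/bin/'
    logger.info("Path: %r", path)
    cmd = 'nome_' + client.lower() + '.sh '
    nome_ldap = commands.getoutput(path + cmd + user)
    return nome_ldap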

Running from command line:

    # cat /tmp/ldap.csv | /opt/splunk/bin/splunk cmd python /opt/splunk/etc/apps/my_app/bin/nome_shell_wrapper.py parameter1
    user_id,nome_usuario
    thomas,Thomas Ribeiro

Error message on splunk's table:

sh: /opt/splunk/etc/apps/my_app/bin/nome_parameter1.sh: No such file or directory

Thanks !

0 Karma

grijhwani
Motivator

Forgive asking the obvious, but you definitely have a script at /opt/splunk/etc/apps/my_app/bin/nome_parameter1.sh which is readable and executable by the splunk user or splunk group?

What is the result of ls -ld /opt/splunk/etc/apps/my_app/bin/nome_parameter1.sh?

0 Karma

grijhwani
Motivator

How about replacing your script call with a simple "pwd; ls -ld *" to give yourself some idea of the batch environment? Splunk is clearly invoking a shell.

0 Karma

alexantao
Path Finder

In all scripts I put the full path to executables. My guess was that if Splunk makes some kind of chroot and / to it is not the root of the system...

Here is my full nome_parameter1.sh

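#!/bin/bash

# LDAP search filter built from the first argument (the user id)
STRING_PROCURA="uid=$1"
SERVIDOR="xxxxxxxxxxxx"
USER_ID="yyyyyyyyyyy"
BASE="zzzzzzzzz"

# Capture the cn value that ldapsearch returns for the matching entry
NOME=$(/usr/bin/ldapsearch -xh "$SERVIDOR" -D "uid=$USER_ID" -w pass -b "$BASE" "$STRING_PROCURA" cn | grep cn | grep -v requesting | awk -F": " '{print $2}')

echo "$NOME"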

and it shows the results I posted in the first message.

My bash and ldapsearch are in the right place.

0 Karma

grijhwani
Motivator

And what is the output when you execute it? Does it have any PATH dependencies? I'm wondering if the error message is misleading. Bear in mind that the login environment you have may be different from the batch environment that Splunk invokes.

When writing batch scripts I find it useful to expressly define the path to each executable binary I use, e.g.

PERL=/usr/bin/perl
${PERL} -e 'my perl script here'

0 Karma

alexantao
Path Finder

Yes, I have. As I posted, I can run it through the commandline and it runs with no problem.

# ls -dl /opt/splunk/etc/apps/my_app/bin/nome_parameter1.sh
-rwxr-xr-x 1 splunk root 339 Jul 17 15:26 /opt/splunk/etc/apps/my_app/bin/nome_parameter1.sh

0 Karma
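
Added example, not code from any poster in this thread: a Python 3 wrapper that launches the per-client script from an argument list instead of a shell command string, so the proxy-supplied userid is never parsed by sh and cannot carry LDAP filter metacharacters into the uid= filter, and that reports how the calling process sees the script when the launch fails. The two allow-list patterns and the helper names script_for and diagnose are assumptions of this example.

```python
import os
import re
import subprocess

BIN_DIR = "/opt/splunk/etc/apps/my_app/bin"   # path taken from the thread
CLIENT_RE = re.compile(r"[a-z0-9_]{1,32}")    # assumed naming rule for nome_<client>.sh
UID_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")  # assumed uid alphabet: no shell or LDAP filter metacharacters


def script_for(client, bin_dir=BIN_DIR):
    """Map a client name to its script path, refusing names that could leave bin_dir."""
    name = client.lower()
    if not CLIENT_RE.fullmatch(name):
        raise ValueError("bad client name: %r" % client)
    return os.path.join(bin_dir, "nome_" + name + ".sh")


def diagnose(path):
    """Describe how this process sees the script (the 'pwd; ls -ld' check, in Python)."""
    facts = ["path=%r" % path, "cwd=%r" % os.getcwd(), "euid=%d" % os.geteuid(),
             "exists=%s" % os.path.isfile(path), "executable=%s" % os.access(path, os.X_OK)]
    if os.path.isfile(path):
        with open(path, "rb") as fh:
            first = fh.readline().rstrip(b"\n")
        if first.startswith(b"#!"):
            # A shebang naming a missing interpreter (or ending in \r) also gives ENOENT.
            interp = first[2:].lstrip(b" ").split(b" ")[0]
            facts.append("interpreter=%r found=%s" % (interp, os.path.exists(interp)))
    return " ".join(facts)


def search_ldap(client, user, bin_dir=BIN_DIR):
    """Run nome_<client>.sh <user> without a shell and return the name it prints."""
    if not UID_RE.fullmatch(user):
        raise ValueError("bad user id: %r" % user)
    path = script_for(client, bin_dir)
    try:
        # Argument list, no shell: the uid travels as a single argv entry.
        proc = subprocess.run([path, user], stdout=subprocess.PIPE,
                              stderr=subprocess.PIPE, universal_newlines=True, timeout=10)
    except OSError as exc:
        raise RuntimeError("%s; %s" % (exc, diagnose(path)))
    return proc.stdout.strip()


if __name__ == "__main__":
    # Prints what the current process can see for the script named in the thread.
    print(diagnose(script_for("parameter1")))
```

Running the diagnostic from inside the Splunk-invoked lookup, rather than from a login shell, shows the environment the search actually uses.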