Splunk Support for Active Directory: Why does my search return results when specific sAMAccountName is given but not when removed?

ryandg
Communicator

I am trying to pull a list of all users yet when I run:

|ldapsearch domain=BLAH search="(objectClass=user)" attrs="sAMAccountName,givenName" 

it fails.

But if I run:

|ldapsearch domain=BLAH search="(&(objectClass=user)(sAMAccountName=user123))" attrs="sAMAccountName,givenName" 

It succeeds. Is there a timeout specification I need to add or something? The first query just says "no results" and says nothing about any errors.

Any ideas?

0 Karma

javiergn
SplunkTrust

Hi,

I can't explain why your first query doesn't work. It does work fine for me when I use exactly the same syntax.
What about the following alternative that filters out computers from the results and should provide you with the same functionality you are looking for?

| ldapsearch domain=BLAH search="(&(objectclass=user)(!(objectClass=computer)))" attrs="sAMAccountName,givenName"

Thanks,
J

0 Karma

ryandg
Communicator

This does the same thing as just objectClass unfortunately 😞

0 Karma

javiergn
SplunkTrust

What about limiting the number of accounts?

|ldapsearch domain=BLAH search="(objectClass=user)" limit=100 attrs="sAMAccountName,givenName" 

It might be timing out as you said

0 Karma

ryandg
Communicator

Yup -- that caused it to return results. However, now how do I change it so that it doesn't timeout on the larger query? Is the timeout something on the app side or is that on the domain controller side? It's strange because it used to run for ~hour without timing out and would return the tens of thousands of users I need it to but now it seems to just time out.

0 Karma

javiergn
SplunkTrust

See if the following helps: https://answers.splunk.com/answers/329748/how-do-i-improve-ldapsearch-performance.html

If your query takes 1 hour or more, I would try some alternatives anyway:

  • See if you can be more specific in your LDAP search filter. Maybe you can specify a base DN or filter out expired or disabled accounts, do not return object types you don't need such as computer or group, etc.
  • Connect to a different domain controller and see if that helps.
  • If you don't mind not having real-time LDAP reporting, I did use the following in the past and it works great:
    1. Schedule a scripted input that runs a PowerShell job every day (or whichever frequency you want) to export all your AD users and attributes into a CSV.
    2. Create a CSV lookup in Splunk that uses the Users.csv created above.
    3. Stop using ldapsearch and enjoy your newer and faster (but not real-time) lookup.
0 Karma
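One way to implement the export step of that scheduled approach, as an added example rather than code from the thread or the Splunk add-on. It assumes the ActiveDirectory PowerShell module (RSAT) is installed on the host Splunk runs the scripted input on, and the domain controller name, output path and attribute list are placeholders to adjust.

```powershell
# Nightly export of enabled, unexpired AD user accounts to a CSV for a Splunk lookup.
# Assumptions (not from the thread): RSAT ActiveDirectory module present, DC name,
# output path under the Splunk app's lookups directory, and the attribute list.
Import-Module ActiveDirectory -ErrorAction Stop

$Server     = "dc01.example.local"                                          # assumed DC
$OutputPath = "C:\Program Files\Splunk\etc\apps\search\lookups\Users.csv"   # assumed path
$Attributes = @("sAMAccountName", "givenName", "sn", "mail", "department",
                "Enabled", "LastLogonDate", "AccountExpirationDate")

# Get-ADUser only returns user objects, so the (!(objectClass=computer)) clause
# from the thread is not needed here. Filtering on Enabled server-side and paging
# with -ResultPageSize avoids the DC building one huge result set, which is the
# usual reason a full "(objectClass=user)" ldapsearch runs for an hour or times out.
$users = Get-ADUser -Server $Server -Filter 'Enabled -eq $true' `
                    -Properties $Attributes -ResultPageSize 1000 -ErrorAction Stop |
         Where-Object { -not $_.AccountExpirationDate -or $_.AccountExpirationDate -gt (Get-Date) }

$users |
    Select-Object $Attributes |
    Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8

# The CSV is a full directory of your accounts: keep NTFS permissions on it as tight
# as the Splunk service account allows.
Write-Host ("Exported {0} users to {1}" -f @($users).Count, $OutputPath)
```

Point a lookup definition at the resulting file (in transforms.conf, a stanza with `filename = Users.csv`) and the lookup replaces the live ldapsearch in your searches.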