- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to LDAPGROUP filter by MEMBER_TYPE?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am successfully using some simple LDAPSEARCH + LDAPGROUP searches to produce membership lists for various AD groups.
Ex.
| ldapsearch search="(&(objectClass=Group)(cn=Remote Desktop Users)"
| table cn,distinguishedName
| ldapgroup
| table cn,member_name,member_type
The searches work, but always show me all possible membership types (DIRECT, NESTED, etc.)
I would like to filter my end results so that only DIRECT members are returned.
I've tried inserting a | WHERE clause after the LDAPGROUP or final table command, but it just returns an empty set.
I'm clearly not quite understanding how to pipeline output correctly. Any help is much appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That table should have been in the OP since it clarifies the problem. It appears that ldapgroup creates multivalue fields that standard where/search operators can't handle. The solution is to expand the multivalue fields before filtering them. To retain the relationship between member_name and member_type, we'll use mvzip to pair them up before expanding them.
| ldapsearch search="(&(objectClass=Group)(cn=Remote Desktop Users)"
| table cn,distinguishedName
| ldapgroup
``` Combine member_name and member_type
| eval member_name_type=mvzip(member_name, member_type, "#")
``` Put each member into a separate event ```
| mvexpand member_name_type
``` Break the member field apart again ```
| eval member_name_type = split(member_name_type, "#")
| eval member_name=mvindex(member_name_type,0), member_type=mvindex(member_name_type,1)
| where member_type="DIRECT"
| table cn,member_name,member_type
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What where command have you used? It should be something like this.
| ldapsearch search="(&(objectClass=Group)(cn=Remote Desktop Users)"
| table cn,distinguishedName
| ldapgroup
| where member_type="DIRECT"
| table cn,member_name,member_typeHave you tried a search command?
| ldapsearch search="(&(objectClass=Group)(cn=Remote Desktop Users)"
| table cn,distinguishedName
| ldapgroup
| search member_type="DIRECT"
| table cn,member_name,member_typeIf both of those fail then perhaps the ldapgroup command is unable to get the member_type information. Try enabling logging to see what is happening.
| ldapsearch search="(&(objectClass=Group)(cn=Remote Desktop Users)"
| table cn,distinguishedName
| ldapgroup debug=1 logging_level=DEBUG
| table cn,member_name,member_typeThen search
index=_internal source=*SA-ldapsearch.logIf this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @richgalloway ,
As I understand it, LDAPGROUP is what is generating the MEMBER_TYPE information.
https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.7/User/Theldapgroupcommand
From your suggestions, I tried both
- | ldapgroup | where member_type="DIRECT"
- | ldapgroup | search member_type="DIRECT"
and both of them produce the same result as my original search - one nicely formatted row showing the group in one column and all of the group members in the other column - both DIRECT and NESTED.
| cn | member_name | member_type |
Remote Desktop Users
| Finance Sales Fred Sam Joe Ted | DIRECT |
My guess is that both SEARCH and WHERE are operating on the initial LDAPSEARCH operation. The group itself has matching member_type data. The searches are all working, and nothing fails, so there doesn't appear to be anything illuminating in the debug log.
I imagine I could REGEX the field to delete the unwanted entries from the view, but that seems like an odd workaround since LDAPGROUP is producing member_type data.
I'm still just shy of having this work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That table should have been in the OP since it clarifies the problem. It appears that ldapgroup creates multivalue fields that standard where/search operators can't handle. The solution is to expand the multivalue fields before filtering them. To retain the relationship between member_name and member_type, we'll use mvzip to pair them up before expanding them.
| ldapsearch search="(&(objectClass=Group)(cn=Remote Desktop Users)"
| table cn,distinguishedName
| ldapgroup
``` Combine member_name and member_type
| eval member_name_type=mvzip(member_name, member_type, "#")
``` Put each member into a separate event ```
| mvexpand member_name_type
``` Break the member field apart again ```
| eval member_name_type = split(member_name_type, "#")
| eval member_name=mvindex(member_name_type,0), member_type=mvindex(member_name_type,1)
| where member_type="DIRECT"
| table cn,member_name,member_type
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you very much for the coaching on the multivalue functions. I had never used any of those before.
Your code suggestions for mvzip/mvexpand/mvindex worked exactly as described.
This solution has the advantage of being able to generalize to many other scenarios.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It turns out that there is a different, but closely related technique for getting to the same result, if all you are interested in is the narrow goal of listing AD group direct membership.
Instead of using LDAPGROUP, use the LDAPFETCH function.
| ldapsearch search="(&(objectClass=Group)(cn=Remote Desktop Users)"
| mvexpand member
| ldapfetch dn=member attrs="cn"
| table cnThis returns the direct members of the group using their CN or any alternate attribute.
It leaves me wondering what the best cases are for using the LDAPGROUP function. The official documentation on it is fairly light and I was only able to find a small handful of examples online.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your problem is resolved, then please click the "Accept as Solution" button to help future readers.
If this reply helps you, Karma would be appreciated.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
