On Wed, 07 Aug 2024, Matt Trimboli via FreeIPA-users wrote:
> So I can make useful ldap queries and lovely Splunk dashboards so I'm
> interested in making useful ldap queries that a Splunk add-on
> (SA-ldapsearch) can consume. Even though it's called ldapsearch, it's
> really meant for AD, but it almost works with IPA. Right now I can't
> get past the configuration screen where it tests the connection. There
> are no errors in the IPA ldap logs but on the Splunk side it complains
> that
> "Result: distinguishedName: undefined"
> Some quick comparisons showed me that IPA calls the attribute 'dn' and
> AD has both 'dn' and 'distinguishedName'. My guess is that if IPA gave
> this Splunk plugin the distinguishedName attribute in the result, it
> would let me proceed (until the next error, possibly.)
> Can anyone point me toward the easiest way to try this? compat plugin?
> something easier? I don't yet have experience tweaking the schema, but
> I'm willing to learn.

I don't think you can do anything with it other than asking Splunk to
expect 'dn' or 'distinguishedName' in the output.
'distinguishedName' is an alias to the 'dn' attribute. It is pretty much
a fundamental attribute in LDAP and 389-ds handles it without a problem:
-------------------------------------------------
$ ldapsearch -H ldap://ipa.demo1.freeipa.org -x -b dc=demo1,dc=freeipa,dc=org '(uid=admin)' distinguishedName
# extended LDIF
#
# LDAPv3
# base <dc=demo1,dc=freeipa,dc=org> with scope subtree
# filter: (uid=admin)
# requesting: distinguishedName
#
# admin, users, accounts, demo1.freeipa.org
dn: uid=admin,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
------------------------------------------------
However, 389-ds returns you a primary name of the attribute because
that's how it is supposed to be. It accepts an aliased name in the search.
I guess this plugin is written with the assumption that if a certain
attribute was asked by a specific name, distinguishedName, then a result
is returned with this name, instead of the attribute's primary name. This
is not defined in the set of LDAP specifications. In fact,
https://www.rfc-editor.org/rfc/rfc4517#section-3.3.9 only defines an
attribute 'DN' with the LDAP-specific encoding of 'distinguishedName'
rule from the string representation of the distinguished names from
RFC4514. In the LDAP RFC there is no attribute named 'distinguishedName'
but it is a common use that 'dn' and 'distinguishedName' are aliases in
LDAP queries.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
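
The mismatch described in the reply above, as an added example that is not part of the original message or of the Splunk add-on: a client-side lookup that answers a request for 'distinguishedName' from the entry's DN instead of expecting the server to echo the requested name. The function names, the DN_NAMES set and the sample LDIF are assumptions constructed for illustration.

```python
# Added example: look up requested attributes without assuming the server
# returns them under the exact name that was asked for.

# Constructed sample, modelled on the ldapsearch output quoted in the reply.
SAMPLE_LDIF = """\
# extended LDIF
#
# requesting: distinguishedName uid

# admin, users, accounts, demo1.freeipa.org
dn: uid=admin,cn=users,cn=accounts,dc=demo1,dc=freeipa,dc=org
uid: admin

# search result
search: 2
result: 0 Success
"""

# Assumption: names this client treats as "the entry's DN".
DN_NAMES = {"dn", "distinguishedname"}

def parse_ldif(text):
    """Parse simple LDIF (no folding, no base64) into [(dn, {attr: [values]})]."""
    entries, dn, attrs = [], None, {}
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():              # blank line closes the current entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if dn is None and name.lower() == "dn":
            dn = value
        elif dn is not None:              # skips the "search:"/"result:" trailer
            attrs.setdefault(name, []).append(value)
    return entries

def lookup(entry, requested):
    """Return {requested_name: values}, matching case-insensitively and
    falling back to the entry DN for any name listed in DN_NAMES."""
    dn, attrs = entry
    by_lower = {k.lower(): v for k, v in attrs.items()}
    out = {}
    for name in requested:
        key = name.lower()
        out[name] = by_lower.get(key, [dn] if key in DN_NAMES else [])
    return out
```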