Splunk Supporting Add-on for Active Directory: inconsistent performance/functionality
I currently have SA-ldapsearch v1.1.13 running on a search head with Splunk v6.5.2. I have a saved ldapsearch using `search="(&(objectclass=user)(!(objectClass=computer)))"` with a list of around 50 attributes to populate a lookup table. The search usually takes about 2 minutes to complete, which I think is fine considering the amount of data being queried and returned.

I stood up another search head with Splunk v6.6.1 and SA-ldapsearch v2.1.4, and I'm in the process of migrating a series of saved searches over, including the ldap search mentioned above, and I'm having a few issues. I believe configuration was done correctly, according to the ldaptestconnection search that runs successfully, and everything matches up with the configuration from the older version, with the exception of the older version's server config using 3 DCs and the new version only allowing for 1 server per domain.

Issue #1: when I run the exact same search on the newer app/search head, it gets an error for invalid attribute types that are definitely present when the search is run on the older app/search head.

Issue #2: once I remove the invalid attribute types listed and run the search, it seems like it will never complete. As mentioned above, the search in question takes 2 minutes on the old search head, while currently I have a backgrounded search that's been running for an hour at the time of this post with 0% completion. Now here's the weird thing: I ran the same search using around 15 attributes of the original 50 on the new search head and it took about 25 minutes to complete, but it did actually complete and return results. Is there something I'm missing regarding the configuration on the new app that's causing these performance issues?

I'm thinking it has something to do with the fact that I can only list one DC in the hostname field in the configuration of the new version of the app, while the old version has 3 listed, but I can't seem to find any documentation for the new version regarding using multiple servers to confirm my suspicion.

For those curious, here is the (sanitized) search I'm running:

```
| ldapsearch domain=DOMAIN search="(&(objectclass=user)(!(objectClass=computer)))" attrs="accountExpires,badPasswordTime,badPwdCount,c,cn,co,codePage,company,countryCode,department,departmentNumber,description,displayName,distinguishedName,division,dn,employeeID,employeeType,givenName,homeDirectory,homeDrive,homePhone,host,info,initials,instanceType,ipPhone,l,lastLogoff,lastLogon,lastLogonTimestamp,lockoutTime,logonCount,mAPIRecipient,mDBUseDefaults,mail,mailNickname,manager,middleName,mobile,name,objectCategory,objectClass,objectGUID,objectSid,otherFacsimileTelephoneNumber,otherMobile,otherTelephone,pager,physicalDeliveryOfficeName,postOfficeBox,postalCode,primaryGroupID,proxyAddresses,pwdLastSet,replicatedObjectVersion,sAMAccountName,sAMAccountType,scriptPath,servicePrincipalName,showInAdvancedViewOnly,sn,source,sourcetype,st,streetAddress,telephoneAssistant,telephoneNumber,title,uSNChanged,uSNCreated,uid,userAccountControl,userPrincipalName,wWWHomePage,whenChanged,whenCreated"
| eval is_disabled=if(match(userAccountControl,"ACCOUNT_DISABLED"),"X","")
| eval is_person=if(match(objectClass,"organizationalPerson"),"X","")
| rex field=manager "(?<=CN=)(?<manager>.*?)(?=,OU)"
| eval manager=replace(manager,"\\\\","")
| fields - _raw - host - source
| eval sAMAccountName=lower(sAMAccountName)
| eval mail=lower(mail)
| outputlookup append=false create_empty=false createinapp=true lookup_table.csv
```

And the invalid attribute types it lists are source, sourcetype, dn, but as I stated, this search runs fine returning those attributes on the old app version/search head.
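The post's SPL does the post-processing (disabled flag, person flag, manager CN, lowercasing, CSV) inside Splunk. As an added example, not code from the original post and not part of SA-ldapsearch, here is the same transformation in plain Python over raw LDAP entries: it decodes the integer `userAccountControl` into Microsoft's ADS_USER_FLAG names (so the disabled check does not depend on how an add-on spells the flag), extracts the manager's CN from the DN with RFC 4514 escapes handled instead of a lookbehind regex that assumes an `,OU` follows, converts `pwdLastSet` from FILETIME, and writes the lookup CSV. The entries, the attribute subset and the flag table are constructed for the example; `source`, `sourcetype` and `dn` are deliberately absent from the sample because they are not Active Directory schema attributes (AD exposes the DN as `distinguishedName`, and the other two are Splunk metadata fields).

```python
"""Build an AD user lookup table from raw LDAP entries (added example)."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Subset of userAccountControl bits, named as in Microsoft's ADS_USER_FLAG_ENUM.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

# Constructed sample entries, shaped like raw LDAP results (attribute -> value).
SAMPLE_ENTRIES = [
    {
        "sAMAccountName": "JDoe",
        "mail": "J.Doe@Example.com",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "userAccountControl": 0x0200,
        # Escaped comma inside the CN is what breaks naive DN splitting.
        "manager": "CN=Smith\\, Alice,OU=Staff,DC=example,DC=com",
        "pwdLastSet": 131277024000000000,  # 2017-01-01T00:00:00Z as FILETIME
    },
    {
        "sAMAccountName": "svc_backup",
        "mail": "",
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "userAccountControl": 0x0200 | 0x0002 | 0x10000,
        "manager": "",
        "pwdLastSet": 0,
    },
]


def decode_uac(value):
    """Return the names of the known bits set in a userAccountControl integer."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if int(value) & bit]


def first_rdn_value(dn):
    """Return the value of the first RDN of a DN, honouring RFC 4514 escapes.

    Handles both '\\,' style escapes and '\\2C' hex escapes (single-byte only;
    multi-byte UTF-8 hex escapes would need byte-level reassembly).
    """
    _attr, _sep, rest = dn.partition("=")
    out, i = [], 0
    while i < len(rest):
        c = rest[i]
        if c == "\\" and i + 1 < len(rest):
            pair = rest[i + 1:i + 3]
            if len(pair) == 2 and all(ch in "0123456789abcdefABCDEF" for ch in pair):
                out.append(chr(int(pair, 16)))
                i += 3
            else:
                out.append(rest[i + 1])
                i += 2
        elif c == ",":
            break  # unescaped comma ends the first RDN
        else:
            out.append(c)
            i += 1
    return "".join(out)


def filetime_to_iso(value):
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601.

    0 (never set) and the 'never expires' sentinel both map to None.
    """
    v = int(value)
    if v in (0, 0x7FFFFFFFFFFFFFFF):
        return None
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=v // 10)).isoformat()


def build_row(entry):
    """Mirror the post's eval/rex pipeline for one entry."""
    flags = decode_uac(entry.get("userAccountControl", 0))
    manager = entry.get("manager", "")
    return {
        "sAMAccountName": entry["sAMAccountName"].lower(),
        "mail": entry.get("mail", "").lower(),
        "is_disabled": "X" if "ACCOUNTDISABLE" in flags else "",
        "is_person": "X" if "organizationalPerson" in entry.get("objectClass", []) else "",
        "manager": first_rdn_value(manager) if manager else "",
        "pwdLastSet": filetime_to_iso(entry.get("pwdLastSet", 0)) or "",
        "userAccountControl": "|".join(flags),
    }


def write_lookup(entries):
    """Render the rows as CSV text (what outputlookup would write to disk)."""
    rows = [build_row(e) for e in entries]
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(write_lookup(SAMPLE_ENTRIES))
```

Decoding the integer yourself is the robust choice when migrating between add-on versions: if the newer version renders the flag names differently, a `match(userAccountControl,"ACCOUNT_DISABLED")` silently returns no disabled accounts, whereas a bit test cannot drift.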