LDAP Parser Options File

Caution: RSA strongly suggests that you do not subscribe to the options file. Subsequent downloads of this file will overwrite all changes that you have made to the file.

Note the following:

  • If you deploy the options file, it can be found in the same directory as parsers: /etc/netwitness/ng/parsers/.
  • The parser is not dependent upon the options file. The parser will load and run even in the absence of the options file. The options file is only required if you need to change the default settings.
  • If you do not have an options file (or if your options file is invalid), the parser uses the default settings.

Note: The parser will never use both the defaults and customized options. If the options file exists and its contents can be loaded, then the defaults will not be used at all.

By default, the LDAP parse only parses the username and password if the port is 389. The options file allows parsing from any specified port, as well as some other configuration.

The LDAP_options file contains the following options for controlling the parser:

  • ports
  • idOnly
  • parseResponses

To change an option from false to true, edit the line inside the corresponding function, from

return false


return true

And similarly to go from true to false.


Default value: "389, 686"

Specifies the ports on which to look for LDAP sessions. The value should be a comma or space delineated list of port numbers. For example:

"389, 686"

LDAP sessions on ports other than those listed will not be identified, nor parsed.


Default value: false

If enabled, LDAP sessions will be identified but no meta will be extracted. This may improve overall system performance.

If enabled, the parseResponses option is ignored.

Note: Modifying this option requires a service restart to take effect; a simple parser reload is insufficient.


Default value: false

By default, meta is not extracted from LDAP responses. If you enable this option (set its value to true), meta will be extracted from LDAP responses. Note that this will result in a greater amount of meta, and may decrease overall system performance.

If enabled, the meta goes to ldap.response, which is a non-standard key.