elastic · marc-gr · Nov 26, 2025 · Nov 26, 2025 · Dec 1, 2025 · Dec 1, 2025
diff --git a/changelog/fragments/1764010000-translate-ldap-guid-inference.yaml b/changelog/fragments/1764010000-translate-ldap-guid-inference.yaml
@@ -0,0 +1,45 @@
+# REQUIRED
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: enhancement
+
+# REQUIRED for all kinds
+# Change summary; a 80ish characters long description of the change.
+summary: Add GUID translation, base DN inference, and SSPI authentication to LDAP processor.
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# description:
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# impact:
+
+# REQUIRED for breaking-change, deprecation, known-issue
+# action:
+
+# REQUIRED for all kinds
+# Affected component; usually one of "elastic-agent", "fleet-server", "filebeat", "metricbeat", "auditbeat", "all", etc.
+component: libbeat
+
+# AUTOMATED
+# OPTIONAL to manually add other PR URLs
+# PR URL: A link the PR that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/beats/pull/47827
+
+# AUTOMATED
+# OPTIONAL to manually add other issue URLs
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+# issue: https://github.com/owner/repo/1234
@@ -6,27 +6,27 @@ applies_to:
   stack: ga
 ---
 
-# Translate GUID [processor-translate-guid]
+# Translate LDAP Attribute [processor-translate-ldap-attribute]
 
+The `translate_ldap_attribute` processor translates LDAP attributes into friendlier values. The typical use case is converting an Active Directory Global Unique Identifier (GUID) into a human-readable name (for example the object's `cn`).
 
-The `translate_ldap_attribute` processor translates an LDAP attributes between eachother. It is typically used to translate AD Global Unique Identifiers (GUID) into their common names.
+Every object on an Active Directory or an LDAP server is issued a GUID. Internal processes refer to their GUID’s rather than the object's name and these values sometimes appear in logs.
 
-Every object on an Active Directory or an LDAP server is issued a GUID. Internal processes refer to their GUID’s rather than the object’s name and these values sometimes appear in logs.
-
-If the search attribute is invalid (malformed) or does not map to any object on the domain then this will result in the processor returning an error unless `ignore_failure` is set.
+If the search attribute is invalid (malformed) or does not map to any object on the domain the processor returns an error unless `ignore_failure` is set.
 
 The result of this operation is an array of values, given that a single attribute can hold multiple values.
 
-Note: the search attribute is expected to map to a single object. If it doesn’t, no error will be returned, but only results of the first entry will be added to the event.
+Note: the search attribute is expected to map to a single object. If multiple entries match, only the first entry's mapped attribute values are returned.
 
 ```yaml
 processors:
   - translate_ldap_attribute:
       field: winlog.event_data.ObjectGuid
-      ldap_address: "ldap://"
-      ldap_base_dn: "dc=example,dc=com"
       ignore_missing: true
       ignore_failure: true
+      # ldap_domain: "example.com"  # Optional - override auto-discovered domain for DNS SRV queries
+      # ldap_address: "ldap://ds.example.com:389"  # Optional - resolve via DNS SRV/LOGONSERVER when omitted
+      # ldap_base_dn: "dc=example,dc=com"  # Optional - discovered via rootDSE or inferred from server domain
 ```
 
 The `translate_ldap_attribute` processor has the following configuration settings:
@@ -35,18 +35,38 @@ The `translate_ldap_attribute` processor has the following configuration setting
 | --- | --- | --- | --- |
 | `field` | yes |  | Source field containing a GUID. |
 | `target_field` | no |  | Target field for the mapped attribute value. If not set it will be replaced in place. |
-| `ldap_address` | yes |  | LDAP server address. eg: `ldap://ds.example.com:389` |
-| `ldap_base_dn` | yes |  | LDAP base DN. eg: `dc=example,dc=com` |
-| `ldap_bind_user` | no |  | LDAP user. |
-| `ldap_bind_password` | no |  | LDAP password. |
+| `ldap_domain` | no |  | DNS domain name for DNS SRV lookups (e.g., `example.com`). When omitted, the domain is auto-discovered from the `USERDNSDOMAIN` environment variable (Windows) or the hostname's domain suffix. This setting is used only when `ldap_address` is not provided. |
+| `ldap_address` | no |  | LDAP server address (eg: `ldap://ds.example.com:389`). If not provided, auto-discovery will be attempted via DNS SRV records and, on Windows, the LOGONSERVER environment variable. |
+| `ldap_base_dn` | no |  | LDAP base DN (eg: `dc=example,dc=com`). If not provided, auto-discovery will be attempted via rootDSE query or inferred from the server domain. |
+| `ldap_bind_user` | no |  | LDAP user. If both `ldap_bind_user` and `ldap_bind_password` are omitted, the processor will attempt Windows SSPI authentication (on Windows) using the current process user's credentials, or fall back to an unauthenticated bind. |
+| `ldap_bind_password` | no |  | LDAP password. If both `ldap_bind_user` and `ldap_bind_password` are omitted, the processor will attempt Windows SSPI authentication (on Windows) using the current process user's credentials, or fall back to an unauthenticated bind. |
 | `ldap_search_attribute` | yes | `objectGUID` | LDAP attribute to search by. |
 | `ldap_mapped_attribute` | yes | `cn` | LDAP attribute to map to. |
 | `ldap_search_time_limit` | no | 30 | LDAP search time limit in seconds. |
-| `ldap_ssl`\* | no | 30 | LDAP TLS/SSL connection settings. |
+| `ldap_ssl`* | no |  | LDAP TLS/SSL connection settings. See [SSL](/reference/auditbeat/configuration-ssl.md). |
+| `ad_guid_translation` | no | `auto` | Controls GUID binary conversion for Active Directory attributes. `auto` (default) converts when the LDAP search attribute equals `objectGUID` (case-insensitive). Use `always` to force conversion or `never` to disable it. |
 | `ignore_missing` | no | false | Ignore errors when the source field is missing. |
 | `ignore_failure` | no | false | Ignore all errors produced by the processor. |
 
-\* Also see [SSL](/reference/auditbeat/configuration-ssl.md) for a full description of the `ldap_ssl` options.
+## Server auto-discovery
+
+When `ldap_address` is omitted the processor attempts to discover controllers in the following order:
+
+1. DNS SRV lookups for `_ldaps._tcp` (preferred) and `_ldap._tcp` using the system's native DNS resolver. The processor queries multiple patterns:
+  - `_ldap._tcp.dc._msdcs.<domain>` (Active Directory domain controllers)
+  - `_ldap._tcp.<domain>` (standard domain lookup)
+  - If no domain is available, bare queries like `_ldap._tcp` which automatically use the system's DNS search suffix configuration (works on Windows, Linux, and macOS)
+
+  The domain used for DNS SRV lookups is determined from:
+  - The `ldap_domain` configuration option (highest priority)
+  - Operating-system domain metadata (for example session environment values or Windows domain-join settings)
+  - The host's fully qualified name when available
+  - Reverse DNS lookup of the local machine as a last resort
+
+  **Note:** The processor uses Go's standard library `net.LookupSRV()` which leverages the operating system's native DNS resolver. On Windows, this automatically reads DNS servers and search suffixes from the Windows registry, making autodiscovery work correctly even when running as a service without environment variables. SRV records are automatically ordered by priority with weight-based randomization per RFC 2782 to distribute load across available servers.
+2. On Windows, the `LOGONSERVER` environment variable. The processor keeps the hostname for TLS validation and may also try the resolved IP as a fallback.
+
+Each candidate server is tried sequentially until one responds. Likewise, if `ldap_base_dn` is not supplied the client queries the server's rootDSE for `defaultNamingContext`/`namingContexts`, and if that fails, infers the DN from the server's domain name (for example `dc=example,dc=com`).
 
 If the searches are slow or you expect a high amount of different key attributes to be found, consider using a cache processor to speed processing:
 
@@ -78,4 +98,3 @@ processors:
             key_field: winlog.event_data.ObjectGuid
             value_field: winlog.common_name
 ```
-
@@ -6,27 +6,27 @@ applies_to:
   stack: ga
 ---
 
-# Translate GUID [processor-translate-guid]
+# Translate LDAP Attribute [processor-translate-ldap-attribute]
 
+The `translate_ldap_attribute` processor translates LDAP attributes into friendlier values. The typical use case is converting an Active Directory Global Unique Identifier (GUID) into a human-readable name (for example the object's `cn`).
 
-The `translate_ldap_attribute` processor translates an LDAP attributes between eachother. It is typically used to translate AD Global Unique Identifiers (GUID) into their common names.
+Every object on an Active Directory or an LDAP server is issued a GUID. Internal processes refer to their GUID’s rather than the object's name and these values sometimes appear in logs.
 
-Every object on an Active Directory or an LDAP server is issued a GUID. Internal processes refer to their GUID’s rather than the object’s name and these values sometimes appear in logs.
-
-If the search attribute is invalid (malformed) or does not map to any object on the domain then this will result in the processor returning an error unless `ignore_failure` is set.
+If the search attribute is invalid (malformed) or does not map to any object on the domain the processor returns an error unless `ignore_failure` is set.
 
 The result of this operation is an array of values, given that a single attribute can hold multiple values.
 
-Note: the search attribute is expected to map to a single object. If it doesn’t, no error will be returned, but only results of the first entry will be added to the event.
+Note: the search attribute is expected to map to a single object. If multiple entries match, only the first entry's mapped attribute values are returned.
 
 ```yaml
 processors:
   - translate_ldap_attribute:
       field: winlog.event_data.ObjectGuid
-      ldap_address: "ldap://"
-      ldap_base_dn: "dc=example,dc=com"
       ignore_missing: true
       ignore_failure: true
+      # ldap_domain: "example.com"  # Optional - override auto-discovered domain for DNS SRV queries
+      # ldap_address: "ldap://ds.example.com:389"  # Optional - resolve via DNS SRV/LOGONSERVER when omitted
+      # ldap_base_dn: "dc=example,dc=com"  # Optional - discovered via rootDSE or inferred from server domain
 ```
 
 The `translate_ldap_attribute` processor has the following configuration settings:
@@ -35,18 +35,38 @@ The `translate_ldap_attribute` processor has the following configuration setting
 | --- | --- | --- | --- |
 | `field` | yes |  | Source field containing a GUID. |
 | `target_field` | no |  | Target field for the mapped attribute value. If not set it will be replaced in place. |
-| `ldap_address` | yes |  | LDAP server address. eg: `ldap://ds.example.com:389` |
-| `ldap_base_dn` | yes |  | LDAP base DN. eg: `dc=example,dc=com` |
-| `ldap_bind_user` | no |  | LDAP user. |
-| `ldap_bind_password` | no |  | LDAP password. |
+| `ldap_domain` | no |  | DNS domain name for DNS SRV lookups (e.g., `example.com`). When omitted, the domain is auto-discovered from the `USERDNSDOMAIN` environment variable (Windows) or the hostname's domain suffix. This setting is used only when `ldap_address` is not provided. |
+| `ldap_address` | no |  | LDAP server address (eg: `ldap://ds.example.com:389`). If not provided, auto-discovery will be attempted via DNS SRV records and, on Windows, the LOGONSERVER environment variable. |
+| `ldap_base_dn` | no |  | LDAP base DN (eg: `dc=example,dc=com`). If not provided, auto-discovery will be attempted via rootDSE query or inferred from the server domain. |
+| `ldap_bind_user` | no |  | LDAP user. If both `ldap_bind_user` and `ldap_bind_password` are omitted, the processor will attempt Windows SSPI authentication (on Windows) using the current process user's credentials, or fall back to an unauthenticated bind. |
+| `ldap_bind_password` | no |  | LDAP password. If both `ldap_bind_user` and `ldap_bind_password` are omitted, the processor will attempt Windows SSPI authentication (on Windows) using the current process user's credentials, or fall back to an unauthenticated bind. |
 | `ldap_search_attribute` | yes | `objectGUID` | LDAP attribute to search by. |
 | `ldap_mapped_attribute` | yes | `cn` | LDAP attribute to map to. |
 | `ldap_search_time_limit` | no | 30 | LDAP search time limit in seconds. |
-| `ldap_ssl`\* | no | 30 | LDAP TLS/SSL connection settings. |
+| `ldap_ssl`* | no |  | LDAP TLS/SSL connection settings. See [SSL](/reference/filebeat/configuration-ssl.md). |
+| `ad_guid_translation` | no | `auto` | Controls GUID binary conversion for Active Directory attributes. `auto` (default) converts when the LDAP search attribute equals `objectGUID` (case-insensitive). Use `always` to force conversion or `never` to disable it. |
 | `ignore_missing` | no | false | Ignore errors when the source field is missing. |
 | `ignore_failure` | no | false | Ignore all errors produced by the processor. |
 
-\* Also see [SSL](/reference/filebeat/configuration-ssl.md) for a full description of the `ldap_ssl` options.
+## Server auto-discovery
+
+When `ldap_address` is omitted the processor attempts to discover controllers in the following order:
+
+1. DNS SRV lookups for `_ldaps._tcp` (preferred) and `_ldap._tcp` using the system's native DNS resolver. The processor queries multiple patterns:
+  - `_ldap._tcp.dc._msdcs.<domain>` (Active Directory domain controllers)
+  - `_ldap._tcp.<domain>` (standard domain lookup)
+  - If no domain is available, bare queries like `_ldap._tcp` which automatically use the system's DNS search suffix configuration (works on Windows, Linux, and macOS)
+
+  The domain used for DNS SRV lookups is determined from:
+  - The `ldap_domain` configuration option (highest priority)
+  - Operating-system domain metadata (for example session environment values or Windows domain-join settings)
+  - The host's fully qualified name when available
+  - Reverse DNS lookup of the local machine as a last resort
+
+  **Note:** The processor uses Go's standard library `net.LookupSRV()` which leverages the operating system's native DNS resolver. On Windows, this automatically reads DNS servers and search suffixes from the Windows registry, making autodiscovery work correctly even when running as a service without environment variables. SRV records are automatically ordered by priority with weight-based randomization per RFC 2782 to distribute load across available servers.
+2. On Windows, the `LOGONSERVER` environment variable. The processor keeps the hostname for TLS validation and may also try the resolved IP as a fallback.
+
+Each candidate server is tried sequentially until one responds. Likewise, if `ldap_base_dn` is not supplied the client queries the server's rootDSE for `defaultNamingContext`/`namingContexts`, and if that fails, infers the DN from the server's domain name (for example `dc=example,dc=com`).
 
 If the searches are slow or you expect a high amount of different key attributes to be found, consider using a cache processor to speed processing:
 
@@ -78,4 +98,3 @@ processors:
             key_field: winlog.event_data.ObjectGuid
             value_field: winlog.common_name
 ```
-