000029270 - How to test access to Active Directory/LDAP from IMG server

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000029270
Applies To: Identity Management and Governance
Issue: It can be helpful to try an alternative means of accessing LDAP-based data when troubleshooting issues with Active Directory collectors, connectors, and/or authentication sources.
Resolution: Supported versions of Red Hat and SUSE Linux include the command-line ldapsearch utility.
For example, to test retrieving users from an Active Directory server, SSH to the IMG server and execute ldapsearch:
oracle@acm-690:~> ldapsearch -h -p 389 -D administrator@2k8r2-vcloud.local -w password1 -z 1 -b 'ou=us,ou=vcloud users,dc=2k8r2-vcloud,dc=local' '(&(objectClass=User)(objectcategory=person))'
CN=Felicia\, Radi,OU=US,OU=vcloud Users,DC=2k8r2-vcloud,DC=local
cn=Felicia, Radi
distinguishedName=CN=Felicia\, Radi,OU=US,OU=vcloud Users,DC=2k8r2-vcloud,DC=local

    -h host     ldap server
    -p port     port on ldap server
    -D binddn   bind dn
    -w passwd   bind passwd (for simple authentication)
    -z size lim size limit (in entries) for search
    -b basedn   base dn for search
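
The same check wrapped in a small shell script, added here as an example and not taken from the RSA article: it prompts for the bind password with -q (listed in the Notes below) rather than passing it with -w, where the password would remain in shell history and be visible to other users through ps, and it escapes a cn value before inserting it into the search filter. Host, port, bind DN and base DN are supplied by the caller; the ldapsearch build is assumed to be the one shown on this page.

```bash
#!/bin/bash
# Added example, not from the RSA article. Assumes the ldapsearch shown
# on this page (Oracle client build; -q prompts for the bind password).

# Escape a value for use inside an LDAP search filter (RFC 4515), so a
# cn such as "a*(b)" is matched literally instead of acting as a wildcard
# or breaking the filter. Backslash is handled first so it is not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# The Active Directory "person" filter used in the article, optionally
# narrowed to one cn (e.g. "Felicia, Radi"; commas need no escaping here).
ad_person_filter() {
    if [ -n "$1" ]; then
        printf '(&(objectClass=User)(objectcategory=person)(cn=%s))' \
            "$(ldap_filter_escape "$1")"
    else
        printf '(&(objectClass=User)(objectcategory=person))'
    fi
}

# test_ad_access HOST PORT BINDDN BASEDN [CN]
# Runs the article's search but is prompted for the password (-q) instead
# of taking it on the command line. Quoting the base DN keeps DNs that
# contain spaces ("ou=vcloud users") intact. A non-zero status means the
# bind or search failed; with -z 1 a size-limit result may also be
# reported as an error, so read the printed entries as well.
test_ad_access() {
    local host=$1 port=$2 binddn=$3 basedn=$4 filter rc=0
    filter=$(ad_person_filter "$5")
    ldapsearch -h "$host" -p "$port" -D "$binddn" -q -z 1 \
               -b "$basedn" "$filter" cn distinguishedName || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "OK: bind and search against $host:$port succeeded"
    else
        echo "FAILED: ldapsearch exited with status $rc" >&2
    fi
    return "$rc"
}
```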

Notes: The full list of ldapsearch options can be seen by typing ldapsearch with no options:
oracle@acm-690:~> ldapsearch
usage: ldapsearch [options] filter [attributes...]
    filter      RFC-1558 compliant LDAP search filter
    attributes  whitespace-separated list of attributes to retrieve
                (if no attribute list is given, all are retrieved)
    -n          show what would be done but don't actually search
    -v          run in verbose mode (diagnostics to standard output)
    -t          write values to files in /tmp
    -u          include User Friendly entry names in the output
    -A          retrieve attribute names only (no values)
    -B          do not suppress printing of non-ASCII values
    -L          print entries in LDIF format (-B is implied)
    -X          print entries in XML format
    -R          do not automatically follow referrals
    -d level    set LDAP debugging level to `level'
    -F sep      print `sep' instead of `=' between attribute names and values
    -S attr     sort the results by attribute `attr'
    -f file     perform sequence of searches listed in `file'
    -b basedn   base dn for search
    -s scope    one of base, one, or sub (search scope)
    -a deref    one of never, always, search, or find (alias dereferencing)
    -l time lim time limit (in seconds) for search
    -z size lim size limit (in entries) for search
    -D binddn   bind dn
    -w passwd   bind passwd (for simple authentication)
    -h host     ldap server
    -p port     port on ldap server
    -W Wallet   Wallet location
    -P Wpasswd  Wallet Password
    -U SSLAuth  SSL Authentication Mode
    -q          prompt for simple bind password
    -Q          prompt for SSL wallet password
    -E charset  Character Set Encoding
    -M          send ManageDsaIT control to server
    -G          send RequiredAttribute control to server
    -C          send connectBy control to server
    -T [-]sort_attr     send serverSort control to server
    -j page_size        send Paging control to server