000024716 - Unable to list users in multiple domain Active Directory configured for global catalog binds with RSA ClearTrust

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000024716
Applies To: RSA ClearTrust 5.5 Authorization Server (AServer)
Microsoft Windows 2000 Server SP4
Microsoft Windows Server 2003
Microsoft Active Directory
Active Directory Global Catalog
Issue: Unable to list users in multiple domain Active Directory configured for global catalog binds with RSA ClearTrust
Users in the local domain can be listed, but when attempting to list users in the Global Catalog, no users are found. If search profiling is enabled in the eserver.conf file, it can be seen that Global Catalog users are being returned on the Global Catalog bind.
Cause: If an attempt is made to query for the users in the local domain using an incorrect user.basedn, Active Directory returns the following error message:

error=A referral was returned from the server.~~  -- Extended Error --- LDAP Provider : 0000202B: RefErr: DSID-031006D9, data 0, 1 access points

If LDAP referrals are enabled, some users may be returned on the port 389 bind instead of the port 3268 (Global Catalog) bind. LDAP referrals are not required for Global Catalog access, and enabling them is not recommended. See http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/distrib/dsbc_nar_bsad.asp for more information.
If the user.basedn setting points to a DN component that is valid for the domain but out of scope for the local domain controller where ClearTrust is binding, then ClearTrust will not display users from the Global Catalog. Setting the user.basedn to a valid DN resolves this issue. (NOTE: Setting the user.basedn to a dummy value also works, because the error message returned is different.) For example, if the ClearTrust datastore is installed in the dc=lab,dc=rsasecurity,dc=com domain, then a user.basedn of dc=rsasecurity,dc=com is incorrect. In practice, especially with a Global Catalog installation, the user.basedn should be constrained to a container rather than the root DN in order to reduce the search scope. In most AD installations the default location of cn=users,dc=lab,dc=rsasecurity,dc=com is satisfactory.
Resolution: To correct this issue, ensure that the cleartrust.data.ldap.user.basedn value points to a valid DN on the local domain controller where the port 389 or 636 binds are configured. When ClearTrust is configured in Active Directory Global Catalog mode, user searches are normally done through the Global Catalog bind using the basedn defined in the cleartrust.data.ldap.auxuser.basedn parameter, but both user.basedn values must be valid. The user.basedn should be directed to a specific container so that the entire domain is not searched. The default value of the CN=users container is recommended.
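As an added pre-deployment check (not part of this article or of the ClearTrust product), the following Python classifies a candidate cleartrust.data.ldap.user.basedn against the DN of the domain hosted by the local domain controller, so the "valid for the forest but out of scope for the DC" case that produces the referral above can be caught before the server is started. The domain DN is the article's example; the other DN values are constructed.

```python
"""Offline scope check for the ClearTrust user.basedn discussed in this article.

The local domain controller (port 389/636) only holds its own domain, so a
basedn that is an ancestor of that domain is valid for the forest but out of
scope for the DC, and the DC answers with a referral instead of user entries.
"""
from __future__ import annotations
from enum import Enum


class Scope(Enum):
    CONTAINER = "in scope: container within the local domain (recommended)"
    DOMAIN_ROOT = "in scope, but searches the whole domain; constrain to a container"
    ANCESTOR = "out of scope: ancestor of the local domain, DC returns a referral"
    UNRELATED = "not under the local domain at all"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, lower-cased for comparison.

    Handles plain DNs without escaped commas, which is all this check needs.
    """
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        if not attr or not value:
            raise ValueError(f"malformed RDN in {dn!r}: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def classify_basedn(user_basedn: str, local_domain_dn: str) -> Scope:
    """Classify user.basedn relative to the DN of the domain the local DC hosts."""
    base = parse_dn(user_basedn)
    domain = parse_dn(local_domain_dn)
    if base == domain:
        return Scope.DOMAIN_ROOT
    # DNs are right-anchored: the basedn lies inside the domain when the
    # domain DN is a proper suffix of it.
    if len(base) > len(domain) and base[-len(domain):] == domain:
        return Scope.CONTAINER
    # The basedn is an ancestor (the referral case) when it is a proper suffix
    # of the domain DN, e.g. dc=rsasecurity,dc=com for dc=lab,dc=rsasecurity,dc=com.
    if len(base) < len(domain) and domain[-len(base):] == base:
        return Scope.ANCESTOR
    return Scope.UNRELATED


if __name__ == "__main__":
    DOMAIN = "dc=lab,dc=rsasecurity,dc=com"  # the article's example domain
    for candidate in ("cn=users,dc=lab,dc=rsasecurity,dc=com",  # article's default
                      "dc=lab,dc=rsasecurity,dc=com",           # domain root
                      "dc=rsasecurity,dc=com",                  # article's incorrect value
                      "dc=example,dc=test"):                    # constructed dummy value
        print(f"{candidate:40} -> {classify_basedn(candidate, DOMAIN).value}")
```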
Legacy Article ID: a22204