000033564 - How to check the connectivity and response time of an Identity source for RSA Authentication Manager 8.1

Document created by RSA Customer Support Employee on Jul 19, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000033564
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1
 
Issue: To troubleshoot Identity Source issues, it may be necessary to check connectivity to the Identity Source, and its response time, from the AM server.
Resolution: Connectivity to an Identity Source can be checked with the following steps:
1- Open an SSH session to the AM server.
2- Run the command below:
 
# ldapsearch -LLL  -H <DC connection> -x  -D <User name> -w <password> -E pr=1000/noprompt -b <User Base DN> "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=<Any User ID>))" SAMAccountName
e.g.:
# ldapsearch -LLL  -H ldap://2k8r2-dc1.2k8r2-vcloud.local:389 -x  -D 'administrator@2k8r2-vcloud.local' -w 'pa$$w0rd' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=newuser))" SAMAccountName

If the connectivity is OK, the output of the command should look like:
dn: CN=new user,CN=Users,DC=2k8r2-vcloud,DC=local
sAMAccountName: newuser
# pagedresults: cookie=

If the credentials are incorrect, you will get the following error:
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

If there is a network connectivity error, you will get the following error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


The response time of the Identity Source can be checked by prepending the "time" command to the "ldapsearch" command, as shown below:
# time ldapsearch -LLL  -H <DC connection> -x  -D <User name> -w <password> -E pr=1000/noprompt -b <User Base DN> "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=<Any User ID>))" SAMAccountName
e.g.:
# time ldapsearch -LLL  -H ldap://2k8r2-dc1.2k8r2-vcloud.local:389 -x  -D 'administrator@2k8r2-vcloud.local' -w 'pa$$w0rd' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=newuser))" SAMAccountName

The response time is the value beside "real" at the end of the output, as shown below:
dn: CN=new user,CN=Users,DC=2k8r2-vcloud,DC=local
sAMAccountName: newuser
# pagedresults: cookie=
real    0m0.010s
user    0m0.000s
sys     0m0.000s
Notes: When connecting using LDAPS (usually port 636) instead of LDAP (usually port 389), you may get the error below if the certificate presented by the LDAP server is not signed by a CA trusted on the AM server.
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)

The workaround is to set the LDAPTLS_REQCERT environment variable to "never", which makes the ldapsearch client skip server-certificate verification for this test (a diagnostic workaround only; it does not change what the AM server itself trusts), and then run the "ldapsearch" command as shown below:
 
# export LDAPTLS_REQCERT=never
# time ldapsearch -LLL  -H ldaps://2k8r2-dc1.2k8r2-vcloud.local:636 -x  -D 'administrator@2k8r2-vcloud.local' -w 'support1!' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(objectClass=User)(objectcategory=person)(SAMAccountName=newuser))" SAMAccountName
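The following script is an added example, not part of the RSA article: it wraps the connectivity and response-time checks above in one function, reads the bind password from a file with ldapsearch's -y option instead of passing it with -w (so it stays out of shell history and ps output), and labels the result using the error texts the article lists, including the LDAPS certificate error from the Notes. It assumes a Linux host with the OpenLDAP client tools and GNU date; the function names and the label strings are our own.

```shell
#!/bin/bash
# Added example (not from the RSA article). Assumes Linux, OpenLDAP ldapsearch, GNU date.

# classify_result <exit_code> <stderr_text> -> one label per outcome the article lists
classify_result() {
    code="$1"
    err="$2"
    case "$err" in
        *"certificate verify failed"*)  echo "TLS_CERT_UNTRUSTED" ;;   # LDAPS, CA not trusted on the AM server
        *"Can't contact LDAP server"*)  echo "NO_CONNECTIVITY" ;;      # network, port or DNS problem
        *"Invalid credentials"*)        echo "INVALID_CREDENTIALS" ;;  # LDAP result code 49
        *)
            if [ "$code" -eq 0 ]; then echo "OK"; else echo "OTHER_ERROR_$code"; fi ;;
    esac
}

# ad_data_code <stderr_text> -> the Active Directory "data NNN" sub-code from a bind error (e.g. 52e), or ""
ad_data_code() {
    printf '%s\n' "$1" | sed -n 's/.*data \([0-9a-f]*\),.*/\1/p' | head -n 1
}

# check_identity_source <ldap-uri> <bind-dn> <base-dn> <user-id> <password-file>
# Runs the article's query once. The password file is used verbatim by -y, so create it
# without a trailing newline (printf '%s' "$pw" > pw.txt) and chmod 600 it.
check_identity_source() {
    uri="$1"; binddn="$2"; basedn="$3"; userid="$4"; pwfile="$5"
    errfile=$(mktemp)
    start=$(date +%s.%N)
    if ldapsearch -LLL -H "$uri" -x -D "$binddn" -y "$pwfile" -E pr=1000/noprompt -b "$basedn" \
         "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=$userid))" SAMAccountName \
         2>"$errfile"; then rc=0; else rc=$?; fi
    end=$(date +%s.%N)
    err=$(cat "$errfile"); rm -f "$errfile"
    label=$(classify_result "$rc" "$err")
    code=$(ad_data_code "$err")
    # Same figure the article reads from "real", computed from wall-clock timestamps
    elapsed=$(awk -v s="$start" -v e="$end" 'BEGIN { printf "%.3f", e - s }')
    echo "result=$label${code:+ ad_data=$code} elapsed=${elapsed}s"
}

# Usage with the article's example values:
#   ./check_idsource.sh ldap://2k8r2-dc1.2k8r2-vcloud.local:389 'administrator@2k8r2-vcloud.local' \
#       'cn=Users,dc=2k8r2-vcloud,dc=local' newuser ./pw.txt
if [ "$#" -eq 5 ]; then check_identity_source "$@"; fi
```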
