|Applies To||RSA Product Set: SecurID|
RSA Product/Service Type: Authentication Manager
|Issue||This article provides information on how to write LDAP query filters for Authentication Manager for an LDAP synchronization job and addresses issues such as when:|
|Resolution||With any LDAP synchronization, the two main issues are the base DN being correct and the LDAP query filter being syntactically correct and returning expected results. |
The base DN is usually just dc=rsa, dc=com, although it can sometimes be cn=users, dc=rsa, dc=com.
If your LDAP database has fewer than 1,000 users, the query filter is usually one of the following:
Note that if the external identity source does not have first (givenname) or last name (sn) values populated, the query will not return any results.
LDAP query filters within the LDAP synchronization job will usually work for RSA if the same query filter worked with an LDAP browser such as Microsoft's LDP. Take the defined query filter and test it against one of the defined external identity sources to make sure it does not error out. If the query filter works through LDP, perhaps the base DN needs to be modified: you may be looking in the wrong section of the LDAP tree, so no records are found.
If there are 1,000 or more users in AD, break down your single query into multiple smaller queries, with query filters similar to one of the examples below. The following queries will retrieve users with names starting with H through M. Note that you must overlap the letters.
The error message for an issue with the query filter will be "Check the Base DN."
Look at the LDAP job [DETAILS] to troubleshoot.
The following are valid filters as described in RFC 2254:
You must always specify a filter when doing a query with sdaceldap. For Novell eDirectory or iPlanet Directory Server, this should be at least a wildcard filter such as (sn=*), which finds all objects with a surname (sn) attribute and so limits the search to users only. On Microsoft Active Directory, this should be at least "(objectclass=user)".
To put the filter into a query, use the following as an example:
ace/utils/toolkit/sdaceldap -h ldapserver -p 389 -D "firstname.lastname@example.org" -w password
You must put quotes around your completed LDAP filter so that sdaceldap will parse the query correctly and apply the entire filter. If you are using the GUI for automatic LDAP jobs in ACE/Server 5.1, do not include the surrounding quotes.
Multiple filters can be combined by using parentheses to group the terms. The following search will find all objects with objectClass of Person with either a last name of Smith or a first name of John:
A typical query filter should contain a term that limits the object type to users (i.e., objectclass=user, sn=*) and may include another term to reduce the number of records returned or to capture just the members of a particular group of users.
An Active Directory example to capture all dialup users:
Another filter to capture all members of an Active Directory group would be:
If you are using sdldapsync in RSA ACE/Server 5.1, you will need a hot fix to use the or operator "|". Contact RSA Security Customer Support to obtain hot fix tst34482.
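To check that a filter is syntactically correct before entering it in a synchronization job, the following added example (not from the original article or from RSA) parses the parenthesised and/or/not grouping and simple items of RFC 2254 and escapes literal values. The sample filters, including the Person/Smith/John combination built from the description above, are constructed, and the function names are hypothetical.

```python
import re

# Simple item: attribute, operator (=, ~=, >=, <=), value with no raw parentheses.
# Extensible-match items (attr:rule:=value) are outside this example's scope.
ITEM = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.;-]*(=|~=|>=|<=)[^()]*$")


def parse(f, i=0):
    """Parse one parenthesised filter starting at f[i]; return (tree, next index)."""
    if i >= len(f) or f[i] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if i < len(f) and f[i] in "&|!":
        op, i, kids = f[i], i + 1, []
        while i < len(f) and f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"'{op}' has the wrong number of sub-filters")
        node = (op, kids)
    else:
        end = f.find(")", i)
        if end == -1 or not ITEM.match(f[i:end]):
            raise ValueError(f"malformed item at position {i}")
        node, i = f[i:end], end
    if i >= len(f) or f[i] != ")":
        raise ValueError(f"expected ')' at position {i}")
    return node, i + 1


def check_filter(f):
    """Return the parse tree, or raise ValueError if f is not one complete filter."""
    f = f.strip()
    tree, end = parse(f)
    if end != len(f):
        raise ValueError(f"unexpected text at position {end}")
    return tree


def escape_value(v):
    """Escape RFC 2254 special characters so a literal value cannot change the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in v)


if __name__ == "__main__":
    # Constructed sample filters; the second is missing its final ')'.
    for s in ("(&(objectClass=Person)(|(sn=Smith)(givenName=John)))",
              "(&(objectclass=user)(sn=*)"):
        try:
            print("OK ", check_filter(s))
        except ValueError as e:
            print("BAD", s, "->", e)
```

A filter that passes this check can still return nothing if the base DN points at the wrong part of the tree, so the LDP test described above is still needed.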