000034356 - How to write an LDAP query filter for RSA Authentication Manager for an LDAP synchronization job

Document created by RSA Customer Support Employee on Nov 30, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 3

Article Content

Article Number: 000034356
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
Issue: This article explains how to write LDAP query filters for an Authentication Manager LDAP synchronization job and addresses issues such as when:
  • No users are found or users are missing from an LDAP synchronization job.
  • Too many users are returned from LDAP query in Authentication Manager.
Resolution: With any LDAP synchronization, the two main issues are whether the base DN is correct and whether the LDAP query filter is syntactically correct and returns the expected results. To see the filter a job uses:
  • In Authentication Manager 6.1, launch Host Mode and select User > LDAP User > List Synchronizations. Highlight the job in question and click Details.
  • In Authentication Manager 7.1 and 8.x, launch the Operations Console and select Deployment Configuration > Identity Sources > Manage Existing. Click the context arrow for the identity source in question and choose View or Edit. Open the Map tab and view the Query Filter value.
 
The base DN is usually just dc=rsa,dc=com, although sometimes it is cn=users,dc=rsa,dc=com.
If your LDAP directory has fewer than 1,000 users, the query filter is usually one of the following:
  • (objectcategory=person)
  • (objectcategory=user)
  • (objectclass=user)
  • (samaccountname=*)
You could also test with a single account, such as (samaccountname=jsmith), to confirm that the base DN and the filter syntax work before widening the filter.
 
Note that if the users in the external identity source do not have first name (givenName) or last name (sn) values populated, the query will not return any results.
 
An LDAP query filter in the synchronization job will usually work for RSA if the same filter works in an LDAP browser such as Microsoft's LDP. Take the defined query filter and test it against one of the configured external identity sources to make sure it does not error out. If the query filter works through LDP but the job still finds no users, the base DN probably needs to be modified: you may be looking in the wrong part of the LDAP tree, so no records are found.
 
If there are 1,000 or more users in AD, break the single query into several smaller queries with filters similar to the examples below. Active Directory returns at most 1,000 entries for a single non-paged search (the default MaxPageSize LDAP policy), which is why a larger directory has to be split by surname range. Of the three filters below, the second retrieves users whose surnames start with H through M; adjacent ranges must share their boundary letter (the upper bound of one range is the lower bound of the next) so that no surname falls between two ranges.
 
"(&(objectclass=user)(sn>=a*)(sn<=h*))"

"(&(objectclass=user)(sn>=h*)(sn<=n*))"

"(&(objectclass=user)(sn>=n*)(sn<=z*))"

Note that in a >= or <= comparison the asterisk is an ordinary character, not a wildcard, and it sorts before the letters, so the last filter above can leave out surnames that start with Z followed by more letters (Zhang sorts after z*). A lower bound with no upper bound, "(&(objectclass=user)(sn>=n))", keeps the last range open and avoids this; the same letter-only bounds can be used for the other ranges.

Troubleshooting


An issue with the query filter produces the error message "Check the Base DN." (the same message a wrong base DN produces), so do not assume that only the base DN is wrong.
Look at the LDAP job [DETAILS] to troubleshoot.
The following are valid filter operators as described in RFC 2254 (superseded by RFC 4515, which keeps the same syntax):
 
Operator               Notation  Usage
and                    &         (&(objectclass=user)(sn=Doe))
or                     |         (|(sn=Doe)(cn=John Doe))
not                    !         (!(sn=Doe))
equal                  =         (cn=John Doe)
present                =*        (sn=*)    # returns all objects that have a surname attribute
equal or greater than  >=        (sn>=J*)  # ordering match: the asterisk is a literal character here, not a wildcard
equal or lesser than   <=        (sn<=J*)

You must always specify a filter when doing a query with sdaceldap. For Novell eDirectory or iPlanet Directory Server this should be at least a wildcard filter such as (sn=*), which finds all objects that have a surname (sn) attribute and so limits the search to users; on Microsoft Active Directory it should be at least "(objectclass=user)".
To put the filter into a query, use the following as an example (one command, wrapped here for readability):
ace/utils/toolkit/sdaceldap -h ldapserver -p 389 -D "administrator@mycompany.com" -w password \
-b "OU=sales,DC=mycompany,DC=com" -s sub -d import -o output.csv -m active.map "(&(objectclass=user)(sn=Doe))"
Note that a bind password passed with -w appears on the command line, so it is visible in the process list and is saved in the shell history.

You must put quotes around your completed LDAP filter so that sdaceldap parses the query correctly and applies the entire filter; without them the shell treats the parentheses, "|", "&" and "!" as its own syntax. If you are using the GUI for automatic LDAP jobs in ACE/Server 5.1, do not include the surrounding quotes.
Filters can be nested by grouping terms in parentheses. The following search finds all objects with an objectClass of Person that have either a last name of Smith or a first name of John:
(&(objectClass=Person)(|(sn=Smith)(givenname=John)))

A typical query filter contains a term that limits the object type to users (for example objectclass=user, or sn=* on directories without that class) and may include another term to reduce the number of records returned or to capture just the members of a particular group.
An Active Directory example to capture all dialup users:
(&(objectcategory=user)(msNPAllowDialin=TRUE))

A filter to capture all members of an Active Directory group:
(&(objectclass=user)(memberOf=CN=SecurID,CN=Users,DC=atslab,DC=rsasecurity,DC=com))
Note that memberOf holds direct group membership only, so users who belong to SecurID only through a nested group are not returned by this filter.
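The filter parser and evaluator below is an added example written for this article; it is not RSA's code and not part of Authentication Manager or sdaceldap. It covers the operator table, the combined and group filters, and the surname-range split for directories with 1,000 or more users, so a filter can be checked for syntax and for the entries it selects before it goes into a sync job. The directory it searches is a handful of constructed entries under an assumed base DN DC=mycompany,DC=com; attribute names follow Active Directory, and the evaluator approximates the server's case-insensitive ordering match with plain case-folded string comparison, so its >= and <= results show the semantics rather than the exact collation of a real server.

```python
"""Added example (not RSA's code): a minimal RFC 2254 LDAP filter parser and evaluator run
offline against constructed AD-style entries, to check a sync-job filter before it goes into AM."""
import re
_BASE = "DC=mycompany,DC=com"        # assumed domain, not taken from the article
SECURID_GROUP = f"CN=SecurID,CN=Users,{_BASE}"

def _user(sam, sn=None, given=None, **extra):   # constructed AD-style user entry
    e = {"objectclass": ["top", "person", "organizationalperson", "user"],   # names lower-cased,
         "objectcategory": [f"CN=Person,CN=Schema,CN=Configuration,{_BASE}"],  # values as lists
         "samaccountname": [sam], "sn": [sn] if sn else None, "givenname": [given] if given else None}
    e.update({k.lower(): v if isinstance(v, list) else [v] for k, v in extra.items()})
    return {k: v for k, v in e.items() if v is not None}

ENTRIES = [  # constructed sample directory
    _user("aadams", "Adams", "Alice", memberOf=SECURID_GROUP),
    _user("hhall", "Hall", "Henry", msNPAllowDialin="TRUE"),
    _user("jsmith", "Smith", "John"),
    _user("mmiller", "Miller", "Mary", memberOf=SECURID_GROUP),
    _user("nnguyen", "Nguyen", "Nam"),
    _user("zzhang", "Zhang", "Zoe"),
    _user("svc-backup"),             # service account with no sn or givenName
    {"objectclass": ["top", "group"], "samaccountname": ["SecurID"],
     "objectcategory": [f"CN=Group,CN=Schema,CN=Configuration,{_BASE}"]},
]
_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(>=|<=|~=|=)(.*)", re.S)

def parse(text):
    """Parse a filter string into a tree; raises ValueError on bad syntax."""
    node, end = _parse(text.strip(), 0)
    if end != len(text.strip()):
        raise ValueError(f"trailing characters after the filter at offset {end}")
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    if i + 1 < len(s) and s[i + 1] in "&|!":            # (&...), (|...), (!...)
        op, kids, i = s[i + 1], [], i + 2
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unbalanced parentheses near offset {i}")
        if op == "!" and len(kids) != 1:
            raise ValueError("'!' takes exactly one sub-filter")
        return (op, kids), i + 1
    j = s.find(")", i)                                  # simple item: attr op value
    m = _ITEM.fullmatch(s[i + 1:j]) if j > i else None
    if not m:
        raise ValueError(f"bad filter item at offset {i}")
    attr, op, value = m.groups()
    return ("present" if op == "=" and value == "*" else op, attr.lower(), value), j + 1

def _match_item(op, attr, value, entry):
    """One assertion; an absent attribute is FALSE. Backslash escapes are not decoded; ~= acts as =."""
    values = entry.get(attr, [])
    if op == "present":
        return bool(values)
    v = value.lower()
    if attr == "objectcategory":                    # AD lets a class name stand for its schema DN
        v = {"user": "person"}.get(v, v)            # class 'user' defaults to category Person
        values = [x.split(",")[0].split("=", 1)[1] for x in values]
    for x in (x.lower() for x in values):
        if op in ("=", "~="):                       # '*' is a wildcard only in an equality match
            if re.fullmatch(".*".join(re.escape(p) for p in v.split("*")), x):
                return True
        elif (op == ">=" and x >= v) or (op == "<=" and x <= v):
            return True                             # ordering match: '*' is an ordinary character
    return False

def evaluate(node, entry):
    op, rest = node[0], node[1:]
    if op in ("&", "|"):
        return (all if op == "&" else any)(evaluate(k, entry) for k in rest[0])
    if op == "!":
        return not evaluate(rest[0][0], entry)
    return _match_item(op, *rest, entry)

def search(filter_text, entries=ENTRIES):
    """Sorted sAMAccountNames of the entries the filter returns."""
    tree = parse(filter_text)
    return sorted(e["samaccountname"][0] for e in entries if evaluate(tree, e))

def check_filter(filter_text):
    """None if the filter parses cleanly, else the syntax error message."""
    try:
        parse(filter_text)
    except ValueError as exc:
        return str(exc)

def surname_ranges(boundaries, scope="(objectclass=user)"):
    """Split one query into surname ranges for a directory that caps results (AD's default
    MaxPageSize is 1000). Bare-letter bounds, '>=' below and a negated '>=' above, give ranges
    with no overlap and no gap; the last range is left open so surnames such as Zhang are kept."""
    letters = [b.lower() for b in boundaries]
    out = []
    for lo, hi in zip([None] + letters, letters + [None]):   # (sn=*) keeps entries without sn out
        items = [scope, "(sn=*)"] + ([f"(sn>={lo})"] if lo else []) + ([f"(!(sn>={hi}))"] if hi else [])
        out.append("(&" + "".join(items) + ")")
    return out
```

Running search() on the article's third range filter, "(&(objectclass=user)(sn>=n*)(sn<=z*))", returns jsmith and nnguyen but not zzhang, while surname_ranges("hn") yields three filters whose results together equal those of (&(objectclass=user)(sn=*)) with no entry selected twice. check_filter("(&(objectclass=user)(sn=Doe)") reports the unbalanced parenthesis; when a job fails with "Check the Base DN.", passing the filter through this check first separates a syntax problem from a base DN problem.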

If you are using sdldapsync in RSA ACE/Server 5.1, you will need a hot fix to use the or operator "|". Contact RSA Security Customer Support to obtain hot fix tst34482.
