000036645 - How to troubleshoot the LDAP Users in RSA Archer

Document created by RSA Customer Support Employee on Oct 29, 2018. Last modified by RSA Customer Support Employee on Oct 29, 2018.
Version 2

Article Content

Article Number: 000036645
Applies To:
RSA Product Set: RSA Archer Suite
RSA Product/Service Type: RSA Archer (On-Premise)
RSA Version/Condition: 6.3.x and 6.4.x
Platform: Windows
 
Issue
The purpose of this article is to explain how to troubleshoot LDAP Users/Groups in Archer.
This article covers:
  1. Troubleshooting LDAP Users using the Microsoft Debug view
  2. Troubleshooting LDAP Users/Groups using the TestLDAPSchema page
Resolution

  1. Troubleshoot the LDAP Users using the Microsoft Debug view



  • You can use the Microsoft Debug view tool to troubleshoot LDAP users in Archer.

          This tool is free and can be downloaded from the following link: https://docs.microsoft.com/en-us/sysinternals/downloads/debugview


  • Extract the zip file and install the Microsoft Debug view tool 
  • Before running the Microsoft Debug view tool, you will need to find out the "Process ID" of the process performing LDAP Sync:
    • Open Windows Task Manager and click on the Details Tab
    • The LDAP Sync process is called "Archer.Services.DataFeedService.exe"
    • Note down the Process ID from the PID column (in this case 3084)



  • Open the Microsoft Debug view tool
  • Go to Filter (funnel icon within Debug view) and open the filter. By default, the filter uses the "*" (wild card) under the section "Include" to capture information on all running processes in Windows.



  • Since we want to capture only the LDAP Sync process, filter the Microsoft Debug view tool accordingly: under the section "Include", use the filter [LDAP Sync process ID], then click OK.

  • Then click Capture and enable Capture Global Win32



  • The output then appears in the Debug view window, showing the LDAP service capturing normal traffic. If there were errors with LDAP traffic, these may appear as well.



  • Once a new LDAP username is added to Active Directory and the LDAP Sync runs in Archer, the new LDAP username will show in the Debug view output.




  2. Troubleshoot the LDAP Users/Groups using the TestLDAPSchema page


When you configure LDAP in Archer, you may use a filter to pull LDAP Users/Groups. Archer comes with the "TestLDAPSchema.aspx" tool, which can be found at "..\Program Files\RSA Archer\Tools\Utilities\LdapTestPage". The tool can be used to test the LDAP configuration before actually running it in Archer. It can also be used to check the LDAP Users/Groups filter: for instance, if you are unable to pull LDAP Users/Groups into Archer, you can use this tool to test and verify your filter. Here is how to use the "TestLDAPSchema.aspx" tool:

  • Navigate to C:\Program Files\RSA Archer\Tools\Utilities\LdapTestPage (root directory may vary)



  • Copy the "TestLDAPSchema.aspx" file to the Web Server
  • On the Web Server, go to C:\inetpub\wwwroot\RSAarcher (root directory may vary)
  • Paste the "TestLDAPSchema.aspx" file into this directory



  • Log in to Archer (you must have an established session for this to work, so log in to Archer first)
  • Go to the Archer Control Panel and find the Base URL of the Archer instance. Copy it to a text file, then append "TestLDAPSchema.aspx" to the Base URL. For instance, if your Archer Base URL is https://Server_name/RSAarcher, then appending "TestLDAPSchema.aspx" gives https://Server_name/RSAarcher/TestLDAPSchema.aspx
  • Then paste it into the browser; this will bring up the TestLDAPSchema page:



  • You will need the ID of the LDAP configuration, found as follows:
    • Log in to the Archer UI
    • In Archer, navigate to: Administration > Access Control > Manage LDAP Configurations
    • Hover your mouse over the LDAP configuration in question. At the bottom right-hand corner of the page, you will notice the ID: number for the LDAP configuration.



  • Enter that ID: number on the "TestLDAPSchema" page and click "Load LDAP Config". This populates the test page with all the settings of your LDAP configuration.


 

  • Next, populate the filter: copy the existing filter from the Archer LDAP configuration and paste it into the Filter field on the "TestLDAPSchema" page. Then click "Query for Users" (or one of the other options). The output of "Query for Users" returns the usernames and their group membership plus other attributes. The TestLDAPSchema page thus helps you find out whether you are able to pull the usernames and their group membership. For instance, if you are unable to pull usernames and their group membership with the Archer LDAP configuration, you can use the TestLDAPSchema page to see whether you get the same behaviour; if so, go back to your Windows Administrator to check the LDAP server.
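
Running the same filter directly against the directory from PowerShell gives an independent check that helps separate a filter or directory problem from an Archer problem. This is an added example, not RSA's code or part of the original article; the server name, base DN and default filter are placeholder assumptions.

```powershell
# Added example (not part of the RSA article): run an LDAP filter directly
# against the directory and list each matching user with group membership.
# $Server, $BaseDn and the default $Filter are placeholders (assumptions);
# pass the filter from the Archer LDAP configuration via -Filter.
param(
    [string]$Server     = 'dc01.example.com',
    [string]$BaseDn     = 'DC=example,DC=com',
    [string]$Filter     = '(&(objectCategory=person)(objectClass=user))',
    [int]   $MaxResults = 25
)

Add-Type -AssemblyName System.DirectoryServices

# Binds as the account running the script. To compare like with like, run it
# as the bind account used in the Archer LDAP configuration.
$root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$BaseDn")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = $Filter
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 500   # paged search, so large result sets are not cut off
foreach ($attr in 'sAMAccountName', 'distinguishedName', 'memberOf') {
    [void]$searcher.PropertiesToLoad.Add($attr)
}

$results = $null
try {
    $results = $searcher.FindAll()
    $count = 0
    foreach ($r in $results) {          # bind and filter errors surface here
        if ($count -ge $MaxResults) { break }
        $count++
        [pscustomobject]@{
            User   = $r.Properties['samaccountname'] | Select-Object -First 1
            DN     = $r.Properties['distinguishedname'] | Select-Object -First 1
            # memberOf omits the primary group (e.g. Domain Users)
            Groups = @($r.Properties['memberof']) -join '; '
        }
    }
    if ($count -eq 0) {
        Write-Warning "Filter returned no entries under $BaseDn. Check the filter, base DN and bind account."
    }
}
catch {
    Write-Error "LDAP query failed: $($_.Exception.Message)"
}
finally {
    if ($null -ne $results) { $results.Dispose() }   # releases unmanaged handles
    $root.Dispose()
}
```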
