How to check the connectivity and response time of an Identity source for RSA Authentication Manager using ldapsearch
Originally Published: 2016-07-18
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1, 8.2, 8.3
Issue
Resolution
- Open an SSH session to the AM server.
- Run the following command:
# ldapsearch -LLL -H <DC connection> -x -D <User name> -w <password> -E pr=1000/noprompt -b <User Base DN> "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=<Any User ID>))" SAMAccountName
e.g.:
# ldapsearch -LLL -H ldap://2k8r2-dc1.2k8r2-vcloud.local:389 -x -D 'administrator@2k8r2-vcloud.local' -w 'pa$$w0rd' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=newuser))" SAMAccountName
If the connectivity is OK, the output of the command should look like:
dn: CN=new user,CN=Users,DC=2k8r2-vcloud,DC=local
sAMAccountName: newuser
# pagedresults: cookie=
If the credentials are incorrect, you will get the error below:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
If there is a network connectivity error you will get the below error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The response time of the Identity source can be checked by prepending the "time" command to the "ldapsearch" command as shown below:
# time ldapsearch -LLL -H <DC connection> -x -D <User name> -w <password> -E pr=1000/noprompt -b <User Base DN> "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=<Any User ID>))" SAMAccountName
e.g.:
# time ldapsearch -LLL -H ldap://2k8r2-dc1.2k8r2-vcloud.local:389 -x -D 'administrator@2k8r2-vcloud.local' -w 'pa$$w0rd' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=newuser))" SAMAccountName
The response time is the value beside "real" at the end of the output, as shown below:
dn: CN=new user,CN=Users,DC=2k8r2-vcloud,DC=local
sAMAccountName: newuser
# pagedresults: cookie=
real 0m0.010s
user 0m0.000s
sys 0m0.000s
Notes
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)
The workaround is to set the LDAPTLS_REQCERT environment variable to "never" (the client then does not verify the server certificate), and then run the "ldapsearch" command as shown below:
# export LDAPTLS_REQCERT=never
# time ldapsearch -LLL -H ldaps://2k8r2-dc1.2k8r2-vcloud.local:636 -x -D 'administrator@2k8r2-vcloud.local' -w 'support1!' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(objectClass=User)(objectcategory=person)(SAMAccountName=newuser))" SAMAccountName
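The script below is an added example, not part of the original article or any RSA tooling. It sorts the output of the ldapsearch check into the cases shown above (success, invalid credentials, unreachable server, untrusted certificate) and decodes the Active Directory "data" sub-code such as 52e. The function names and result labels are hypothetical. LDAPTLS_CACERT is the OpenLDAP client variable that names a CA certificate file.

```shell
#!/bin/sh
# Added example: classify the output of the ldapsearch check (stdout+stderr).
# Function names and result labels are hypothetical, not RSA or OpenLDAP names.

# Map the Active Directory sub-code (hex value after "data ") to its meaning.
ad_subcode_reason() {
  case "$1" in
    525) echo "user not found" ;;
    52e) echo "invalid credentials" ;;
    530) echo "logon not permitted at this time" ;;
    531) echo "logon not permitted from this workstation" ;;
    532) echo "password expired" ;;
    533) echo "account disabled" ;;
    701) echo "account expired" ;;
    773) echo "user must reset password" ;;
    775) echo "account locked out" ;;
    *)   echo "unrecognised sub-code" ;;
  esac
}

# Print one result line for the ldapsearch output passed as $1.
classify_ldapsearch() {
  _out=$1
  if printf '%s\n' "$_out" | grep -q 'certificate verify failed'; then
    # Tested first: the TLS failure also contains "Can't contact LDAP server".
    echo "TLS_TRUST: set LDAPTLS_CACERT to the issuing CA file, then retest"
  elif printf '%s\n' "$_out" | grep -q "Can't contact LDAP server"; then
    echo "UNREACHABLE: check name resolution, routing and the LDAP port"
  elif printf '%s\n' "$_out" | grep -q 'Invalid credentials (49)'; then
    _code=$(printf '%s\n' "$_out" |
      sed -n 's/.*, data \([0-9a-fA-F]*\),.*/\1/p' | head -n 1)
    echo "BIND_FAILED: data ${_code:-none} ($(ad_subcode_reason "$_code"))"
  elif printf '%s\n' "$_out" | grep -qi '^dn: '; then
    echo "OK: bind and search succeeded"
  else
    echo "UNKNOWN: no entry returned and no recognised error"
  fi
}

# Sample input: the bind error quoted in this article.
sample="ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1"
classify_ldapsearch "$sample"
```

To use it against a live check, capture both streams of the ldapsearch command (append `2>&1` inside a command substitution) and pass the captured text to classify_ldapsearch.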