How to check the connectivity and response time of an Identity source for RSA Authentication Manager using ldapsearch
Originally Published: 2016-07-18
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1, 8.2, 8.3
Issue
Resolution
- Open an SSH session to the AM server.
- Run the below command:
# ldapsearch -LLL -H <DC connection> -x -D <User name> -w <password> -E pr=1000/noprompt -b <User Base DN> "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=<Any User ID>))" SAMAccountName
e.g.:
# ldapsearch -LLL -H ldap://2k8r2-dc1.2k8r2-vcloud.local:389 -x -D 'administrator@2k8r2-vcloud.local' -w 'pa$$w0rd' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=newuser))" SAMAccountName
If the connectivity is OK, the output of the command should look like:
dn: CN=new user,CN=Users,DC=2k8r2-vcloud,DC=local
sAMAccountName: newuser

# pagedresults: cookie=
If the credentials are incorrect you will get the below error:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
If there is a network connectivity error you will get the below error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The response time of the Identity source can be checked by prepending the "time" command to the "ldapsearch" command, as shown below:
# time ldapsearch -LLL -H <DC connection> -x -D <User name> -w <password> -E pr=1000/noprompt -b <User Base DN> "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=<Any User ID>))" SAMAccountName
e.g.:
# time ldapsearch -LLL -H ldap://2k8r2-dc1.2k8r2-vcloud.local:389 -x -D 'administrator@2k8r2-vcloud.local' -w 'pa$$w0rd' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=newuser))" SAMAccountName
The response time is the value beside "real" at the end of the output, as shown below:
dn: CN=new user,CN=Users,DC=2k8r2-vcloud,DC=local
sAMAccountName: newuser

# pagedresults: cookie=

real 0m0.010s
user 0m0.000s
sys 0m0.000s
Notes
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)
The workaround is setting the LDAPTLS_REQCERT environment variable to "never", which makes ldapsearch skip verification of the server certificate, and then running the "ldapsearch" command as shown below:
# export LDAPTLS_REQCERT=never
# time ldapsearch -LLL -H ldaps://2k8r2-dc1.2k8r2-vcloud.local:636 -x -D 'administrator@2k8r2-vcloud.local' -w 'support1!' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(objectClass=User)(objectcategory=person)(SAMAccountName=newuser))" SAMAccountName
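The checks above can be scripted so that the four outcomes this article describes are told apart automatically. The following is an added example, not part of the original article or of RSA's tooling: the function names and status words are hypothetical, and the wrapper assumes an OpenLDAP ldapsearch that supports -y (read the bind password from a file) so the password does not appear on the command line.

```shell
#!/bin/sh
# Added example: classify the result of the ldapsearch probe from this article.
# classify_ldapsearch RC OUTPUT  -> prints one status word (names are hypothetical).
classify_ldapsearch() {
    rc=$1
    out=$2
    case $out in
        # Test for the TLS trust failure first: its first line is the same
        # generic "Can't contact LDAP server (-1)" text as a network failure.
        *"certificate verify failed"*) echo TLS_CERT_UNTRUSTED ;;
        *"Invalid credentials (49)"*)  echo BAD_CREDENTIALS ;;
        *"Can't contact LDAP server"*) echo UNREACHABLE ;;
        *)
            if [ "$rc" -ne 0 ]; then
                echo OTHER_ERROR
            elif printf '%s\n' "$out" | grep -q '^dn: '; then
                echo OK
            else
                # Bind and search succeeded, but no entry matched the user ID.
                echo BIND_OK_NO_MATCH
            fi ;;
    esac
}

# probe_identity_source URI BIND_DN PWFILE BASE_DN USER_ID
# PWFILE holds the bind password with no trailing newline (for example
# written with printf '%s') and should be readable only by its owner.
# On TLS_CERT_UNTRUSTED, exporting LDAPTLS_CACERT with the path of the
# issuing CA certificate keeps verification on, unlike LDAPTLS_REQCERT=never.
probe_identity_source() {
    out=$(ldapsearch -LLL -H "$1" -x -D "$2" -y "$3" -E pr=1000/noprompt \
        -b "$4" \
        "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=$5))" \
        SAMAccountName 2>&1)
    rc=$?
    classify_ldapsearch "$rc" "$out"
}
```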