How to check the connectivity and response time of an Identity source for RSA Authentication Manager using ldapsearch
Originally Published: 2016-07-18
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1, 8.2, 8.3
Issue
Resolution
- Open an SSH session to the AM server.
- Run the below command:
# ldapsearch -LLL -H <DC connection> -x -D <User name> -w <password> -E pr=1000/noprompt -b <User Base DN> "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=<Any User ID>))" SAMAccountName

e.g.:

# ldapsearch -LLL -H ldap://2k8r2-dc1.2k8r2-vcloud.local:389 -x -D 'administrator@2k8r2-vcloud.local' -w 'pa$$w0rd' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=newuser))" SAMAccountName

If the connectivity is OK, the output of the command should look like:

dn: CN=new user,CN=Users,DC=2k8r2-vcloud,DC=local
sAMAccountName: newuser

# pagedresults: cookie=

If the credentials are incorrect you will get the below error:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
If there is a network connectivity error you will get the below error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The response time of the Identity source can be checked by prepending the "time" command to the "ldapsearch" command as shown below:

# time ldapsearch -LLL -H <DC connection> -x -D <User name> -w <password> -E pr=1000/noprompt -b <User Base DN> "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=<Any User ID>))" SAMAccountName

e.g.:

# time ldapsearch -LLL -H ldap://2k8r2-dc1.2k8r2-vcloud.local:389 -x -D 'administrator@2k8r2-vcloud.local' -w 'pa$$w0rd' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=newuser))" SAMAccountName

The response time is the value beside "real" at the end of the output, as shown below:

dn: CN=new user,CN=Users,DC=2k8r2-vcloud,DC=local
sAMAccountName: newuser

# pagedresults: cookie=

real 0m0.010s
user 0m0.000s
sys 0m0.000s
Notes
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)

The workaround is setting the LDAPTLS_REQCERT environment variable to "never", and then running the "ldapsearch" command as shown below:

# export LDAPTLS_REQCERT=never
# time ldapsearch -LLL -H ldaps://2k8r2-dc1.2k8r2-vcloud.local:636 -x -D 'administrator@2k8r2-vcloud.local' -w 'support1!' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(objectClass=User)(objectcategory=person)(SAMAccountName=newuser))" SAMAccountName
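
The connectivity, credential and response-time checks above can be wrapped in one script. This is an added example, not code from RSA's article: the function names and status words are assumptions, the bind password is read from a file with ldapsearch's -y option instead of -w, and for LDAPS the issuing CA is trusted through LDAPTLS_CACERT so certificate verification stays enabled.

```bash
#!/usr/bin/env bash
# Added example (not RSA's code). Function names and status words are assumptions.

# Map ldapsearch's exit code and stderr text to one status word.
classify_ldap_result() {
    local rc="$1" err="$2"
    case "$err" in
        # Checked first: the TLS failure text also contains "Can't contact LDAP server".
        *"certificate verify failed"*) echo "TLS_CERT_UNTRUSTED" ;;
        *"Invalid credentials (49)"*)  echo "BAD_CREDENTIALS" ;;
        *"Can't contact LDAP server"*) echo "UNREACHABLE" ;;
        *) if [ "$rc" -eq 0 ]; then echo "OK"; else echo "ERROR_rc=$rc"; fi ;;
    esac
}

# Usage: check_identity_source URI BIND_DN PASSWORD_FILE BASE_DN USER_ID [CA_FILE]
# Prints "<status> <elapsed>ms" and returns ldapsearch's exit code.
check_identity_source() {
    local uri="$1" bind_dn="$2" pw_file="$3" base_dn="$4" user_id="$5" ca_file="${6:-}"
    local err_file start end rc=0
    # Refuse IDs that would alter the LDAP filter (parentheses, *, backslash, ...).
    case "$user_id" in
        ""|*[!A-Za-z0-9._-]*) echo "INVALID_USER_ID 0ms"; return 2 ;;
    esac
    err_file="$(mktemp)"
    start="$(date +%s%N)"   # GNU date, nanoseconds since the epoch
    (
        # Trust the DC's issuing CA rather than disabling verification.
        if [ -n "$ca_file" ]; then export LDAPTLS_CACERT="$ca_file"; fi
        # -y reads the bind password from a file, keeping it out of ps and shell history.
        ldapsearch -LLL -H "$uri" -x -D "$bind_dn" -y "$pw_file" \
            -E pr=1000/noprompt -b "$base_dn" \
            "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=$user_id))" \
            SAMAccountName >/dev/null 2>"$err_file"
    ) || rc=$?
    end="$(date +%s%N)"
    echo "$(classify_ldap_result "$rc" "$(cat "$err_file")") $(( (end - start) / 1000000 ))ms"
    rm -f "$err_file"
    return "$rc"
}
```

Create the password file with mode 600 and without a trailing newline, since -y uses the file's complete contents as the password.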