How to test access to Active Directory and LDAP endpoints using 'ldapsearch' in RSA Identity Governance & Lifecycle
Originally Published: 2014-12-19
Applies To
RSA Version/Condition: All
Platform: SUSE Linux, Red Hat Enterprise Linux (RHEL)
Issue
Resolution
$ ldapsearch
usage: ldapsearch [options] filter [attributes...]
where:
filter RFC-1558 compliant LDAP search filter
attributes whitespace-separated list of attributes to retrieve
(if no attribute list is given, all are retrieved)
options:
-n show what would be done but don't actually search
-v run in verbose mode (diagnostics to standard output)
-t write values to files in /tmp
-u include User Friendly entry names in the output
-A retrieve attribute names only (no values)
-B do not suppress printing of non-ASCII values
-L print entries in LDIF format (-B is implied)
-X print entries in XML format
-R do not automatically follow referrals
-d level set LDAP debugging level to `level'
-F sep print `sep' instead of `=' between attribute names and values
-S attr sort the results by attribute `attr'
-f file perform sequence of searches listed in `file'
-b basedn base dn for search
-s scope one of base, one, or sub (search scope)
-a deref one of never, always, search, or find (alias dereferencing)
-l time lim time limit (in seconds) for search
-z size lim size limit (in entries) for search
-D binddn bind dn
-w passwd bind passwd (for simple authentication)
-h host ldap server
-p port port on ldap server
-W Wallet Wallet location
-P Wpasswd Wallet Password
-U SSLAuth SSL Authentication Mode
-q prompt for simple bind password
-Q prompt for SSL wallet password
-E charset Character Set Encoding
-M send ManageDsaIT control to server
-G send RequiredAttribute control to server
-C send connectBy control to server
-T [-]sort_attr send serverSort control to server
-j page_size send Paging control to server
For more complete documentation on ldapsearch, type the following at the command line prompt:
$ man ldapsearch
EXAMPLE
The following example illustrates retrieving a single record from an Active Directory server.
Log in to the RSA Identity Governance & Lifecycle server as either the root user or the oracle user.
$ ldapsearch -h 192.168.26.120 -p 389 -D Administrator@2k8r2-vcloud.local -w <password> -z 1 -b 'ou=us,ou=vcloud users, dc=2k8r2-vcloud,dc=local' '(&(objectClass=User) (objectcategory=person))'
CN=Book\, Rita,OU=US,OU=vcloud Users,DC=2k8r2-vcloud,DC=local
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=user
cn=Book, Rita
sn=Book
c=US
l=Pittsfield
st=NH
title=Captain
postalCode=03263
telephoneNumber=XXX-999-99
givenName=Radi
distinguishedName=CN=Book\, Rita,OU=US,OU=vcloud Users,DC=2k8r2-vcloud,DC=local
instanceType=4
whenCreated=20191017170713.0Z
whenChanged=20191017170713.0Z
displayName=Book, Rita
uSNCreated=464053
uSNChanged=464057
streetAddress=12 Main Street
name=Book, Rita
objectGUID=NOT ASCII
userAccountControl=66048
badPwdCount=0
codePage=0
countryCode=0
badPasswordTime=0
lastLogoff=0
lastLogon=0
pwdLastSet=130265032330795255
primaryGroupID=513
objectSid=NOT ASCII
accountExpires=9223372036854775807
logonCount=0
sAMAccountName=RBook
sAMAccountType=805306368
userPrincipalName=RBook@2k8r2-vcloud.local
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=2k8r2-vcloud,DC=local
dSCorePropagationData=16010101000000.0Z
mail=Rita.Book@armyspy.com
ldap_search: Sizelimit exceeded
where:
| Option | Description |
|---|---|
| -h host | ldap server |
| -p port | port on the ldap server |
| -D | bind dn |
| -w passwd | bind passwd (for simple authentication) |
| -z size lim | size limit (in entries) for search |
| -b basedn | base dn for search |
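The final line of the output above, ldap_search: Sizelimit exceeded, is expected when -z 1 is used and more than one entry matches: the bind and search both succeeded and the server stopped after one entry. The following added example (not part of the original article or of RSA's tooling) classifies captured ldapsearch output on that basis; the function name, verdict strings and the bad-bind sample message are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: turn ldapsearch output into a single verdict for a connectivity test.
# Typical use (merging stderr so the diagnostic line is seen; -q prompts for the
# bind password instead of passing it with -w on the command line):
#   ldapsearch -h HOST -p 389 -D BINDDN -q -z 1 -b BASEDN FILTER 2>&1 | classify_ldap_test

classify_ldap_test() {
    awk '
        /^ldap_[a-z_]+:/ {              # diagnostic line, e.g. "ldap_search: Sizelimit exceeded"
            diag = $0
            next
        }
        /^[A-Za-z][A-Za-z0-9;-]*=/ {    # attr=value line (the entry DN line also matches)
            attrs++
        }
        END {
            # With -z N, a size-limit diagnostic after returned data means success.
            if (diag ~ /Sizelimit exceeded/ && attrs > 0) { print "OK_TRUNCATED"; exit 0 }
            # Any other diagnostic (or a size limit with no data) is a failed test.
            if (diag != "") { print "FAIL: " diag; exit 1 }
            if (attrs > 0)  { print "OK"; exit 0 }
            # No diagnostic and no data: nothing matched the base DN and filter.
            print "NO_ENTRIES"; exit 1
        }
    '
}

# Constructed sample, trimmed from the output shown in the article.
sample_truncated() {
    cat <<'EOF'
CN=Book\, Rita,OU=US,OU=vcloud Users,DC=2k8r2-vcloud,DC=local
objectClass=top
sAMAccountName=RBook
ldap_search: Sizelimit exceeded
EOF
}

# Constructed sample; the message text is an assumption modelled on the
# "ldap_<call>: <text>" form of the diagnostic line in the article.
sample_bad_bind() {
    printf '%s\n' 'ldap_bind: Invalid credentials'
}

sample_truncated | classify_ldap_test          # prints OK_TRUNCATED
sample_bad_bind | classify_ldap_test || true   # prints FAIL: ldap_bind: Invalid credentials
```
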