Lightweight Directory Access Protocol (LDAP)
1. Determining the BaseDN:
Open Active Directory Users and Computers from Administrative Tools. Under the machine name there is a plus sign with a suffix next to it, e.g. northamerica.rsasecurity.com. This makes the BaseDN dc=northamerica,dc=rsasecurity,dc=com. If you wanted to start your search from the Users container, your BaseDN would be cn=users,dc=northamerica,dc=rsasecurity,dc=com
2. Understanding the Scope:
Base only restricts the query to the single entry at the BaseDN, which effectively lets you sync one record. One Level restricts the query to the immediate contents of the BaseDN container and does not descend into sub-containers. All sublevels searches recursively through everything beneath the BaseDN.
3. Creating an LDAP Query Filter:
This accepts RFC-compliant LDAP queries. There are several different syntaxes for this; our implementation is based on the Sun LDAP SDK. Microsoft Active Directory indexes the objectcategory attribute, so using it in your filter makes the search very fast. Here are some examples:
Query all users in A.D.:
objectcategory=person
Query records of users and members of the Administrators group:
(&(objectcategory=person)(memberof=CN=Administrators,CN=Builtin,DC=northamerica,DC=rsa,DC=net))
4. Binding DN:
This is the account used to connect to A.D. and run the query. Here are some examples:
administrator@northamerica.rsasecurity.com or
cn=administrator,cn=users,dc=northamerica,dc=rsasecurity,dc=com
Troubleshooting:
1. Active Directory has a default limit on the number of records it is willing to return:
- Windows 2000 has a 1000 record limit
- Windows 2003 has a 1500 record limit
If you are trying to manage more than the above number of users, you have 2 options:
a. Split your query into multiple queries, each of which only retrieves usernames that begin with a certain letter
b. Use ntdsutil to change the limit in Active Directory
Both of the above solutions are covered in more depth in How to query large LDAP databases.
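The BaseDN derivation (section 1), the filter syntax (section 3) and the split-by-first-letter workaround above can be scripted. This is an added example, not part of the original article: it derives the BaseDN from the DNS domain, builds filters with RFC 4515 value escaping (so a username copied from elsewhere cannot change the filter's structure) and generates one filter per initial letter of samaccountname.

```python
# Added example, not from the original article: derive the BaseDN from a DNS
# domain, build RFC 4515 filters with escaped values, and split a filter by the
# first letter of samaccountname to stay under Active Directory's size limit.

def base_dn_from_domain(domain: str) -> str:
    """'northamerica.rsasecurity.com' -> 'dc=northamerica,dc=rsasecurity,dc=com'."""
    labels = [p for p in domain.strip().lower().split(".") if p]
    return ",".join(f"dc={label}" for label in labels)

# RFC 4515 requires these characters to be hex-escaped inside a filter value;
# without escaping, a value copied from user input can rewrite the filter logic.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str, allow_wildcard: bool = False) -> str:
    """Escape a value; allow_wildcard keeps '*' for intentional prefix matches."""
    return "".join(ch if (allow_wildcard and ch == "*") else _ESCAPES.get(ch, ch)
                   for ch in value)

def equality(attr: str, value: str, allow_wildcard: bool = False) -> str:
    """(attr=value) with the value escaped."""
    return f"({attr}={escape_filter_value(value, allow_wildcard)})"

def and_filter(*parts: str) -> str:
    """(&(a)(b)...); a single part is returned unchanged."""
    return parts[0] if len(parts) == 1 else "(&" + "".join(parts) + ")"

def split_by_initial(*parts: str, attr: str = "samaccountname",
                     initials: str = "abcdefghijklmnopqrstuvwxyz") -> list:
    """One filter per initial, e.g. (&(objectcategory=person)(samaccountname=a*)),
    so that no single query exceeds the server's record limit."""
    return [and_filter(*parts, equality(attr, f"{c}*", allow_wildcard=True))
            for c in initials]

if __name__ == "__main__":
    base = base_dn_from_domain("northamerica.rsasecurity.com")
    users = equality("objectcategory", "person")
    admins = equality("memberof",
                      "CN=Administrators,CN=Builtin,DC=northamerica,DC=rsa,DC=net")
    print(base)
    print(and_filter(users, admins))   # the Administrators filter from section 3
    for f in split_by_initial(users)[:3]:
        print(f)
```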
2. RSA cannot traverse referrals (if A.D. does not hold all the users and refers the query to additional servers). You can force the server to search the whole forest by changing your query port from 389 to 3268 (the Global Catalog port).
3. Performance / Speed of query
- Use a more specific BaseDN so that fewer containers are searched
- Match on more attributes in your filter to limit the number of records searched
- Use port 3268, which A.D. gives a higher priority than port 389.
4. Number of users doesn't seem to be right
For Authentication Manager to import a user record, the record must have both an sn and a samaccountname attribute; records missing either attribute are omitted.
Query Building:
A useful tool for building queries is the Sun LDAP SDK, which includes the ldapsearch utility. This utility is installed automatically on many Solaris 9 and Solaris 10 machines.
This utility allows you to test your query, without actually making any changes to the Authentication Manager.
Examples of usage of ldapsearch:
ldapsearch -h domaincontroller.northamerica.rsasecurity.com -D administrator@northamerica.rsasecurity.com -w password -b "dc=northamerica,dc=rsasecurity,dc=com" -s sub "(objectcategory=person)"
Description of what the above command line means:
-h = hostname
-D = BindingDN
-w = BindingDN user's password
-b = BaseDN (see above on how to determine the BaseDN)
-s sub = scope (all sublevels)
"(objectcategory=person)" = the query filter (quoted so the shell does not interpret the parentheses)
The above ldapsearch returns every attribute of every user record. You can append a list of attribute names to return only the fields you are looking for. For instance, to see only sn, givenname and samaccountname, run the following:
ldapsearch -h domaincontroller.northamerica.rsasecurity.com -D administrator@northamerica.rsasecurity.com -w password -b "dc=northamerica,dc=rsasecurity,dc=com" -s sub "(objectcategory=person)" sn givenname samaccountname
This would return these records for all users:
dn:
sn:
givenname:
samaccountname:
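The ldapsearch output above is LDIF, and the import rule from Troubleshooting item 4 (a record needs both sn and samaccountname) can be checked against it before a sync. This is an added example, not part of the original article; SAMPLE_LDIF is constructed output in the format shown above, including a base64-encoded attribute (the `sn::` form) and folded continuation lines, which ldapsearch emits for non-ASCII or long values.

```python
# Added example, not from the original article: parse the LDIF that ldapsearch prints
# and list the entries Authentication Manager would omit. SAMPLE_LDIF is constructed.
import base64
REQUIRED = ("sn", "samaccountname")   # attributes Authentication Manager needs

SAMPLE_LDIF = """dn: CN=John Doe,CN=Users,DC=northamerica,DC=rsasecurity,DC=com
sn: Doe
givenname: John
samaccountname: jdoe

dn: CN=Backup Service,CN=Users,DC=northamerica,DC=rsasecurity,DC=com
givenname: Backup
samaccountname: svc_backup

dn: CN=Jane Roe,CN=Users,DC=northamerica,DC=rsasecurity,DC=com
sn:: Um9l
givenname: Jane
"""

def parse_ldif(text: str) -> list:
    """One dict per entry: lowercased attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():          # unfold continuation lines
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):          # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    return [e for e in entries if "dn" in e]

def importable(entry: dict) -> bool:
    return all(entry.get(attr) for attr in REQUIRED)

def omitted_entries(text: str) -> list:
    """DNs of entries that would be skipped at import for lacking a required attribute."""
    return [e["dn"][0] for e in parse_ldif(text) if not importable(e)]
```

Running omitted_entries over the real ldapsearch output explains a user count in Authentication Manager that is lower than the number of records the query returned.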
To construct a query that retrieves all users in a group that the user jdoe is in, you need the exact memberof value. If you do not know the memberof syntax, run the following command:
ldapsearch -h domaincontroller.northamerica.rsasecurity.com -D administrator@northamerica.rsasecurity.com -w password -b "dc=northamerica,dc=rsasecurity,dc=com" -s sub "(samaccountname=jdoe)" memberof
This returns a memberof line for each group that jdoe is a member of.