How to write LDAP query filter in RSA ACE/Server for an LDAP Synchronization job
Originally Published: 2001-06-13
Article Number
000061029
Applies To
RSA Authentication Manager 6.1
RSA ACE/Server
sdaceldap
ldap sync
ldap synch
Lightweight Directory Access Protocol (LDAP)
LDAP Synchronization job (sdldapsync) LDAP Sync
Issue
How to write LDAP query filter in RSA ACE/Server for an LDAP Synchronization job
No users found or users missing from LDAP sync job
Too many users returned from LDAP query in RSA ACE/Server
Resolution

With any LDAP sync, the two main issues are whether the Base DN is correct and whether the LDAP Query filter is syntactically correct and returns what you want.  If you go to host mode > User > LDAP User > List Synchronizations, highlight your job and click [Details], you can copy and paste those details into an email so I can test them here.

 

The base DN is usually just dc=rsa,dc=com, though it can sometimes be cn=users,dc=rsa,dc=com.

If your LDAP database has fewer than 1000 users, the query filter is usually one of:

objectcategory=person

or

objectcategory=user

or

objectclass=user

or sometimes   samaccountname=*

 

You could also try just one name, as in samaccountname=jguillette

 

I did see an error once where AD did not have first and last names, so the query did not pull anything in.

 

LDAP query filters within the LDAP synch job will usually work for RSA if the same query filter works in an LDAP browser such as Microsoft's LDP.  What we can do is take a look at your LDAP synch job (use host mode > Users > LDAP Users > List Synchronizations > [Details], then copy and paste into your email reply) and test your LDAP Query filter against one of our Active Directory setups to make sure it does not error out.  If your Query Filter works here, then we need to look at your Base DN.  What could be happening is that you are looking in the wrong section of the LDAP tree, so no records are found.

 

If there are 1000 or more users in AD, you will need to break the job down into multiple smaller queries, with query filters something like these three:

"(&(objectclass=user)(sn>=a*)(sn<=h*))"

"(&(objectclass=user)(sn>=h*)(sn<=n*))"            # retrieves users with surnames starting in "h" through "m". NOTE: you must overlap the boundary letters!

"(&(objectclass=user)(sn>=n*)(sn<=z*))"

The error message for this problem tells you to check the Base DN.

Look at the LDAP job [Details] to troubleshoot.

The following are valid filters as described in RFC 2254:

operator            notation    usage
-------------------------------------------------------------------------
and                 "&"         (&(objectclass=user)(sn=Doe))
or                  "|"         (|(sn=Doe)(cn=John Doe))
not                 "!"         (!(sn=Doe))
equal               "="         (cn=John Doe)
present             "=*"        (sn=*)   # returns all objects that have a surname attribute
equal or greater    ">="        (sn>=J*)
less or equal       "<="        (sn<=J*)

You must always specify a filter when doing a query with sdaceldap.  For Novell eDirectory or iPlanet Directory Server this should be at least a wildcard filter such as "(sn=*)", which finds all objects with a surname (sn) attribute and so limits the search to users; on Microsoft Active Directory it should be at least "(objectclass=user)".

To put the filter into a query, use the following as an example:
ace/utils/toolkit/sdaceldap -h ldapserver -p 389 -D "administrator@mycompany.com" -w password -b "OU=sales,DC=mycompany,DC=com" -s sub -d import -o output.csv -m active.map "(&(objectclass=user)(sn=Doe))"

NOTE: You must put quotes around your completed LDAP filter so that sdaceldap will parse the query correctly and apply the entire filter. If you are using the GUI for automatic LDAP jobs in ACE/Server 5.1 do not include the surrounding quotes.

Multiple filters can be combined by using parentheses to group the terms.  The following search will find all objects with an objectClass of Person that have either a last name of Smith or a first name of John:
(&(objectClass=Person)(|(sn=Smith)(givenname=John)))

A typical query filter should contain a term that limits the object type to users (for example objectclass=user or sn=*) and may include another term to reduce the number of records returned or to capture just the members of a particular group of users.

An Active Directory example to capture all dialup users:
(&(objectcategory=user)(msNPAllowDialin=TRUE))

Another filter to capture all members of an Active Directory group:
(&(objectclass=user)(memberOf=CN=SecurID,CN=Users,DC=atslab,DC=securitydynamics,DC=com))
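As an added example (not from the RSA article and not part of sdaceldap or sdldapsync), the following Python script checks that a filter is well-formed RFC 2254 syntax before it is pasted into a sync job, and generates the overlapping surname-range filters described above for directories with 1000 or more users. The function names are the example's own; the filters it runs against are the ones shown in this article, plus one deliberately broken filter constructed to show the syntax check rejecting it.

```python
"""Added example, not from the RSA article or the sdaceldap tool: check that an
LDAP filter is well-formed RFC 2254 syntax before pasting it into a sync job,
and generate the overlapping surname-range filters used for large directories.
"""
import re

# One filter item: attribute, comparison, value. ">=" and "<=" are listed
# before "=" so the regex tries them first.
_ITEM_RE = re.compile(r'^([A-Za-z][A-Za-z0-9.;-]*)(>=|<=|~=|=)(.*)$')


def parse_filter(text):
    """Parse a string filter into a nested tuple tree and raise ValueError
    on a syntax error (missing parenthesis, empty "&", bad item).

    Set operators become (op, [children]); items become (type, attr, value),
    where type is "=", ">=", "<=", "~=" or "=*" for a presence test.
    """
    s = text.strip()
    pos, node = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing characters after filter: %r" % s[pos:])
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != '(':
        raise ValueError("expected '(' at position %d" % i)
    i += 1
    if i >= len(s):
        raise ValueError("unterminated filter")
    op = s[i]
    if op in '&|':
        i += 1
        children = []
        while i < len(s) and s[i] == '(':
            i, child = _parse(s, i)
            children.append(child)
        if not children:
            raise ValueError("%r needs at least one sub-filter" % op)
        node = (op, children)
    elif op == '!':
        i, child = _parse(s, i + 1)
        node = ('!', [child])
    else:
        # A simple item runs to the next ')'; RFC 2254 requires a literal
        # ')' inside a value to be escaped as \29, so this split is safe.
        end = s.find(')', i)
        if end < 0:
            raise ValueError("missing ')' for item at position %d" % i)
        m = _ITEM_RE.match(s[i:end])
        if not m:
            raise ValueError("bad filter item: %r" % s[i:end])
        attr, ftype, value = m.group(1), m.group(2), m.group(3)
        if ftype == '=' and value == '*':
            ftype = '=*'  # presence test such as (sn=*)
        node = (ftype, attr, value)
        i = end
    if i >= len(s) or s[i] != ')':
        raise ValueError("expected ')' at position %d" % i)
    return i + 1, node


def surname_range_filters(base, boundaries):
    """Split one query into overlapping surname ranges, in the form the article
    shows for Active Directory. `base` is the object-type filter such as
    "(objectclass=user)"; `boundaries` is a list of letters such as
    ["a", "h", "n", "z"]. Consecutive ranges share a boundary letter, which
    is the overlap the article insists on so that no surname falls in a gap.
    """
    if len(boundaries) < 2:
        raise ValueError("need at least two boundary letters")
    parse_filter(base)
    filters = []
    for lo, hi in zip(boundaries, boundaries[1:]):
        f = "(&%s(sn>=%s*)(sn<=%s*))" % (base, lo, hi)
        parse_filter(f)  # never emit a filter that would fail in the job
        filters.append(f)
    return filters


if __name__ == "__main__":
    for f in surname_range_filters("(objectclass=user)", ["a", "h", "n", "z"]):
        print(f)
    print(parse_filter("(&(objectClass=Person)(|(sn=Smith)(givenname=John)))"))
    try:
        parse_filter("(&(objectclass=user)(sn=Doe)")  # constructed: missing ')'
    except ValueError as e:
        print("rejected:", e)
```

The generated range filters are printed without surrounding quotes, which is the form the GUI expects; add the quotes yourself when passing them to sdaceldap on the command line, as the note above explains.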

NOTE: If you are using sdldapsync in RSA ACE/Server 5.1, you will need a hot fix to use the or operator "|". Contact RSA Security Customer Support to obtain hot fix tst34482.

Notes
If a large number of objects would be returned by a query, also see How to query large LDAP databases