Guide to Microsoft Active Directory LDAP synchronization with RSA Authentication Manager
1. Determine Your BaseDN:
Open Active Directory Users and Computers from Administrator tools. Under the machine name is a plus with a suffix next to it, e.g. northamerica.rsasecurity.com. This would make the BaseDN dc=northamerica,dc=rsasecurity,dc=com. If you wanted to start your search from the Users container, your BaseDN would be cn=users,dc=northamerica,dc=rsasecurity,dc=com
2. Understanding the Scope:
Base only restricts the query to the exact record of the baseDN, basically allowing you to sync one record. One Level restricts the query to the baseDN container and will not traverse. All sublevels will search recursively beneath the baseDN's container.
3. Creating an LDAP Query Filter:
This accepts RFC compliant LDAP queries. There are many different syntax for this, our implementation is based on the Sun LDAP SDK. Microsoft Active Directory uses objectcategory as an indexed attribute, which means it is very fast to use this in your search. Here are some examples:
Query all users in A.D. objectcategory=person
Query records of users and members of the Administrators group: (&(objectcategory=person)(memberof=CN=Administrators,CN=Builtin,DC=northamerica,DC=rsa,DC=net))
4. Binding DN:
This is the user that will be used to connect and run the query against A.D. Here are some examples:
email@example.com or cn=administrator,cn=users,dc=northamerica,dc=rsasecurity,dc=com
1. Active Directory has a default limit to the amount of records it is willing to return:
- Windows 2000 has a 1000 record limit
- Windows 2003 has a 1500 record limit
If you are trying to manage more than the above number of users, you have 2 options:
a. Split your query into multiple queries, where each one only retrieves usernames that begin with a certain letter
b. Use the ntdsutil to change the limit in Active Directory
2. RSA can not traverse referrals ( If the A.D. doesn't hold all the users and refers the query to check additional servers). You can make the query force the server to traverse the whole Forest by changing your query port from 389 to 3268.
3. Performance / Speed of query
- Use a more specific BaseDN to search less folders
- Use more attributes to match in your query to limit the amount of records searched
- Use port 3268, which is given a higher priority from A.D. than port 389.
4. Number of users doesn't seem to be right
For Authentication Manager to import a user record they must have a sn and samaccountname, if they are missing these attributes they will be omitted.
A useful tool for building queries is the Sun LDAP SDK which includes a utility ldapsearch. This utility is installed automatically installed on many Solaris 9 or Solaris 10 machines. This utility allows you to test your query, without actually making any changes to the Authentication Manager.
Examples of usage of ldapsearch:
ldapsearch -h domaincontroller.northamerica.rsasecurity.com -D firstname.lastname@example.org -w password -b "dc=northamerica,dc=rsasecurity,dc=com" -s sub (objectcategory=person) Description of what the above command line means -h = hostname -D = BindingDN -w = BindingDN user's password -b = BaseDN (see above on how to determine BaseDN) -s sub (all sublevels) (objectcategory=person) = the query filter
The above ldapsearch will return every record for every user, you can add an additional filter to strip what you are looking for. For instance, to see only relevant fields like sn, givenname, and samaccountname, run the following:
ldapsearch -h domaincontroller.northamerica.rsasecurity.com -D email@example.com -w password -b "dc=northamerica,dc=rsasecurity,dc=com" -s sub (objectcategory=person) sn givenname samaccountname
This would return these records for all users:
dn: sn: givenname: samaccountname:
To construct a query and retrieve all users that are in a group that the user jdoe is in, but if you don't know the memberof syntax, run the following command: