This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Knowledge Base

Find answers to your questions and identify resolutions for known issues with knowledge base articles written by SecurID experts.

Determine the correct root (base DN) and user search filter when configuring an identity source for the RSA SecurID Access Cloud Authentication Service

Article Number

000038760

Applies To

RSA Product Set: RSA SecurID Access
RSA Product/Service Type: Cloud

Issue

When adding an identity source to the RSA Cloud Authentication Service, you must specify a root (base DN) value and a user search filter value to define which user records will be synchronized from that Identity Source to the Cloud.
  • The root determines the node in the Identity Source tree which is the starting point from where users will be synchronized.  For example, DC=company, DC=com.
  • The user search filter specifies which user records within the root should be synchronized to the RSA Cloud Authentication Service.  Only synchronized users can use configured authentication methods.  An example user Search Filter is (&(objectCategory=person)(objectClass=user)).
It can sometimes be difficult to determine the optimal root and user search filter combination that retrieves the exact set of users who should be synchronized to the cloud.  Syntax mistakes can easily be made when designing complex search filters, causing unwanted users to be synchronized or some required users to be omitted.  Experimentation is sometimes required to ensure that the search filter is both syntactically correct and retrieves the correct set of users.
 

Task

The root and user search filter fields of an identity source use standard LDAP string representation of search filters.  RSA recommends using any suitable LDAP browser tool to develop and test base DN and user search filter values, instead of trying to synchronize and check in the RSA Cloud Administration Console itself.   The advantages of using an LDAP browser tool are:
  • LDAP browsers more easily allow you to check the results of a search, compared to doing that from the RSA Cloud Administration Console.
  • You can fix incorrect search filters and re-test quickly.
  • User search filters specified for an identity source can use attributes that are not synchronized to the cloud.  With an LDAP browser, you can review all the attributes on records retrieved, which is useful for checking why search results are not as expected.   In the RSA Cloud Administration Console, you cannot view attributes that are not synchronized to the cloud.
  • Some tools will also come with online help that explains base DN and search filter syntax.

Resolution

  1. Define the correct base DN and user search filter values using an LDAP browser.
  2. Copy and paste them directly from the LDAP browser into the corresponding root and user search filter fields of the RSA Cloud Administration Console's Identity Source configuration.
0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2021-04-24 03:57 AM
Updated by:
Administrator Administrator

Related Content

© 2023 RSA Security LLC or its affiliates. All rights reserved.