How to check the connectivity and response time of an Identity source for RSA Authentication Manager using ldapsearch
Originally Published: 2016-07-18
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1, 8.2, 8.3
Issue
Resolution
- Open an SSH session to the AM server.
- Run the below command:
# ldapsearch -LLL -H <DC connection> -x -D <User name> -w <password> -E pr=1000/noprompt -b <User Base DN> "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=<Any User ID>))" SAMAccountName
e.g.:
# ldapsearch -LLL -H ldap://2k8r2-dc1.2k8r2-vcloud.local:389 -x -D 'administrator@2k8r2-vcloud.local' -w 'pa$$w0rd' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=newuser))" SAMAccountName
If the connectivity is OK, the output of the command should look like:
dn: CN=new user,CN=Users,DC=2k8r2-vcloud,DC=local
sAMAccountName: newuser

# pagedresults: cookie=
If the credentials are incorrect you will get the below error:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
If there is a network connectivity error you will get the below error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The response time of the Identity source can be checked by prepending the "time" command to the "ldapsearch" command as shown below:
# time ldapsearch -LLL -H <DC connection> -x -D <User name> -w <password> -E pr=1000/noprompt -b <User Base DN> "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=<Any User ID>))" SAMAccountName
e.g.:
# time ldapsearch -LLL -H ldap://2k8r2-dc1.2k8r2-vcloud.local:389 -x -D 'administrator@2k8r2-vcloud.local' -w 'pa$$w0rd' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=newuser))" SAMAccountName
The response time is the value beside "real" at the end of the output, as shown below:
dn: CN=new user,CN=Users,DC=2k8r2-vcloud,DC=local
sAMAccountName: newuser

# pagedresults: cookie=

real 0m0.010s
user 0m0.000s
sys 0m0.000s
Notes
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)
The workaround is to set the LDAPTLS_REQCERT environment variable to "never", which stops ldapsearch from verifying the server certificate, and then run the "ldapsearch" command as shown below:
# export LDAPTLS_REQCERT=never
# time ldapsearch -LLL -H ldaps://2k8r2-dc1.2k8r2-vcloud.local:636 -x -D 'administrator@2k8r2-vcloud.local' -w 'support1!' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(objectClass=User)(objectcategory=person)(SAMAccountName=newuser))" SAMAccountName
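The error outputs quoted in the Resolution and Notes sections can be told apart by a script. The following is an added example, not part of the RSA article: the function names and result labels are assumptions, and it goes beyond the article by decoding the Active Directory "data" sub-code on the error 49 line and by reading the bind password from a file with -y instead of passing it with -w.

```shell
#!/bin/sh
# Added example, not from the RSA article. Function names and result labels are
# assumptions; the matched strings are the ldapsearch errors quoted in the article.

ad_bind_reason() {
    # Decode the "data NNN" sub-code Active Directory appends to an error 49 reply.
    code=$(printf '%s\n' "$1" | sed -n 's/.*, data \([0-9a-fA-F]*\),.*/\1/p' | head -n 1)
    case "$code" in
        525) echo "user-not-found" ;;
        52e) echo "wrong-password" ;;
        532) echo "password-expired" ;;
        533) echo "account-disabled" ;;
        775) echo "account-locked" ;;
        *)   echo "unknown" ;;
    esac
}

classify_ldap_result() {
    # $1 = ldapsearch exit status, $2 = its captured stderr text
    if [ "$1" -eq 0 ]; then
        echo "ok"
        return 0
    fi
    case "$2" in
        # Test for the TLS failure first: that message also contains
        # "Can't contact LDAP server" and would otherwise look like an outage.
        *"certificate verify failed"*) echo "tls-untrusted-cert" ;;
        *"Invalid credentials (49)"*)  echo "bad-credentials:$(ad_bind_reason "$2")" ;;
        *"Can't contact LDAP server"*) echo "unreachable" ;;
        *)                             echo "other" ;;
    esac
}

probe_identity_source() {
    # $1 URI  $2 bind user  $3 password file (no trailing newline)  $4 base DN  $5 user ID
    # -y reads the password from a file, keeping it out of the process list and
    # shell history. $5 is placed in the filter as-is: pass a literal user ID only.
    err=$(ldapsearch -LLL -H "$1" -x -D "$2" -y "$3" -E pr=1000/noprompt -b "$4" \
        "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=$5))" \
        SAMAccountName 2>&1 >/dev/null)
    classify_ldap_result "$?" "$err"
}
```

A "tls-untrusted-cert" result means the issuing CA is not trusted by the client, which is the condition the LDAPTLS_REQCERT workaround bypasses.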