How to check the connectivity and response time of an Identity source for RSA Authentication Manager using ldapsearch
Originally Published: 2016-07-18
Article Number
Applies To
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.1, 8.2, 8.3
Issue
Resolution
- Open an SSH session to the AM server.
- Run the below command:
# ldapsearch -LLL -H <DC connection> -x -D <User name> -w <password> -E pr=1000/noprompt -b <User Base DN> "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=<Any User ID>))" SAMAccountName

e.g.:

# ldapsearch -LLL -H ldap://2k8r2-dc1.2k8r2-vcloud.local:389 -x -D 'administrator@2k8r2-vcloud.local' -w 'pa$$w0rd' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=newuser))" SAMAccountName

If the connectivity is OK, the output of the command should look like:

dn: CN=new user,CN=Users,DC=2k8r2-vcloud,DC=local
sAMAccountName: newuser

# pagedresults: cookie=

If the credentials are incorrect you will get the below error:
ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1
If there is a network connectivity error you will get the below error:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The response time of the Identity source can be checked by prepending the "time" command to the "ldapsearch" command as shown below:

# time ldapsearch -LLL -H <DC connection> -x -D <User name> -w <password> -E pr=1000/noprompt -b <User Base DN> "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=<Any User ID>))" SAMAccountName

e.g.:

# time ldapsearch -LLL -H ldap://2k8r2-dc1.2k8r2-vcloud.local:389 -x -D 'administrator@2k8r2-vcloud.local' -w 'pa$$w0rd' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=newuser))" SAMAccountName

The response time is the value beside "real" at the end of the output, as shown below:

dn: CN=new user,CN=Users,DC=2k8r2-vcloud,DC=local
sAMAccountName: newuser

# pagedresults: cookie=

real 0m0.010s
user 0m0.000s
sys 0m0.000s
Notes
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate)

The workaround is setting the LDAPTLS_REQCERT environment variable to "never", and then running the "ldapsearch" command as shown below. With this setting the client does not verify the server certificate, and the export stays in effect for the rest of the shell session, so use it only for this test.

# export LDAPTLS_REQCERT=never
# time ldapsearch -LLL -H ldaps://2k8r2-dc1.2k8r2-vcloud.local:636 -x -D 'administrator@2k8r2-vcloud.local' -w 'support1!' -E pr=1000/noprompt -b 'cn=Users, dc=2k8r2-vcloud, dc=local' "(&(objectClass=User)(objectcategory=person)(SAMAccountName=newuser))" SAMAccountName
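
The error strings shown in this article can be told apart automatically, which is useful when the check runs from a scheduled job. The shell functions below are an added example, not part of the original article or of RSA's tooling; the function names are hypothetical, and the sub-code table lists the commonly documented meanings of Active Directory's "data NNN" value (52e in the output above).

```shell
# AD sub-code ("data NNN") that accompanies LDAP result 49, mapped to its cause.
ad_bind_subcode() {
  case "$1" in
    525) echo "user not found" ;;
    52e) echo "invalid credentials" ;;
    530) echo "logon not permitted at this time" ;;
    531) echo "logon not permitted from this workstation" ;;
    532) echo "password expired" ;;
    533) echo "account disabled" ;;
    701) echo "account expired" ;;
    773) echo "user must reset password" ;;
    775) echo "account locked out" ;;
    *)   echo "unknown sub-code" ;;
  esac
}

# Turn ldapsearch's exit status ($1) and stderr text ($2) into one status word.
# The certificate check comes first: a TLS trust failure is also reported as
# "Can't contact LDAP server (-1)", so testing reachability first would mislabel it.
classify_ldap_error() {
  local rc="$1" err="$2" code
  if [ "$rc" -eq 0 ]; then
    echo "OK"
  elif printf '%s\n' "$err" | grep -qF 'certificate verify failed'; then
    echo "TLS_CERT_UNTRUSTED"
  elif printf '%s\n' "$err" | grep -qF "Can't contact LDAP server"; then
    echo "UNREACHABLE"
  elif printf '%s\n' "$err" | grep -qF '(49)'; then
    code=$(printf '%s\n' "$err" | sed -n 's/.*data \([0-9a-fA-F]*\),.*/\1/p' | head -n 1)
    echo "BIND_FAILED: $(ad_bind_subcode "$code")"
  else
    echo "OTHER"
  fi
}

# Run the article's search once and report status plus elapsed milliseconds.
# -y reads the bind password from a file (no trailing newline, mode 600), which
# keeps it out of shell history and the process list. date +%s%N assumes GNU date.
check_identity_source() {  # args: URI BIND_DN PASSWORD_FILE BASE_DN USER_ID
  local start end err rc
  start=$(date +%s%N)
  err=$(ldapsearch -LLL -H "$1" -x -D "$2" -y "$3" -E pr=1000/noprompt -b "$4" \
    "(&(|(objectClass=User)(objectcategory=person))(SAMAccountName=$5))" \
    SAMAccountName 2>&1 >/dev/null) && rc=0 || rc=$?
  end=$(date +%s%N)
  echo "$(classify_ldap_error "$rc" "$err") elapsed_ms=$(( (end - start) / 1000000 ))"
}
```

Source the file and call check_identity_source with the same connection URI, bind DN, base DN and user ID used in the commands above. A TLS_CERT_UNTRUSTED result means the issuing CA is missing from the client's trust store, not that the server is down.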