Troubleshooting user and user group search issues
Verify or test user and group searches by using the ldapsearch command-line tool.
Search users
Use the following ldapsearch command:
ldapsearch -x -l <TIME_LIMIT> -z <SIZE_LIMIT> -H <LDAP_URL> -b <LDAP_BASEDN> -D <LDAP_BINDDN> -w <LDAP_BINDPASSWORD> -s sub "<search query>"
See the following definitions:
<LDAP_URL>
is the Lightweight Directory Access Protocol (LDAP) server URL.
<LDAP_BASEDN>
is the LDAP Base DN.
<LDAP_BINDDN>
is the LDAP Bind DN.
<LDAP_BINDPASSWORD>
is the LDAP Bind DN password.
<TIME_LIMIT>
is the time limit in seconds for the search. The default value is 5 seconds.
<SIZE_LIMIT>
is the size limit for the search. The default value is 50 entries.
In your product, the search string is based on the cn and User ID map attributes that are configured in the LDAP connection user filters.
For example, consider the following LDAP user filters configuration:
User filter: (&(uid=%v)(objectclass=person))
User ID map: *:uid
For the example configuration, the search query is as follows:
(|(&(cn=*<searchstring>*)(objectclass=person))(&(uid=*<searchstring>*)(objectclass=person)))
In the search query, <searchstring> is the user name or user ID value, for example John or robbie.
The following is an example ldapsearch command:
ldapsearch -x -l 5 -z 50 -H "ldap://X.X.X.X:389" -b "dc=abc,dc=com" -D "cn=admin,dc=abc,dc=com" -w 'password' -s sub "(|(&(cn=*user*)(objectclass=person))(&(uid=*user*)(objectclass=person)))"
Here, <searchstring> is user.
The following is a sample output:
# extended LDIF
#
# LDAPv3
# base <dc=abc,dc=com> with scope subtree
# filter: (|(&(cn=*user*)(objectclass=person))(&(uid=*user*)(objectclass=person)))
# requesting: ALL
#
# user1, Users, abc.com
dn: uid=user1,ou=Users,dc=abc,dc=com
cn: User One
objectClass: inetOrgPerson
objectClass: person
objectClass: top
sn: One
uid: user1
userPassword:: dXNlcjE=
# user2, Users, abc.com
dn: uid=user2,ou=Users,dc=abc,dc=com
cn: User Two
objectClass: inetOrgPerson
objectClass: person
objectClass: top
sn: Two
uid: user2
userPassword:: dXNlcjI=
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Search groups
Use the following ldapsearch command:
ldapsearch -x -l <TIME_LIMIT> -z <SIZE_LIMIT> -H <LDAP_URL> -b <LDAP_BASEDN> -D <LDAP_BINDDN> -w <LDAP_BINDPASSWORD> -s sub "<search query>"
See the following list of definitions:
<LDAP_URL>
is the LDAP server URL.
<LDAP_BASEDN>
is the LDAP Base DN.
<LDAP_BINDDN>
is the LDAP Bind DN.
<LDAP_BINDPASSWORD>
is the LDAP Bind DN password.
<TIME_LIMIT>
is the time limit in seconds for the search. The default value is 5 seconds.
<SIZE_LIMIT>
is the size limit for the search. The default value is 50 entries.
In your product, the search string is based on the cn and Group ID map attributes that are configured in the LDAP connection group filters.
For example, consider the following LDAP group filters configuration:
Group filter: (&(cn=%v)(objectclass=groupOfUniqueNames))
Group ID map: *:cn
For the example configuration, the search query is as follows:
(&(cn=*<searchstring>*)(objectclass=groupOfUniqueNames))
In the search query, <searchstring> is the group name value, for example security or administrators.
If the Group ID map attribute is different from cn, for example gid, then the following search query can be used:
(|(&(cn=*<searchstring>*)(objectclass=groupOfUniqueNames))(&(gid=*<searchstring>*)(objectclass=groupOfUniqueNames)))
Here, <searchstring> is the group name or gid value.
The following is an example ldapsearch command:
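The following added example is not part of the product documentation; it shows how the search queries described in the "Search users" and "Search groups" sections can be derived from the configured filter and ID map. It assumes the rule the two sections illustrate: the (attribute=%v) assertion of the filter template is instantiated once with cn and once with the ID map attribute, the two branches are joined with an LDAP OR, and the duplicate branch is dropped when the ID map attribute is itself cn. The function names are this example's own. The search string is escaped per RFC 4515 before it is wrapped in wildcards, so a value containing characters such as *, ( or ) is matched literally instead of changing the structure of the filter.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string so it is matched literally in an LDAP filter.

    Without this, a search string such as  *)(uid=*  would alter the filter's
    structure (LDAP filter injection) instead of being matched as text.
    """
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# Matches the (attribute=%v) placeholder assertion of a configured filter.
_PLACEHOLDER = re.compile(r"\((?P<attr>[A-Za-z][\w.;-]*)=%v\)")


def build_search_query(filter_template: str, id_map: str, searchstring: str) -> str:
    """Derive the substring search query from a filter template and an ID map.

    filter_template: the configured user or group filter, e.g. "(&(uid=%v)(objectclass=person))"
    id_map:          the configured ID map, e.g. "*:uid" (the attribute follows the last colon)
    searchstring:    the name or ID typed by the user, matched as *searchstring*
    """
    match = _PLACEHOLDER.search(filter_template)
    if match is None:
        raise ValueError("filter template must contain an (attribute=%v) assertion")
    id_attr = id_map.rsplit(":", 1)[-1]
    value = f"*{escape_filter_value(searchstring)}*"
    # One branch on cn, one on the ID map attribute; skip the duplicate when both are cn.
    attrs = ["cn"] + ([id_attr] if id_attr.lower() != "cn" else [])
    branches = [
        filter_template[: match.start()] + f"({attr}={value})" + filter_template[match.end():]
        for attr in attrs
    ]
    if len(branches) == 1:
        return branches[0]
    return "(|" + "".join(branches) + ")"


if __name__ == "__main__":
    # The three configurations from the text.
    print(build_search_query("(&(uid=%v)(objectclass=person))", "*:uid", "user"))
    print(build_search_query("(&(cn=%v)(objectclass=groupOfUniqueNames))", "*:cn", "gr"))
    print(build_search_query("(&(cn=%v)(objectclass=groupOfUniqueNames))", "*:gid", "sec"))
```

The returned string is what goes in the quoted "<search query>" argument of the ldapsearch commands above. When running those commands by hand, ldapsearch's -W option prompts for the bind password, which keeps it out of shell history and process listings where -w 'password' does not.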
ldapsearch -x -l 50 -z 100 -H "ldap://X.X.X.X:389" -b "dc=abc,dc=com" -D "cn=admin,dc=abc,dc=com" -w 'password' -s sub "(&(cn=*gr*)(objectclass=groupOfUniqueNames))"
Here, <searchstring> is gr.
The following is a sample output:
# extended LDIF
#
# LDAPv3
# base <dc=abc,dc=com> with scope subtree
# filter: (&(cn=*gr*)(objectclass=groupOfUniqueNames))
# requesting: ALL
#
# group1, Groups, abc.com
dn: cn=group1,ou=Groups,dc=abc,dc=com
cn: group1
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: cn=group2,ou=Groups,dc=abc,dc=com
uniqueMember: uid=user1,ou=Users,dc=abc,dc=com
# group2, Groups, abc.com
dn: cn=group2,ou=Groups,dc=abc,dc=com
cn: group2
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=user2,ou=Users,dc=abc,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Retrieve users from an LDAP group
Use the following ldapsearch command:
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(cn=<GROUP_NAME>)"
See the following list of definitions:
<LDAP_URL>
is the LDAP server URL.
<LDAP_BASEDN>
is the LDAP Base DN.
<LDAP_BINDDN>
is the LDAP Bind DN.
<LDAP_BINDPASSWORD>
is the LDAP Bind DN password.
<GROUP_NAME>
is the group name.
Consider the following example command:
ldapsearch -x -H "ldap://X.X.X.X:389" -b "dc=abc,dc=com" -D "cn=admin,dc=abc,dc=com" -w 'password' -s sub "(cn=group2)"
The following is a sample output:
# extended LDIF
#
# LDAPv3
# base <dc=abc,dc=com> with scope subtree
# filter: (cn=group2)
# requesting: ALL
#
# group2, Groups, abc.com
dn: cn=group2,ou=Groups,dc=abc,dc=com
cn: group2
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=user2,ou=Users,dc=abc,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
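As an added example that is not from the product documentation, the following Python parses ldapsearch LDIF output such as the samples above and lists the users of a group, following nested groups such as group1's membership of group2, which a single "(cn=<GROUP_NAME>)" query does not expand. The sample input is the page's group search output with the blank lines that ldapsearch prints between entries restored, plus one user entry constructed from the user search output to exercise the "::" base64 decoding. The assumption that user entries have a uid= RDN and group entries a cn= RDN follows this page's directory layout; in another directory, resolve each member DN with a further search instead.

```python
from __future__ import annotations

import base64

# Constructed input: the page's "Search groups" output with the blank lines that
# ldapsearch prints between entries restored.
SAMPLE_GROUP_LDIF = """\
# extended LDIF
# filter: (&(cn=*gr*)(objectclass=groupOfUniqueNames))

# group1, Groups, abc.com
dn: cn=group1,ou=Groups,dc=abc,dc=com
cn: group1
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: cn=group2,ou=Groups,dc=abc,dc=com
uniqueMember: uid=user1,ou=Users,dc=abc,dc=com

# group2, Groups, abc.com
dn: cn=group2,ou=Groups,dc=abc,dc=com
cn: group2
objectClass: groupOfUniqueNames
objectClass: top
uniqueMember: uid=user2,ou=Users,dc=abc,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# Constructed input: one entry from the page's "Search users" output, kept for its
# base64 ("::") attribute value.
SAMPLE_USER_LDIF = """\
dn: uid=user1,ou=Users,dc=abc,dc=com
cn: User One
objectClass: inetOrgPerson
objectClass: person
sn: One
uid: user1
userPassword:: dXNlcjE=
"""


def unfold_ldif(text: str) -> list[str]:
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse ldapsearch output into entries mapping attribute name to values.

    Comment lines are skipped, entries are separated by blank lines, a value
    introduced by '::' is base64-decoded, and blocks without a dn (the
    'search:'/'result:' summary at the end) are dropped.
    """
    entries: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in unfold_ldif(text) + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        key, sep, rest = line.partition(":")
        if not sep:
            continue  # not an attribute line
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(key, []).append(value)
    return entries


def index_by_dn(entries: list[dict[str, list[str]]]) -> dict[str, dict[str, list[str]]]:
    """Index entries by lower-cased DN so uniqueMember DNs can be resolved."""
    return {entry["dn"][0].lower(): entry for entry in entries}


def expand_group(index: dict, group_dn: str, seen: set[str] | None = None) -> list[str]:
    """Return the user DNs reachable from group_dn, following nested groups.

    Assumption (matches the page's layout): users have a uid= RDN, groups a cn= RDN.
    The seen set stops a membership cycle from recursing forever.
    """
    seen = set() if seen is None else seen
    key = group_dn.lower()
    if key in seen:
        return []
    seen.add(key)
    users: list[str] = []
    for member in index.get(key, {}).get("uniqueMember", []):
        if member.lower().startswith("uid="):
            users.append(member)
        elif member.lower() in index:
            users.extend(expand_group(index, member, seen))
        # A cn= member the search did not return cannot be expanded from this
        # output; it needs a follow-up ldapsearch on that DN.
    return users


if __name__ == "__main__":
    index = index_by_dn(parse_ldif(SAMPLE_GROUP_LDIF))
    for user in expand_group(index, "cn=group1,ou=Groups,dc=abc,dc=com"):
        print(user)
```

Pipe the real ldapsearch output into parse_ldif to run the same check against a live directory; because the group search above returned both group1 and group2, the nested membership resolves from that one output, whereas a group returned alone would need one more query per nested member.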