We're running a Policy Server and it fails to find a user from a
nested group when the nested group is configured in a Policy. How can
we see if the LDAP User Store has the user defined in the given nested
group, and that the group is reachable from the Policy Server?
Policy Server, all versions.
Open a console on the Policy Server machine and run the following
command (Linux sample; each option is quoted separately, as the -b and
-D values contain commas and must be passed as one argument each) :
# ldapsearch -b "DC=users,DC=training,DC=com" \
    -D "CN=myadmin,DC=users,DC=training,DC=com" -w password \
    -v -h 10.0.0.1 -p 636 -P /opt/CA/siteminder/certs \
    "(member:1.2.840.113556.1.4.1941:=CN=jsmith,OU=mygroup1,OU=mygroup2,DC=users,DC=training,DC=com)" -t
With -t, ldapsearch writes the attribute values of the entries it
returns to files in the temporary folder (/tmp). Gather all the files
you find there: one of them should contain the DN of the user "jsmith"
as a member value of the group the filter matched. If no entry comes
back at all, the search itself (bind, SSL connection, base DN) is the
first thing to check, before looking at the Policy.
In the command above, replace the values with the ones for your
environment :
Base DN : -b "DC=users,DC=training,DC=com"
The Admin used to bind to the LDAP User Store : -D "CN=myadmin,DC=users,DC=training,DC=com"
The Admin's password : -w password
The LDAP User Store IP : -h 10.0.0.1
The LDAP User Store port (636 is the SSL port) : -p 636
The certificate database used for the SSL connection to the LDAP User Store : -P /opt/CA/siteminder/certs
The user you're looking for : CN=jsmith,OU=mygroup1,OU=mygroup2,DC=users,DC=training,DC=com
A few points to keep in mind. The filter uses the matching rule
1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), which Active
Directory evaluates on the server side: it returns every group whose
member attribute reaches the user DN, either directly or through nested
groups, so the nested group configured in the Policy should be among
the entries returned. Other directory servers generally do not
implement this rule and will reject the filter or return nothing; against
those you have to read each group's member attribute with a plain
search and follow the chain yourself. The -P option taking a certificate
database path is the Netscape-style ldapsearch syntax of the tool
installed with the Policy Server; OpenLDAP's ldapsearch reads -P as the
LDAP protocol version, so the same command line will not work with it.
Finally, -w puts the Admin's password on the command line, where it is
visible in the process list and in the shell history; clear it from the
history once you are done.
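The following script is an added example and is not part of the original article or of the Policy Server tooling. It reproduces on the client side what the 1.2.840.113556.1.4.1941 matching rule computes on the server: the transitive closure of group membership. Run the ldapsearch without -t, save the LDIF it prints, and feed it to parse_ldif; groups_containing then lists what a (member:chain:=userDN) filter would return and members_of what a (memberOf:chain:=groupDN) filter would return, which is also how you check nested membership against a store that does not implement the rule (fetch the groups with a plain filter such as (objectClass=group) and resolve the chain here). The LDIF, the DNs and the function names are constructed for illustration and do not come from a real directory; escape_filter_value is included because a user DN containing parentheses, an asterisk or a backslash must be escaped (RFC 4515) before it is placed in the filter, which the article's sample DN does not need but a real one may.

```python
# Added example, not from the original article. Client-side resolution of
# nested LDAP group membership over LDIF output, mirroring the AD matching
# rule 1.2.840.113556.1.4.1941. All directory data below is constructed.
import base64

MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value):
    """Escape an assertion value for use inside an LDAP filter (RFC 4515).
    '(' ')' '*' '\\' and NUL become \\xx; an unescaped DN with any of them
    either fails with a bad-filter error or matches the wrong entries."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_chain_filter(attribute, dn):
    """Filter for 'entries whose <attribute> chain reaches dn'.
    member   -> every group the DN belongs to, nested groups included
    memberOf -> every DN inside the group, nested groups expanded"""
    return "(%s:%s:=%s)" % (attribute, MATCHING_RULE_IN_CHAIN,
                            escape_filter_value(dn))


def parse_ldif(text):
    """Minimal LDIF reader: {dn lower-cased: {attr: [values]}}.
    Handles folded continuation lines and base64 ('::') values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():                   # blank line ends an entry
            current = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {"dn": [value]})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def groups_containing(entries, user_dn):
    """What (member:<chain>:=user_dn) returns from AD: every group whose
    member attribute reaches user_dn directly or via nested groups."""
    member_of = {}
    for dn, attrs in entries.items():
        for m in attrs.get("member", []):
            member_of.setdefault(m.lower(), set()).add(dn)
    found, stack = set(), [user_dn.lower()]
    while stack:
        for g in member_of.get(stack.pop(), ()):
            if g not in found:
                found.add(g)
                stack.append(g)
    return sorted(entries[g]["dn"][0] for g in found)


def members_of(entries, group_dn):
    """What (memberOf:<chain>:=group_dn) returns: every DN that is a member
    of group_dn, with nested groups expanded (DNs lower-cased)."""
    found, stack = set(), [group_dn.lower()]
    while stack:
        for m in entries.get(stack.pop(), {}).get("member", []):
            if m.lower() not in found:
                found.add(m.lower())
                stack.append(m.lower())
    return sorted(found)


def user_in_group(entries, user_dn, group_dn):
    """True if user_dn is reachable from group_dn through the member chain."""
    return user_dn.lower() in members_of(entries, group_dn)


# Constructed ldapsearch output (not a real store): jsmith is a direct
# member of mygroup1, which is itself a member of mygroup2. One member
# value is base64-encoded, as ldapsearch does for values with special chars.
JSMITH = "CN=jsmith,OU=People,DC=users,DC=training,DC=com"
ALICE = "CN=Alice (Ext),OU=People,DC=users,DC=training,DC=com"
MYGROUP1 = "CN=mygroup1,OU=Groups,DC=users,DC=training,DC=com"
MYGROUP2 = "CN=mygroup2,OU=Groups,DC=users,DC=training,DC=com"
SAMPLE_LDIF = (
    "dn: " + MYGROUP1 + "\nobjectClass: group\nmember: " + JSMITH + "\n\n"
    "dn: " + MYGROUP2 + "\nobjectClass: group\nmember: " + MYGROUP1 + "\n"
    "member:: " + base64.b64encode(ALICE.encode()).decode() + "\n\n"
    "dn: CN=other,OU=Groups,DC=users,DC=training,DC=com\n"
    "objectClass: group\nmember: CN=bob,OU=People,DC=users,DC=training,DC=com\n"
)

if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    print(build_chain_filter("member", JSMITH))
    print(groups_containing(directory, JSMITH))
    print(user_in_group(directory, JSMITH, MYGROUP2))
```

Lower-casing DNs before comparing is a deliberate shortcut: it covers the case differences you usually see between what the Policy is configured with and what the store returns, but it is not full RFC 4517 DN normalisation (spacing around commas, escaped characters), so if a DN is reported missing, compare the raw strings before concluding the user is not in the group.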