How to use ldapsearch command to check if an account has been correlated

Article ID: 207927


Products

CA Identity Manager

Issue/Introduction

Sometimes you need to run the ldapsearch command to check whether an account that has been explored is correlated to the correct Global User. This means checking whether an inclusion object exists for this account.
What is the correct ldapsearch syntax to do this?

Environment

Release : 14.x
Component : IdentityMinder(Identity Manager)

Resolution

If the account is an Active Directory account, run ldapsearch as follows:

ldapsearch -LLL -h <Provisioning Directory hostname> -p 20391 -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -W -b "eTSubordinateClass=eTADSAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=etadb" -s sub "(&(objectClass=eTInclusionObject)(eTRelationship=USERACCOUNT)(eTSubordinateClassEntry=*<account name>*))"

If the account is a DYN account, run ldapsearch as follows:

ldapsearch -LLL -h <Provisioning Directory hostname> -p 20391 -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -W -b "eTSubordinateClass=eTDYNAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=etadb" -s sub "(&(objectClass=eTInclusionObject)(eTRelationship=USERACCOUNT)(eTSubordinateClassEntry=*<account name>*))"

For example:

I search for an AD account.

<Provisioning Directory hostname>: provdir01
<account name>: test user

So I run

ldapsearch -LLL -h provdir01 -p 20391 -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -W -b "eTSubordinateClass=eTADSAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=etadb" -s sub "(&(objectClass=eTInclusionObject)(eTRelationship=USERACCOUNT)(eTSubordinateClassEntry=*test user*))"

I search for a UNIX v2 DYN account.

<Provisioning Directory hostname>: provdir01
<account name>: config

So I run

ldapsearch -LLL -h provdir01 -p 20391 -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -W -b "eTSubordinateClass=eTDYNAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=etadb" -s sub "(&(objectClass=eTInclusionObject)(eTRelationship=USERACCOUNT)(eTSubordinateClassEntry=*config*))"

The command prompts for the password to access the Provisioning Directory. On vApp, enter the Master Password.

In the above case, ldapsearch returns an inclusion object. This means the account is correlated to a Global User. The eTSuperiorClassEntry attribute shows the DN of the Global User.
If ldapsearch doesn't return any result, the account is not correlated.
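
The filter above wraps the account name in wildcards, and LDIF output may fold long DN values across lines, so a script built around this check should escape the name and unfold the output before reading eTSuperiorClassEntry. The following is an added example, not part of the original article: the function names are hypothetical and the sample LDIF uses constructed placeholder DNs.

```shell
# Added example, not from the original article. Function names are hypothetical.

# Escape RFC 4515 filter metacharacters so the account name is matched
# literally. Backslash goes first so inserted escapes are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the article's search filter around the escaped account name.
build_filter() {
    printf '(&(objectClass=eTInclusionObject)(eTRelationship=USERACCOUNT)(eTSubordinateClassEntry=*%s*))' \
        "$(ldap_escape "$1")"
}

# Join folded LDIF lines: a line starting with one space continues the
# previous line. LDIF allows long values such as DNs to be folded this way.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }'
}

# Read LDIF on stdin; print "account DN => Global User DN" per inclusion
# object. No output means not correlated. Because the filter is a substring
# match, several lines can come back; check the account DN on each.
# Base64 values ("attr:: ...") are not decoded here.
correlations() {
    unfold_ldif | awk '
        function emit() { if (sup != "") print acct " => " sup; acct = sup = "" }
        /^$/ { emit(); next }
        sub(/^eTSubordinateClassEntry: /, "") { acct = $0; next }
        sub(/^eTSuperiorClassEntry: /, "")    { sup = $0 }
        END { emit() }'
}

# Constructed sample output with placeholder DNs (not real product data).
SAMPLE_LDIF='dn: cn=PLACEHOLDER,eTSubordinateClass=eTADSAccount,eTSuperiorClass=eTGlobalU
 ser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,
 dc=etadb
eTSubordinateClassEntry: cn=test user,ou=PLACEHOLDER,
 dc=im,dc=etadb
eTSuperiorClassEntry: cn=PLACEHOLDER-GLOBAL-USER,dc=i
 m,dc=etadb
'

build_filter 'test user'; echo
printf '%s' "$SAMPLE_LDIF" | correlations
```

In real use, pass "$(build_filter "$name")" as the filter argument of the ldapsearch command shown above and pipe its output into correlations.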