On a Windows client machine, you can download the Sysinternals tool "AD Explorer" to browse the directory: https://learn.microsoft.com/en-us/sysinternals/downloads/adexplorer
You can also check the domain user and its group memberships from the client, using a command prompt opened as administrator:
net user <username> /domain
On the Active Directory host, the "ldp.exe" utility exists by default, and the connection can be tested with it as follows:
1. Run the "ldp.exe" command
2. From the "Connection->Connect" menu, enter the LDAP hostname and port "389"
3. From the "Connection->Bind" menu, enter the username and password just as in the LDAP configuration in the CCM.
4. From the "Browse->Search" menu, enter the name of the user who tries to log in and select the "Subtree" as the scope.
5. Check that the bind is working and the search returns related objects of the user.
If the user cannot log in and errors similar to "user not defined" are received, a simple test with an external utility can show where the problem is.
The "ldapsearch" command exists by default on most Linux variants and can also be installed on other Unix operating systems by downloading the (free) OpenLDAP package: http://www.openldap.org/software/download/
Here is an example that searches for the user "CN=ken,CN=Users,DC=dcname,DC=local" and lists the groups it belongs to:
ldapsearch -b DC=dcname,DC=local -D CN=Admin,CN=Users,DC=dcname,DC=local -w "password" -x -H ldaps://ldaps.lirr.org:636 -v -s sub "(&(member=CN=ken,CN=Users,DC=dcname,DC=local)(objectClass=group))" cn
This command also checks that the bind DN and the search base for the user are defined correctly; because it is run from an external LDAP utility, it shows whether the problem lies in the LDAP configuration itself.
Replace the values in the command with the correct values for your LDAP server before executing it.
Flags in the command:
The -b flag is for the search base DN
The -D flag is for the bind DN (the LDAP search user)
The -w flag is for the bind password (it is visible in the process list while the command runs; -W prompts for it instead)
The -x flag selects simple authentication
The -s sub flag searches the whole subtree below the base DN
The -H flag takes the server URI (ldaps://host:636 if using SSL, ldap://host:389 if not); the older -h/-p host and port flags always open a plaintext connection, so "-h host -p 636" does not work against an SSL listener
Most errors are caused by an invalid LDAP search user being defined, its password being wrong, or the search base being wrongly defined.
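As an added example (not from the original article), the following POSIX shell script ties the flags above to the messages ldapsearch prints: it builds the test command from the same fields the LDAP configuration holds, escapes the login name before splicing it into a filter, and maps the usual failures (unreachable host or TLS problem, wrong bind DN or password, wrong search base, filter that matches nothing) to the field to check first. Host names, DNs, the password file path, the script name ldaptest.sh and the sample error text in the comments are constructed placeholders; the "data 525/52e/775" sub-codes are the ones Active Directory attaches to result 49.

```shell
#!/bin/sh
# Added example, not part of the original article: build the ldapsearch test
# command from the LDAP configuration fields and map the usual ldapsearch
# failures back to the field that is wrong. Hosts, DNs and paths are placeholders.

# ldap_uri HOST PORT SSL(yes|no)
# "-h host -p 636" opens a plaintext connection on port 636 and fails against
# an SSL-only listener, so a URI is always passed to -H instead.
ldap_uri() {
    if [ "$3" = "yes" ]; then printf 'ldaps://%s:%s' "$1" "$2"; else printf 'ldap://%s:%s' "$1" "$2"; fi
}

# ldap_filter_escape VALUE
# RFC 4515 escaping for a value spliced into a search filter (typically the
# login name), so "*", "(" or ")" typed at the login prompt cannot widen the
# search. Backslash is escaped first so the escapes it produces stay intact.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# user_filter NAME: filter that looks the login name up by cn, NAME escaped.
user_filter() { printf '(cn=%s)' "$(ldap_filter_escape "$1")"; }

# build_ldapsearch_cmd HOST PORT SSL BINDDN PWFILE BASEDN FILTER [ATTR...]
# Prints the command line so it can be pasted into a ticket. The password is
# read with -y from a file (create it with printf '%s' so no trailing newline
# becomes part of the password) instead of -w, which shows up in "ps".
build_ldapsearch_cmd() {
    uri=$(ldap_uri "$1" "$2" "$3")
    binddn=$4; pwfile=$5; basedn=$6; filter=$7
    shift 7
    printf 'ldapsearch -x -v -H %s -D "%s" -y "%s" -b "%s" -s sub "%s" %s\n' \
        "$uri" "$binddn" "$pwfile" "$basedn" "$filter" "$*"
}

# classify_ldap_result EXIT_CODE OUTPUT
# OUTPUT is the combined stdout+stderr of ldapsearch; prints one word naming
# the configuration field to look at first.
classify_ldap_result() {
    rc=$1; out=$2
    case "$out" in
        *"Can't contact LDAP server"*)   echo "host-port-or-tls" ;;
        *"Invalid credentials (49)"*)
            case "$out" in               # AD puts the real reason in the "data" sub-code
                *"data 525"*) echo "bind-dn-not-found" ;;
                *"data 52e"*) echo "bind-password" ;;
                *"data 775"*) echo "bind-account-locked" ;;
                *)            echo "bind-credentials" ;;
            esac ;;
        *"successful bind must be completed"*) echo "bind-required" ;;
        *"No such object (32)"*)         echo "search-base" ;;
        *"Insufficient access (50)"*)    echo "bind-user-lacks-read-rights" ;;
        *"Bad search filter"*)           echo "filter-syntax" ;;
        *"numEntries: "*)                echo "ok" ;;
        *"result: 0 Success"*)           echo "filter-no-match" ;;  # bind and base fine, DN/filter wrong
        *)                               echo "unknown-rc-$rc" ;;
    esac
}

# run_ldap_test HOST PORT SSL BINDDN PWFILE BASEDN FILTER [ATTR...]
# Runs the search with the same arguments as build_ldapsearch_cmd and prints
# the diagnosis word instead of the raw LDIF.
run_ldap_test() {
    command -v ldapsearch >/dev/null 2>&1 || { echo "ldapsearch not installed"; return 2; }
    uri=$(ldap_uri "$1" "$2" "$3")
    binddn=$4; pwfile=$5; basedn=$6; filter=$7
    shift 7
    out=$(ldapsearch -x -v -H "$uri" -D "$binddn" -y "$pwfile" -b "$basedn" -s sub "$filter" "$@" 2>&1)
    rc=$?
    classify_ldap_result "$rc" "$out"
}

# Usage: sh ldaptest.sh HOST PORT yes|no BINDDN PWFILE BASEDN LOGINNAME
if [ $# -eq 7 ]; then
    filter=$(user_filter "$7")
    build_ldapsearch_cmd "$1" "$2" "$3" "$4" "$5" "$6" "$filter" cn memberOf
    run_ldap_test "$1" "$2" "$3" "$4" "$5" "$6" "$filter" cn memberOf
fi
```

The diagnosis words are deliberately the configuration fields of the CCM/EM LDAP settings, so the first word printed tells you which field to compare against the directory before anything else is changed.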
When SSL is enabled on the LDAP server side, the following ldapsearch syntax (-H with an ldaps:// URI) must be used. Example configuration:
LDAP Directory Search User: uid=SEARCHUSER,ou=Applis,dc=dcname
LDAP Directory Search Password: <password>
Transmission Protocol: SSL
LDAP Directory Server Type: GUARDIAN
Server Hostname and Port: SERVER.fr 636
Server Directory Search Base: ou=people,dc=dcname
EM/LDAP user: uid=EMUSER,ou=People,dc=dcname
Corresponding ldapsearch command (validated by the customer):
ldapsearch -b "ou=people,dc=dcname" -D "uid=SEARCHUSER,ou=Applis,dc=dcname" -w "<password>" -x -H ldaps://SERVER.fr:636 -v -s sub "(&(uniqueMember=uid=EMUSER,ou=People,dc=dcname)(objectClass=groupOfUniqueNames))" cn
In some environments the following two commands can help: the first returns the full path (DN) of the LDAP user, the second returns the member list of the LDAP group used for group mapping (in EM authorization of a role or an EM group):
ldapsearch -x -H ldaps://ldap.domainserver.local:636 -D "CN=searchusr,OU=Secured Accounts,DC=mydomain,DC=local" -w "<searchusr_password>" -b "DC=mydomain,DC=local" -s sub "(cn=myldapusr*)"   # user details
ldapsearch -x -H ldaps://ldap.domainserver.local:636 -D "CN=searchusr,OU=Secured Accounts,DC=mydomain,DC=local" -w "<searchusr_password>" -b "DC=mydomain,DC=local" -s sub "(cn=<LDAP_GroupName_in_EM_RoleGroup>*)"   # group details with member list
Please note that the error "User is not authorized in EM" means the LDAP user was not found under the LDAP group mapped to the EM role/group, even when a local user with the same name as the LDAP user exists with the External Login setting. Defining both, an individual user with the same name as the LDAP user using external authentication and LDAP group mapping to an EM role/group, is not recommended. For more information, see:
https://documents.bmc.com/supportu/9.0.21.200/en-US/Documentation/Authentication.htm?Highlight=ldap
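To decide from the group query's output whether the user really is a member of the mapped group (which is what the "User is not authorized in EM" error hinges on), a plain grep for "member: CN=..." is unreliable: ldapsearch folds lines longer than 76 characters (continuation lines start with one space) and emits values with non-ASCII characters base64-encoded after "member::", and DNs may differ only in case or in blanks after the commas. The following POSIX shell script, an added example that is not part of the original article, handles all three. The LDIF it embeds is constructed sample output, not a capture from a real directory, and the script name check_member.sh is a placeholder; it expects GNU-style "base64 -d".

```shell
#!/bin/sh
# Added example, not part of the original article: check whether a user DN is
# listed in a group's member attribute using ldapsearch's LDIF output.
# Handles folded lines, base64 ("member::") values and DN case/blank differences.

# Constructed sample output of the group query (not a real capture). The second
# member is folded across two lines, the third is base64 because the cn
# contains a non-ASCII character (it decodes to CN=Zoë,CN=Users,DC=mydomain,DC=local).
SAMPLE_LDIF='dn: CN=EM-Admins,OU=Groups,DC=mydomain,DC=local
objectClass: group
cn: EM-Admins
member: CN=ken,CN=Users,DC=mydomain,DC=local
member: CN=Jane Doe,OU=Secured Accounts,OU=Very Long Organisational Unit Nam
 e,DC=mydomain,DC=local
member:: Q049Wm/DqyxDTj1Vc2VycyxEQz1teWRvbWFpbixEQz1sb2NhbA==
'

# ldif_unfold: join continuation lines (leading space) onto the line before.
ldif_unfold() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (started) print buf; buf = $0; started = 1 }
         END { if (started) print buf }'
}

# ldif_attr_values ATTR: print one value of ATTR per line from LDIF on stdin,
# decoding "ATTR::" base64 values.
ldif_attr_values() {
    ldif_unfold | while IFS= read -r line; do
        case "$line" in
            "$1:: "*) printf '%s' "${line#"$1:: "}" | base64 -d; echo ;;
            "$1: "*)  printf '%s\n' "${line#"$1: "}" ;;
        esac
    done
}

# norm_dn: lower-case and drop blanks around commas so that
# "CN=ken, CN=Users" and "cn=ken,cn=users" compare equal (stdin to stdout).
norm_dn() { LC_ALL=C tr '[:upper:]' '[:lower:]' | sed 's/ *, */,/g'; }

# group_has_member LDIF_TEXT USER_DN [ATTR]
# Exit 0 if USER_DN is a value of ATTR (default "member"; pass uniqueMember
# for groupOfUniqueNames groups). Whole-value match only, so "CN=ken" alone
# does not count as a hit.
group_has_member() {
    want=$(printf '%s' "$2" | norm_dn)
    printf '%s\n' "$1" | ldif_attr_values "${3:-member}" | norm_dn | grep -qxF -- "$want"
}

# Usage: ldapsearch ... "(cn=<group>)" member | sh check_member.sh "CN=ken,CN=Users,DC=mydomain,DC=local" [member|uniqueMember]
if [ $# -ge 1 ]; then
    if group_has_member "$(cat)" "$1" "${2:-member}"; then echo "member"; else echo "NOT a member"; exit 1; fi
fi
```

If you only need unfolded output for reading by eye, ldapsearch's own "-o ldif-wrap=no" option turns the line folding off; the base64 and DN-comparison cases still need handling.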