Test Connections to LDAP Directories

Use the pdm_ldap_test command-line utility to test the connection to an LDAP directory, ensure that the search options are correctly configured, and test the TLS configuration.
By default, pdm_ldap_test uses the parameter settings that are entered in the $NX_ROOT/NX.env file when you install, edit, or uninstall LDAP options. To override the defaults, you can specify parameters at the pdm_ldap_test command line.
To see the available parameters for this command, enter the following command:
pdm_ldap_test -h
On UNIX, the LIBPATH must be set before running several CA SDM utilities. Use pdm_task to set the LIBPATH before running a utility. For example, input "pdm_task pdm_clean_attachments ...".
Verify Connection to LDAP Server
To verify the connection to the LDAP server, run pdm_ldap_test without parameters:
pdm_ldap_test
Successful Connection to LDAP Server
If the connection is successful, you receive output similar to the following:
Starting pdm_ldap_test...
LDAP service type=active directory
Service Desk platform=windows
Using search base=DC=mycontroller,DC=xyz,DC=com
Using filter=(&(objectCategory=person))
ldap_init(myserver.mycontroller.xyz.com,389): (Success)
ldap_bind_s(Administrator) (Success)
LDAP API Verion 3
View Search Parameters
To verify that the search parameters are correctly configured, run pdm_ldap_test without parameters:
pdm_ldap_test
Successful Search
When your search is successful, you see output similar to the following:
DN: CN=John A. Smith,CN=Users,DC=COMPUTERTEST
c(2)(0): US
displayName(14)(0): John A. Smith
mail(14)(0): account02@mycompany.com
givenName(4)(0): John
initials(1)(0): a
distinguishedName(38)(0): CN=John a. Smith,CN=Users,DC=COMPUTERTEST
objectGUID(3)(0): 314738
pager(12)(0): ###-111-1111
postalCode(5)(0): 11111
SAMAccountName(7)(0): account02
sn(6)(0): Smith
telephoneNumber(12)(0): ###-342-6265
userPrincipalName(16)(0): account02@COMPUTERTEST
DN: CN=Mike Johnson,CN=Users,DC=COMPUTERTEST
displayName(10)(0): Mike Johnson
givenName(4)(0): Mike
distinguishedName(34)(0): CN=Mike Johnson,CN=Users,DC=COMPUTERTEST
objectGUID(12)(0): 312328
SAMAccountName(7)(0): account03
sn(5)(0): Johnson
userPrincipalName(16)(0): account03@COMPUTERTEST
Determine which Attribute Names have Values
Use the -a "*" parameter and the -f parameter with the pdm_ldap_test command to determine which attributes are defined for LDAP User or Group records. This test is useful for seeing if there are LDAP attributes that you want to map to Contact attributes, and to verify that a particular attribute has a value and should be available when creating or updating Contact records.
The following example shows output from an iPlanet directory:
pdm_ldap_test -a "*" -f sn=Account_1000001
2 LDAP records found...
DN: cn=Account_1000001,ou=200K_Plus,o=SmartLabs
sn(15)(0): Account_1000001
objectClass(13)(0): inetOrgPerson
objectClass(20)(1): organizationalPerson
objectClass(6)(2): Person
objectClass(18)(3): ndsLoginProperties
objectClass(3)(4): Top
DN: cn=Account_1000001,ou=2_Plus,o=SmartLabs
mail(28)(0): ThisIsTheMailingAddressField
uid(13)(0): Login_1000001
givenName(17)(0): GivenNameOfPerson
sn(15)(0): Account_1000001
objectClass(13)(0): inetOrgPerson
objectClass(20)(1): organizationalPerson
objectClass(6)(2): Person
objectClass(18)(3): ndsLoginProperties
objectClass(3)(4): Top
The following example shows output from Active Directory:
pdm_ldap_test -a "*" -f "(&(sn=Brown)(initials=A))"
1 LDAP records found...
DN: CN=John A. Smith,CN=Users,DC=mycontroller,DC=xyz,DC=com
objectClass(3)(0): top
objectClass(6)(1): person
objectClass(20)(2): organizationalPerson
objectClass(4)(3): user
cn(16)(0): John A. Smith
sn(5)(0): Brown
givenName(7)(0): John
initials(1)(0): A
distinguishedName(55)(0): CN=John A. Smith,CN=Users,DC=mycontroller,DC=xyz,DC=com
displayName(16)(0): John A. Smith
memberOf(52)(0): CN=Domain Admins,CN=Users,DC=mycontroller,DC=xyz,DC=com
sAMAccountName(7)(0): smijo04
userPrincipalName(25)(0): smijo04@mydomain.xyz.com
objectCategory(63)(0): CN=Person,CN=Schema,CN=Configuration,DC=mycontroller,DC=xyz,DC=com
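The attribute check described in this section can be automated by parsing the tool's output. The following is an added example, not part of the original article or of CA SDM: it assumes one item per line, reads the two bracketed numbers as value length and value index (inferred from the samples above), and uses hypothetical function names.

```python
import re
from collections import defaultdict

# Line shape inferred from the sample output on this page (an assumption):
#   name(length)(value_index): value
ATTR_RE = re.compile(r"^(?P<name>[A-Za-z][\w;-]*)\(\d+\)\((?P<idx>\d+)\):\s?(?P<value>.*)$")

# Excerpt of the iPlanet sample output above, one item per line.
SAMPLE = """\
2 LDAP records found...
DN: cn=Account_1000001,ou=200K_Plus,o=SmartLabs
sn(15)(0): Account_1000001
objectClass(13)(0): inetOrgPerson
objectClass(20)(1): organizationalPerson
DN: cn=Account_1000001,ou=2_Plus,o=SmartLabs
mail(28)(0): ThisIsTheMailingAddressField
uid(13)(0): Login_1000001
sn(15)(0): Account_1000001
objectClass(13)(0): inetOrgPerson
"""

def parse_records(text):
    """Return a list of (dn, {attribute: [values]}) in output order."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("DN: "):
            records.append((line[4:], defaultdict(list)))
            continue
        m = ATTR_RE.match(line)
        if m and records:  # banner lines before the first DN are ignored
            records[-1][1][m["name"]].append(m["value"])
    return [(dn, dict(attrs)) for dn, attrs in records]

def attribute_gaps(records, wanted):
    """For each wanted attribute, list the DNs where it has no non-empty value."""
    gaps = {}
    for name in wanted:
        key = name.lower()  # LDAP attribute names are case-insensitive
        gaps[name] = [dn for dn, attrs in records
                      if not any(v.strip() for k, vals in attrs.items()
                                 if k.lower() == key for v in vals)]
    return gaps

if __name__ == "__main__":
    for attr, dns in attribute_gaps(parse_records(SAMPLE), ["sn", "mail", "uid"]).items():
        print(attr, "missing on:", dns or "none")
```

Run it against captured pdm_ldap_test -a "*" output before mapping an LDAP attribute to a Contact attribute, so that attributes missing on some records show up early.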
Narrow Your Search
Use the -f parameter with the pdm_ldap_test command to specify a filter to be added to the base filter for narrowing the search criteria. You must use appropriate LDAP syntax and LDAP schema attribute names in your filter. Surround your filter with double quotation marks and use parentheses to clarify the order of operator precedence.
For example, use the following command to search for all records where sn=Account_10001:
pdm_ldap_test -f "(sn=Account_10001)"
The pdm_ldap_test utility supports the following equality operators:
Equality Operator    Description
=                    equal to
<=                   less than or equal to
>=                   greater than or equal to
~=                   like
The pdm_ldap_test utility supports the following Boolean operators:
Boolean Operator     Description
&                    AND
|                    OR
!                    NOT
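When the value in a filter comes from a ticket field, a form, or a script argument, it has to be escaped so that it cannot add its own operators or parentheses. The following is an added example, not part of the original article or of CA SDM: it builds -f filters from the comparison operators and the AND/OR operators listed in this section, escapes values per RFC 4515, and uses hypothetical function names (NOT is left out).

```python
import re

# RFC 4515 escapes for characters that are syntax inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_COMPARE = {"=", "<=", ">=", "~="}   # comparison operators listed in this section
_BOOLEAN = {"&", "|"}                # prefix operators that take any number of filters
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")

def escape_value(value):
    """Encode a literal value so it cannot add operators or parentheses."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def term(attr, op, value):
    """Build one parenthesised comparison, e.g. (sn=Brown)."""
    if not _ATTR.fullmatch(attr):
        raise ValueError(f"not an attribute name: {attr!r}")
    if op not in _COMPARE:
        raise ValueError(f"unsupported operator: {op!r}")
    return f"({attr}{op}{escape_value(value)})"

def combine(bool_op, *terms):
    """Prefix AND/OR over already-built terms, e.g. (&(a=1)(b=2))."""
    if bool_op not in _BOOLEAN or not terms:
        raise ValueError("need '&' or '|' and at least one term")
    return f"({bool_op}{''.join(terms)})"

def pdm_argv(ldap_filter):
    """argv list for subprocess.run(); no shell, so no shell quoting is involved."""
    return ["pdm_ldap_test", "-f", ldap_filter]

if __name__ == "__main__":
    surname = "Smith)(sn=*"  # constructed input that contains filter syntax
    flt = combine("&", term("sn", "=", surname), term("initials", "=", "A"))
    print(flt)
    print(pdm_argv(flt))
```

Because the asterisk is escaped as well, a value built this way is always matched literally and never as a wildcard.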
The AND and OR operators affect each set of parentheses () in the search filter. The NOT only affects the first set of parentheses. Always place these operators before the search filters to be operated on, rather than between them. They can be applied to any number of filters, as shown in the following examples:
"(&(sn=Brown)(initials=A))"
"(|(sn=Brown)(sn=Smith))"
"(!sn=Brown)"