LDAP tools on Windows servers

  • 7011145
  • 09-Mar-2011
  • 02-Nov-2012

Environment

NetIQ Access Governance Suite

Situation

LDAP tools on Windows servers

Resolution

Windows Server releases include two built-in LDAP query tools.  These (non-Java) tools can be used to verify that an LDAP filter returns the expected result set before it is used elsewhere. If it does not, the same tools can be used to build and test the correct filter.

A) AD admin console -
http://blogs.msdn.com/b/muaddib/archive/2006/10/24/active-directory-ldap-searches.aspx

The Active Directory Users and Computers admin console can create saved queries.  The console runs with the credentials of the logged-on user (normally a domain administrator) and searches the domain.  While the GUI covers simple queries, "Custom Search" accepts a raw LDAP filter. The Saved Queries folder is available from Windows Server 2003 onward; the steps are:

start "Active Directory Users and Computers"
right click on "Saved Queries"
mouseover "New", select "Query"
enter value for "Name" field in "New Query" popup window
click "Define Query"
select "Custom Search" from "Find:" pulldown list
select "Advanced" tab
enter the LDAP filter (the example below selects members of a group; a userAccountControl filter such as Password Never Expires is entered the same way):

(memberOf=CN=Support,OU=Security Groups,OU=!Common,dc=corp,dc=internal,dc=com)

B) LDP tool - http://support.microsoft.com/?id=255602

LDP (ldp.exe) is a Lightweight Directory Access Protocol (LDAP) client utility that is included with Microsoft Windows.  On Windows 2000 and Windows Server 2003 it is part of the Windows Support Tools; if it is not installed, install it from the Microsoft Windows CD-ROM (file path: Support\Tools\Setup.exe).  On Windows Server 2008 and later, ldp.exe is installed with the AD DS role and the Remote Server Administration Tools, so no separate install is needed.

run "LDP"
click "Connection"
enter Server name
localhost
click OK
(note the rootDSE attributes in the log window)
click "Connection" (again)
click "Bind"
select "Bind with credentials"
enter values for "User","Password" fields
cn=Sailpoint, ou=Accounts, ou=!Common, dc=corp, dc=internal, dc=com
click "OK"
(note the authenticated message in the log window)
click "Browse"
click "Search"
enter value for "Base DN:" field (or select from pulldown menu); the base must be a naming context held by this DC or a container below it, otherwise the DC answers with a referral instead of results
dc=internal, dc=com
enter value for "Filter:" field (or select from pulldown menu)
(memberOf=CN=Support,OU=Security Groups,OU=!Common,dc=corp,dc=internal,dc=com)
select "Subtree" for Scope
click "Run"
(note query results in log window)
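
Sections A and B verify a filter by hand in a GUI. As an added example that is not part of this TID, the PowerShell script below runs the same group-membership filter, plus the userAccountControl "Password Never Expires" filter that section A mentions, against the DC with the built-in System.DirectoryServices.Protocols classes (no Java, no extra install), so the check can be repeated from a script and compared with the LDP result. The bind DN and the group filter are the ones on the page; the server name, port, base DN, attribute list and the second filter are assumptions to replace for your environment.

```powershell
# Added example, not part of the original TID. Assumed values: $server, $port,
# $baseDn and the second filter; the bind DN and group filter come from the page.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'localhost'   # for LDAPS use the DC's FQDN: the name must match its certificate
$port   = 636           # LDAPS. A simple (DN + password) bind on 389 sends the password in cleartext.
$bindDn = 'cn=Sailpoint,ou=Accounts,ou=!Common,dc=corp,dc=internal,dc=com'
$baseDn = 'dc=corp,dc=internal,dc=com'   # the naming context that holds the group (assumed)
$secret = Read-Host -AsSecureString "Password for $bindDn"

# Filters to verify. The first is the group-membership filter from the page.
# The second is the userAccountControl "password never expires" check: bit 0x10000
# (65536) tested with the LDAP_MATCHING_RULE_BIT_AND extensible match
# (OID 1.2.840.113556.1.4.803). A plain equality match on userAccountControl
# would miss accounts that also have other bits set.
$filters = [ordered]@{
  'members of Support'     = '(memberOf=CN=Support,OU=Security Groups,OU=!Common,dc=corp,dc=internal,dc=com)'
  'password never expires' = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))'
}

# Connection and bind: the equivalent of LDP's "Connection" and "Bind with credentials".
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, $port)
$cred = New-Object System.Net.NetworkCredential($bindDn, $secret)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
          $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.ReferralChasing   = [System.DirectoryServices.Protocols.ReferralChasingOptions]::None
$conn.Bind()   # throws LdapException on bad credentials, like the error line in LDP

function Invoke-LdapSearch {
  param($Connection, $Base, $Filter)
  $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
               $Base, $Filter,
               [System.DirectoryServices.Protocols.SearchScope]::Subtree,
               @('distinguishedName', 'sAMAccountName', 'userAccountControl'))
  # Page through the result set: AD caps an unpaged search at MaxPageSize (1000 by
  # default), so a filter that looks right in the GUI can still be missing rows.
  $paging = New-Object System.DirectoryServices.Protocols.PageResultRequestControl(500)
  [void]$request.Controls.Add($paging)
  do {
    $response = $Connection.SendRequest($request)
    foreach ($entry in $response.Entries) {
      $uac = $entry.Attributes['userAccountControl']   # absent on group objects
      [pscustomobject]@{
        DN  = $entry.DistinguishedName
        UAC = if ($uac) { [string]$uac[0] } else { '' }
      }
    }
    $cookie = ($response.Controls |
      Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] }).Cookie
    $paging.Cookie = $cookie
  } while ($cookie -and $cookie.Length -gt 0)
}

foreach ($name in $filters.Keys) {
  try {
    $rows = @(Invoke-LdapSearch -Connection $conn -Base $baseDn -Filter $filters[$name])
    Write-Host ("{0}: {1} object(s)" -f $name, $rows.Count)
    $rows | Format-Table -AutoSize
  } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    # A base DN outside this DC's naming contexts comes back as a referral or
    # noSuchObject rather than an empty result set; show the code instead of
    # silently reporting zero matches.
    Write-Warning ("{0}: {1}" -f $name, $_.Exception.Response.ResultCode)
  }
}
$conn.Dispose()
```

The object count printed for the first filter should match the count of the saved query in section A and the number of entries LDP logs in section B; a mismatch usually means a different base DN or scope, not a different filter. Note that the LDP steps above search from dc=internal,dc=com while the group lives under dc=corp,dc=internal,dc=com: if the DC you connect to does not hold dc=internal,dc=com, the script reports a referral result code for that base rather than an empty result set.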