Version Affected: All
Description:
This document explains how to use the LDP.EXE tool to confirm whether the SecureAuth service account has the permissions needed to read and write a particular attribute on a user object in Active Directory.
Resolution:
Use the LDP.EXE tool as described in the three steps below to confirm whether the SecureAuth service account has permission to read and write the attribute in question. Every read and write performed after the bind in Step 1 is evaluated with that account's permissions, which is what makes this a reliable test.
Step 1 – Binding the service account to AD
On the SecureAuth appliance, open ldp.exe by typing ldp.exe in the Run dialog box.
The LDP window should appear.
Click Connection and select Bind.
The Bind dialog box should appear.
Use the same service account and password that are configured in the Data tab of the impacted SecureAuth realm.
In the Domain field, provide the AD server IP address or the domain name.
Click OK.
At the bottom of the window you should see: Authenticated as dn:'sa-srv' (where sa-srv is the service account name).
If not, confirm that the service account name and password are correct.
If yes, LDP is now bound to AD as the service account, and every subsequent search and modify is performed with that account's permissions.
STEP 2 – Find the full DN of the affected user ID for which the attribute is not being populated.
Click Browse and select Search.
The Search dialog should appear.
In Base DN, type the base DN of the directory in distinguished-name form (for example DC=corp,DC=example,DC=com); it should match the search base used by the data store connection in the Data tab.
In Filter, type (sAMAccountName=abc), where abc is the username for which you are checking the service account's permissions. The parentheses are the standard LDAP filter syntax.
Under Scope, select Subtree.
Click Run.
The DN of the affected user appears in the search results.
Copy that DN.
Then
Click View and select Tree.
The Tree View dialog should appear.
Paste the DN into it as the base DN.
Click OK.
LDP then lists every attribute of the user's account that the service account is able to read.
The attribute you are looking for must be in this list. If it is not, the service account is unable to read it, or the attribute simply has no value on that user object: LDAP does not return attributes that are unset, so the two cases look identical from the client. To tell them apart, repeat the check against a user that is known to have the attribute populated, or bind with an account that is known to have read access and compare the two listings.
STEP 3 – Check whether the service account has read/write permissions on the particular attribute
Click Browse and select Modify.
The Modify dialog should appear.
In DN, type or paste the user DN found in STEP 2.
Attribute: otherMobile (or whichever attribute you are testing)
Values: a test value of your choice. Keep the Operation set to Add, which appends a value to a multi-valued attribute such as otherMobile without overwriting existing values; use Replace only if you intend to overwrite them.
Click Enter to add the change to the entry list.
Then click Run.
If the attempt is not successful you will get an error (typically an insufficient access rights error), which means the service account does not have the required write permission on that attribute.
A successful attempt should give you the message below.
If it succeeds, confirm that the value is reflected in the attribute in the user's AD profile.
Note that this test really writes to the user's object. Run it against a test user where possible, and remove the test value afterwards (run Modify again on the same DN with the Operation set to Delete and the same attribute and value).
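The same three checks can be scripted, which is useful when several attributes or several users have to be tested. The script below is an added example written for this article, not code from the SecureAuth KB or product; it uses the built-in System.DirectoryServices classes, so it runs on any Windows host without the RSAT ActiveDirectory module. The server name, base DN, service account, user name and attribute are placeholders to be replaced with the values from the realm's Data tab. Unlike the manual procedure, it removes the test value again after verifying the write.

```powershell
# Added example (not from the SecureAuth KB article): scripted equivalent of the
# three LDP.EXE steps above. All names below are placeholders (assumptions).

function Test-ServiceAccountAttributeAccess {
    param(
        [string]$Server,           # AD server IP or FQDN, as in the Bind dialog
        [string]$BaseDn,           # base DN, as in the Data tab's data store connection
        [string]$ServiceAccount,   # e.g. 'CORP\sa-srv' (assumed name)
        [string]$Password,
        [string]$SamAccountName,   # user whose attribute is not being populated
        [string]$Attribute = 'otherMobile'
    )

    # Step 1: bind as the service account. RefreshCache() forces the bind and
    # throws if the credentials are rejected.
    $root = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server/$BaseDn", $ServiceAccount, $Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    try { $root.RefreshCache() } catch { throw "Bind failed for ${ServiceAccount}: $($_.Exception.Message)" }
    Write-Host "Bound as $ServiceAccount"

    # Step 2: subtree search for the user, requesting only the DN and the attribute.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter      = "(&(objectClass=user)(sAMAccountName=$SamAccountName))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add($Attribute)
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "User $SamAccountName not found under $BaseDn (or not readable by $ServiceAccount)" }
    $dn = $result.Properties['distinguishedname'][0]
    Write-Host "User DN: $dn"

    # Read check. LDAP does not return attributes that are unset, so a missing
    # attribute means either 'no read permission' or 'no value'.
    $canRead = $result.Properties.Contains($Attribute.ToLower())
    if ($canRead) {
        $values = $result.Properties[$Attribute.ToLower()] -join ', '
        Write-Host "Read check: $Attribute returned (values: $values)"
    } else {
        Write-Host "Read check: $Attribute not returned (unreadable or unset)"
    }

    # Step 3: write check. otherMobile is multi-valued, so Add a distinctive test
    # value rather than Replace, verify it, then remove it so the object is left as
    # it was. (The manual KB procedure leaves the test value in place.)
    $entry     = $result.GetDirectoryEntry()
    $testValue = 'perm-test-' + (Get-Date -Format 'yyyyMMddHHmmss')
    $canWrite  = $false
    try {
        [void]$entry.Properties[$Attribute].Add($testValue)
        $entry.CommitChanges()
        $entry.RefreshCache([string[]]@($Attribute))
        $canWrite = @($entry.Properties[$Attribute].Value) -contains $testValue
        Write-Host "Write check: succeeded, $Attribute now contains '$testValue' (verified: $canWrite)"
    } catch {
        # A missing write permission surfaces here as a DirectoryServices/COM
        # exception whose message refers to insufficient access rights.
        Write-Host "Write check: FAILED - $($_.Exception.Message)"
    } finally {
        if ($canWrite) {
            $entry.Properties[$Attribute].Remove($testValue)
            $entry.CommitChanges()
            Write-Host "Test value removed again"
        }
    }

    [pscustomobject]@{ User = $dn; Attribute = $Attribute; CanRead = $canRead; CanWrite = $canWrite }
}

# Example invocation with placeholder values (the same ones you would type into LDP).
$cred = Get-Credential -Message 'SecureAuth service account (as in the realm Data tab)'
Test-ServiceAccountAttributeAccess -Server 'dc01.corp.example.com' `
    -BaseDn 'DC=corp,DC=example,DC=com' `
    -ServiceAccount $cred.UserName `
    -Password $cred.GetNetworkCredential().Password `
    -SamAccountName 'abc' -Attribute 'otherMobile'
```

Run it from the appliance (or any domain-joined host that can reach the AD server) under an interactive session; the returned object records, per user and attribute, whether the service account could read and write it. Because CanRead is false both when the attribute is unreadable and when it is unset, treat a false CanRead together with a true CanWrite as "probably unset" and compare against a user known to have the attribute populated.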
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.