Steps to use the LDP.EXE tool to confirm if the SecureAuth service account has proper permissions to Read/Write a particular attribute.

    Applies to:
      • SecureAuth Identity Platform
      • Legacy SecureAuth IdP
    Deployment model:
      • Hybrid
      • On Premises
    Version affected: All

    Description:

    This article explains how to use the LDP.EXE tool to confirm whether the SecureAuth service account has the permissions needed to read and write a particular attribute.

     

    Resolution:

    Use the LDP.EXE tool to confirm whether the SecureAuth service account has the permissions needed to read and write a particular attribute, following the three steps below.

     

    Step 1 – Bind the service account to AD

    On the SecureAuth appliance, open ldp.exe by typing ldp.exe in the Run dialog box.

    [screenshot]

    The screen below should appear.

    [screenshot]

    Click Connection and select Bind.

    [screenshot]

    mceclip2.png

    The dialog box below should appear.

    [screenshot]

    Use the same service account and password that are configured in the Data tab of the affected SecureAuth realm.

    In the Domain field, enter the AD server IP address or domain name.

    [screenshot]

    Click OK.

    At the bottom of the window you should see: Authenticated as dn:'sa-srv' (where sa-srv is the service account name).

    If you do not see it, confirm that the service account password is correct.

    If you do see it, you have a bound connection to AD using the service account.

     

    Step 2 – Find the full DN of the affected user ID for which the attribute is not being populated

    Click Browse and select Search.

    [screenshot]

    The screen below should appear.

    [screenshot]

    In Base DN, enter the base DN of the AD domain, the same domain used in the Data tab's data store connection.

    [screenshot]

    In Filter, type samaccountname=abc (where abc is the username of the user for which you are checking the service account's permissions).

    Select Subtree.

    Click Run.

    The DN of the affected user appears in the search result.

    [screenshot]

    Copy it.

    Then click View and select Tree.

    [screenshot]

    The screen below should appear.

    [screenshot]

    Paste the DN into it and click OK.

    This shows all the attributes of the user's account that the service account is able to read.

    [screenshot]

    The attribute you are looking for must be in this list; if it is not, the service account is unable to read it.

     

    Step 3 – Check whether the service account has Read/Write permissions on the particular attribute

    Click Browse and select Modify.

    [screenshot]

    The screen below should appear.

    [screenshot]

    In DN, type or paste the same value found in Step 2.

    Attribute: OtherMobile

    Value: (type a value of your choice)

    Click Enter, then click Run.

    If the attempt is not successful you may get an error like the one below, which means the service account does not have the required permissions.

    [screenshot]

    A successful attempt gives you the message below.

    [screenshot]

    If it succeeds, check that the value is reflected in the attribute in the user's AD profile.
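    The same three checks, scripted so they can be re-run and so the test value written in Step 3 is put back afterwards. This is an added example, not code from the SecureAuth article or product; the server, base DN, user name and attribute are placeholder values, and it uses the .NET System.DirectoryServices.Protocols LDAP client, which issues the same bind, search and modify operations that ldp.exe does.

```powershell
Add-Type -AssemblyName System.DirectoryServices.Protocols
$Server    = 'dc01.example.com'    # placeholder: AD server IP or name (Step 1 "Domain" field)
$BaseDn    = 'DC=example,DC=com'   # placeholder: base DN used in the realm's Data tab
$User      = 'abc'                 # placeholder: sAMAccountName of the affected user (Step 2)
$Attribute = 'otherMobile'         # attribute under test (Step 3)
$Cred = Get-Credential -Message 'SecureAuth service account, e.g. DOMAIN\sa-srv'

# Step 1: bind as the service account. A wrong password throws an LdapException here.
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($Server)
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Credential = $Cred.GetNetworkCredential()
$conn.Bind()
"Bound to $Server as $($Cred.UserName)"

# Step 2: subtree search for the user; the attributes returned are those the account can read.
$search = [System.DirectoryServices.Protocols.SearchRequest]::new(
    $BaseDn, "(sAMAccountName=$User)",
    [System.DirectoryServices.Protocols.SearchScope]::Subtree, $null)   # $null = all attributes
$entries = $conn.SendRequest($search).Entries
if ($entries.Count -ne 1) { throw "Expected one entry for '$User', found $($entries.Count)" }
$entry = $entries[0]
"User DN : $($entry.DistinguishedName)"
$canRead = $entry.Attributes.Contains($Attribute)   # absent = not readable (or has no value)
"Readable: $canRead"

# Step 3: write a throwaway value, then put back whatever was there (ldp.exe leaves the test value).
$original = @()
if ($canRead) { $original = [string[]]$entry.Attributes[$Attribute].GetValues([string]) }
$probe = "perm-check-$(Get-Date -Format yyyyMMddHHmmss)"
$write = [System.DirectoryServices.Protocols.ModifyRequest]::new($entry.DistinguishedName,
    [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace, $Attribute, $probe)
try {
    [void]$conn.SendRequest($write)
    "Writable: True"
    $undo = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
    $undo.Name = $Attribute
    if ($original.Count -gt 0) {
        $undo.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
        [void]$undo.AddRange($original)
    } else {
        $undo.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    }
    [void]$conn.SendRequest([System.DirectoryServices.Protocols.ModifyRequest]::new($entry.DistinguishedName, $undo))
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    # InsufficientAccessRights here is the Step 3 "error" outcome: no write permission on the attribute
    "Writable: False ($($_.Exception.Response.ResultCode))"
}
$conn.Dispose()
```

    Run it on the SecureAuth appliance as the account you are testing; a readable but not writable result means only the read ACE is present, which is the least-privilege configuration when SecureAuth never needs to update that attribute.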

     

    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
