Isolating LDAP operational problems from SiteMinder on Unix

Document ID : KB000054507
Last Modified Date : 14/02/2018

Description:

The SiteMinder Policy Server ships with command-line LDAP tools that perform the same standard LDAP operations the Policy Server itself performs. When troubleshooting whether an LDAP-related problem lies with the Policy Server or with the Directory Server, it helps to perform the request outside of the Policy Server process.

For instance, suppose an LDAP search performed by the Policy Server resulted in LDAP error 85 or 90.

Solution:

Perform the same search from the command line, using the same base DN, scope and search filter, bound to the same server and port, and as the same administrative user that SiteMinder uses. If the problem is not related to SiteMinder logic, the command-line search should result in the same error.

$ ldapsearch -b dc=ca,dc=com uid=\*

The status code returned from the LDAP operation becomes the command's exit status, which the shell stores in the "$?" variable. To display the status:

$ echo $?
85

(Note that the above only works with the ksh and sh shell variants.)

Remember that it is imperative that you perform exactly the same search as the Policy Server (e.g., make sure you have the same bind DN, base DN, IP, port, filter, etc.).
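
The check above, wrapped as a small sh helper that captures the exit status before anything else can overwrite "$?" and reports whether the code came from the directory server or from the client library. This is an added example, not part of the original article or the product. It assumes the shipped ldapsearch uses the classic LDAP C API numbering (codes 81-97 are client-side) and accepts the conventional -h, -p, -D and -s options; all values in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Added example. Function names are hypothetical helpers, not SiteMinder tools.

# Symbolic name for the result codes most often seen when isolating a search.
ldap_rc_name() {
    case "$1" in
        0)  echo LDAP_SUCCESS ;;
        1)  echo LDAP_OPERATIONS_ERROR ;;
        3)  echo LDAP_TIMELIMIT_EXCEEDED ;;
        4)  echo LDAP_SIZELIMIT_EXCEEDED ;;
        32) echo LDAP_NO_SUCH_OBJECT ;;
        49) echo LDAP_INVALID_CREDENTIALS ;;
        50) echo LDAP_INSUFFICIENT_ACCESS ;;
        81) echo LDAP_SERVER_DOWN ;;
        85) echo LDAP_TIMEOUT ;;
        87) echo LDAP_FILTER_ERROR ;;
        90) echo LDAP_NO_MEMORY ;;
        91) echo LDAP_CONNECT_ERROR ;;
        *)  echo UNKNOWN ;;
    esac
}

# 0-80: result code sent by the directory server.
# 81-97: raised inside the client library (assumed classic C API numbering).
# Anything else (e.g. 127 "command not found") is not an LDAP result at all.
ldap_rc_origin() {
    if [ "$1" -ge 0 ] && [ "$1" -le 80 ]; then
        echo server
    elif [ "$1" -le 97 ]; then
        echo client
    else
        echo other
    fi
}

# Run ldapsearch with exactly the arguments given and summarize its status.
# Usage (constructed values; add the bind-password option your build supports):
#   ldap_probe -h ldap.example.com -p 389 -D "cn=smadmin,dc=ca,dc=com" \
#              -b dc=ca,dc=com -s sub 'uid=*'
ldap_probe() {
    rc=0
    # Entries are discarded; only the status matters. Errors stay on stderr.
    ldapsearch "$@" >/dev/null || rc=$?
    echo "rc=$rc name=$(ldap_rc_name "$rc") origin=$(ldap_rc_origin "$rc")"
    return "$rc"
}
```

An origin of "client" for 85 or 90 means the failure was produced by the LDAP client library on the machine running the search; reproducing the same code from the command line shows that it does not depend on SiteMinder logic.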