The sdaceldap utility is located in the c:\ace\utils\toolkit directory on Windows and the /ace/utils/toolkit directory on UNIX systems. It compares an LDAP directory with the RSA Authentication Manager database and generates a comma-separated values (.csv) file with user information that you can import into the database through the Manage LDAP Users menu item. (You can choose to import only the information that the user is an LDAP user, or to add certain user extension information such as an e-mail address or telephone extension.)
You can run this utility on a Primary or a Replica, but you must import the file on a Primary.
Two options determine the contents of the file generated by the sdaceldap utility: import and compare. The import option generates a file that lists the following:
• Users whose default logins are found in the LDAP directory, but not in the RSA Authentication Manager database. Importing this file into the database creates a user record for each user in which he or she is designated an LDAP user.
• Users whose default logins are found in both locations, but whose records in the Authentication Manager database do not identify them as LDAP users. You can handle these “conflicting” users individually or globally. Your global options are as follows:
– Do not import them into the RSA Authentication Manager database.
– Import them by overwriting everything in their current user records.
– Import them by leaving current user data untouched and updating only the LDAP User field (plus any extension data fields you may have specified for the import).
The compare option generates a file that lists users who have been designated as LDAP users in the database, but whose entries in the LDAP directory have changed in some way—either some information in the LDAP entry for that user has changed, or the entry has been deleted. Only users whose records in the RSA Authentication Manager database identify them as LDAP users are compared with the users in the LDAP directory.
RSA Authentication Manager 6.1 Administrator’s Guide
112 6: Registering Users for Authentication
The first time you run the utility, use the import option. (The compare option is ineffective until the RSA Authentication Manager database contains some LDAP users.) After the first time, choose the import or the compare option according to your purpose:
• To add to the Authentication Manager database users whose entries in the LDAP directory are new since your last import operation, choose import.
• To update the records of users who were previously imported from the LDAP directory, choose compare.
When you import the .csv file created through this option, the user extension information you originally imported from the LDAP entry is updated if it has changed. For users who are no longer in the LDAP directory, you can choose (for individual users or for all users in this category) to remove the LDAP user designation from the user record in the Authentication Manager database or to delete the record completely.
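The following Python model, added here as an illustration and not RSA's own code, shows the difference between what the import and compare options report and how the three global choices for "conflicting" users are applied. The directory and database contents are constructed sample data, and the real CSV layout written by sdaceldap is not reproduced.

```python
"""Model of what the sdaceldap import and compare options report.

Added illustration, not RSA's code: the utility's real CSV layout is not
reproduced, and the sample directory and database below are constructed.
"""

from dataclasses import dataclass


@dataclass
class LdapEntry:
    login: str          # default login used to match database records
    attrs: dict         # extension data, e.g. mail or telephone extension


@dataclass
class AmUser:
    login: str
    is_ldap_user: bool  # the "LDAP User" field in the Authentication Manager record
    attrs: dict


def import_report(ldap, db):
    """Return (new_logins, conflicting_logins), as the import option lists them."""
    new, conflicting = [], []
    for login in ldap:
        rec = db.get(login)
        if rec is None:
            new.append(login)              # in LDAP only: create as an LDAP user
        elif not rec.is_ldap_user:
            conflicting.append(login)      # in both, but not flagged as an LDAP user
    return new, conflicting


def compare_report(ldap, db):
    """Return (changed_logins, deleted_logins), as the compare option lists them.

    Only records already flagged as LDAP users are checked against the directory.
    """
    changed, deleted = [], []
    for login, rec in db.items():
        if not rec.is_ldap_user:
            continue
        entry = ldap.get(login)
        if entry is None:
            deleted.append(login)          # entry gone from the directory
        elif entry.attrs != rec.attrs:
            changed.append(login)          # extension data differs
    return changed, deleted


def resolve_conflict(rec, entry, policy, extension_fields=()):
    """Apply one of the three global choices for a conflicting user."""
    if policy == "skip":                   # do not import the user
        return rec
    if policy == "overwrite":              # replace everything in the record
        return AmUser(rec.login, True, dict(entry.attrs))
    if policy == "flag_only":              # set the LDAP User field, keep other data
        attrs = dict(rec.attrs)
        for name in extension_fields:      # plus any extension fields chosen for import
            if name in entry.attrs:
                attrs[name] = entry.attrs[name]
        return AmUser(rec.login, True, attrs)
    raise ValueError(f"unknown policy: {policy}")


# Constructed sample data (not from the product documentation).
LDAP = {
    "alice": LdapEntry("alice", {"mail": "alice@example.test", "ext": "101"}),
    "bob": LdapEntry("bob", {"mail": "bob@example.test", "ext": "102"}),
    "carol": LdapEntry("carol", {"mail": "carol@example.test", "ext": "303"}),
}
DB = {
    "bob": AmUser("bob", False, {"mail": "bob@example.test", "ext": "102"}),      # local user, same login
    "carol": AmUser("carol", True, {"mail": "carol@example.test", "ext": "103"}),  # imported earlier, ext changed
    "dave": AmUser("dave", True, {"mail": "dave@example.test", "ext": "104"}),     # imported earlier, now gone
}

if __name__ == "__main__":
    print("import:", import_report(LDAP, DB))
    print("compare:", compare_report(LDAP, DB))
```

With the sample data, import reports alice as new and bob as conflicting, while compare (which ignores bob because his record is not flagged as an LDAP user) reports carol as changed and dave as deleted.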
Syntax
The following table describes the options and arguments for the sdaceldap utility.
Option Argument Description

-b basedn
Specifies a base-level LDAP directory containing a distinguished user name for comparison.

-D binddn
A distinguished user name located in a specified LDAP server directory. This must be the name of an authorized administrator. With Microsoft Active Directory, you must use the -D option with a user recognized by the Windows domain. Otherwise 0 errors, 0 users are returned.

-d import | compare
Compares entries in the Authentication Manager database with entries from a corresponding LDAP directory, and generates an output file.
• The import option generates a file that contains a list of users who have entries in the LDAP directory, but do not have user records in the RSA Authentication Manager database.
• The compare option generates a file that contains a list of users who have been designated as LDAP users in the RSA Authentication Manager database, but whose entries in the LDAP directory have changed in some way.

-h hostname or IP address
The LDAP server name or IP address.

-m mapfile
The map file required during comparison that is used to map the LDAP directory entries to the RSA Authentication Manager database fields. RSA Security provides map files for the following LDAP servers:
• Sun ONE Directory Server (sunone.map)
• Novell NDS eDirectory (novell.map)
• Microsoft Active Directory (active.map)

-o filename
The name of the CSV output file.

-P pathname
The pathname to a certificate database containing certificates for use with an SSL connection.

-p ldap port
The TCP port number used by sdaceldap to connect to an LDAP directory server. The default is 389.

-s base | one | sub
Specifies the levels of the LDAP directory that you want to search:
– base: search the base DN
– one: search one level below the base
– sub: search all levels below the base

-w password
Specifies the password to be used with a distinguished name.

-Z None
Specifies an SSL-encrypted connection to the LDAP directory. When establishing the SSL connection, you must supply the -P argument to access the certificate database.
Example
The following example creates a file that contains a list of all the users in the LDAP directory who do not have user records in the Authentication Manager database.
This example is run on the AIX platform against a Microsoft Active Directory server, using a Secure Sockets Layer (SSL) connection. The certificate from the Microsoft Active Directory server was imported into a Netscape browser, and then the cert7.db and key3.db files were copied into the directory path designated by the -P option.
sdaceldap -h active -p 636 -Z -P "/ace/data/ldapjobs/sslcerts"
-D "[email protected]" -w passwd -b "cn=Users,DC=hixville,DC=com"
-d import -m active.map -s sub -o aixact.csv "objectclass=user"
Note: The example constitutes a single command line. In this listing, line breaks are placed to keep options with their arguments.
When this command is run on an RSA Authentication Manager, the command points to an LDAP directory server named active and connects using port number 636. The -Z option indicates that an SSL connection should be used, and that the cert7.db and key3.db files that are needed to make the SSL connection are located in the /ace/data/ldapjobs/sslcerts directory. The user attempting to connect to the LDAP directory server is [email protected] with the password passwd. The utility searches in all sub (-s sub) levels under the base level cn=Users,DC=hixville,DC=com. The utility uses the map file for a Microsoft Active Directory server (-m active.map) to generate a file named aixact.csv. The filter objectclass=user limits the file to all users in the LDAP directory who do not have user records in the RSA Authentication Manager database.
Note: Filters apply only when importing (using the -d import option). They do not apply when using the -d compare option. For information about supported filters, see your LDAP directory documentation.
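The following Python helper, added here as an example and not part of RSA's toolkit, assembles an sdaceldap command line from named parameters and rejects the misuses that the option table and the note above rule out (-Z without -P, a filter with -d compare, an unknown -d or -s value). The sample call at the bottom mirrors the AIX/Active Directory example; the bind account binduser@hixville.com is a constructed placeholder, and run_sdaceldap() is an assumed wrapper that is never called by the sample itself.

```python
"""Assemble and sanity-check an sdaceldap command line before running it.

Added example, not RSA's code. It encodes only the option rules the utility
documents: -d takes import or compare, -s takes base, one or sub, -p defaults
to 389, -Z requires -P, and a search filter applies only with -d import.
The sdaceldap binary itself is not invoked unless run_sdaceldap() is called.
"""

import subprocess

VALID_MODES = {"import", "compare"}
VALID_SCOPES = {"base", "one", "sub"}


def build_sdaceldap_argv(host, bind_dn, password, base_dn, mode, mapfile, outfile,
                         scope="sub", port=389, ssl=False, certdb_path=None,
                         ldap_filter=None, binary="sdaceldap"):
    """Return the argument vector, raising ValueError on a documented misuse."""
    if mode not in VALID_MODES:
        raise ValueError(f"-d must be one of {sorted(VALID_MODES)}, got {mode!r}")
    if scope not in VALID_SCOPES:
        raise ValueError(f"-s must be one of {sorted(VALID_SCOPES)}, got {scope!r}")
    if ssl and not certdb_path:
        raise ValueError("-Z (SSL) requires -P with the certificate database path")
    if ldap_filter and mode != "import":
        raise ValueError("filters apply only with -d import, not -d compare")

    argv = [binary, "-h", host, "-p", str(port)]
    if ssl:
        argv += ["-Z", "-P", certdb_path]
    argv += ["-D", bind_dn, "-w", password, "-b", base_dn,
             "-d", mode, "-m", mapfile, "-s", scope, "-o", outfile]
    if ldap_filter:
        argv.append(ldap_filter)       # trailing filter, e.g. objectclass=user
    return argv


def redact_password(argv):
    """Copy of argv with the -w value masked, for logging or review."""
    out = list(argv)
    for i, tok in enumerate(out[:-1]):
        if tok == "-w":
            out[i + 1] = "********"
    return out


def run_sdaceldap(argv):
    """Execute the assembled command (assumed wrapper; not called by the sample)."""
    return subprocess.run(argv, check=True)


if __name__ == "__main__":
    # Mirrors the AIX/Active Directory example from the guide; the bind
    # account is a constructed placeholder.
    argv = build_sdaceldap_argv(
        host="active", port=636, ssl=True, certdb_path="/ace/data/ldapjobs/sslcerts",
        bind_dn="binduser@hixville.com", password="passwd",
        base_dn="cn=Users,DC=hixville,DC=com", mode="import", mapfile="active.map",
        scope="sub", outfile="aixact.csv", ldap_filter="objectclass=user",
    )
    print(" ".join(redact_password(argv)))
```

Because -w places the password in the argument list, it is visible in process listings on UNIX for as long as the utility runs; redact_password only keeps it out of your own logs and does not change that.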