How to test whether LDAP is working properly.

(Last modified: 05Feb2003)

This document (10059954) is provided subject to the disclaimer at the end of this document.

goal

How to test whether LDAP is working properly.

fact

Novell LDAP version 3.x

Novell LDAP version 85.x

symptom

LDAP seems to be returning incorrect information (more or less than the rights should be giving)

LDAP doesn't work with an application

fix

This solution assumes that LDAP and SSL have already been configured.  For more information about configuring LDAP for SSL, see Solution 10023209.

This solution is designed to determine whether an LDAP-related problem is coming from a problem with NDS and the LDAP server, or from the client application that is making the LDAP requests.

An excellent resource for the configuration, testing, and development of LDAP for NDS can be found in Novell's LDAP Developer's Guide by Roger G. Harrison, Jim Sermersheim, and Steve Trottier; published 2000 (ISBN 0-7645-4720-8).

CONFIGURE DSTRACE TO VIEW RESULTS:
Before continuing, make sure that DSTRACE is configured to view the back end of LDAP queries.  This will make troubleshooting problems much easier.  These instructions are for NetWare only; for NT and Linux/UNIX, the setup will be slightly different, but the process will be the same.
1)  Type DSTRACE ON at the NetWare console to load the dstrace nlm.  
2)  Type DSTRACE again at the NetWare console to display a list of available options.
3)  Type DSTRACE -ALL to turn off all other filters (you need the latest versions of dstrace for this feature to work; earlier versions may need DSTRACE CLEAR ALL).
4)  Type DSTRACE +LDAP to turn on the LDAP filter which allows display of LDAP messages.
5)  To turn on the tracing to a screen, type DSTRACE SCREEN ON.  To trace to a file, type DSTRACE FILE ON.
6)  Configure which options will be traced by launching ConsoleOne (preferably version 1.2d or later; the snapins are modified in these versions).  Go to the LDAP server object and open the properties.  Switch to the tab labeled "Screen Options."  This tab allows you to choose which items are traced once DSTRACE has been enabled.  For testing purposes, choose Critical Errors, Configuration Processing, Informational Messages, Search Response Summary, and Connection Information.  This will enable DSTRACE to show the query posed by the client, the authentication mechanism, and the results of the query.
7)  Be aware that DSTrace causes the server to take a big hit in performance; turn it off once testing is completed.

CONFIGURING THE TREE FOR TESTING:
The tests in this solution were performed on a single-server tree running eDirectory 8.5, although that should not be a determining factor in the process.  To match the conditions of the tests below, make sure that admin has full rights to everything, and is a trustee at [Root] with explicit rights to all entry options and all attribute/property options (this is not the default; by default, admin only has supervisor entry rights).  Then make sure that an LDAP proxy user is assigned as a trustee (normally at [Root]) and that it has NO rights.  This is important so that LDAP will not return the whole tree as results when an anonymous query is performed.  If this is not done, then the proxy user will inherit the rights of [Public], which means by default that it will have BROWSE rights to the whole tree.  You can do this by making sure that all the check boxes except for "inheritable" are unchecked, not grey.

An LDAP proxy user is used so that anonymous queries are limited to certain information.  By configuring a proxy user with specific (limited) rights, anonymous queries will return limited information.  Otherwise, anonymous queries will return information according to the rights of [Public].  An LDAP proxy user is a standard NDS user object (with any name) that has a blank password.  This is critical, since either NO password or ANY password will cause the object to fail when authenticating.  If a proxy user does not have a password, then it has no public/private key pair, and thus will NEVER be able to log in.  If a proxy user has ANY password (any combination of characters), then the object will not be able to log in generically.  Therefore, it needs to have a password that is BLANK; this will allow the object to log in generically without problems.

ABOUT UTILITIES FOR TESTING:
There are multiple products with which to test LDAP.  The Netscape web browser (4.x) is an easy tool to use, and works pretty well for generic queries to test whether the LDAP server is working in general.  However, there are a few known issues with it, and so it might be better to use a different utility that allows for more customization of queries.  The queries in the tests below were all performed with the "ldapsearch" utility from the Netscape SDK.  This is a third-party tool and is not endorsed or supported by Novell.  It can be found in the Netscape LDAP SDK.  Similar utilities can be found elsewhere, including one provided by Novell.  This utility has the same name as the Netscape utility, but a slightly different syntax.  It can be found on the CDROM that accompanies the book mentioned above.

TESTING LDAP:
LDAP queries/actions can be classified by asking two questions: is the query secure (does it use SSL), and is the query authenticated (are you querying anonymously or as a specific user).  The answers to these two questions provide for four types of LDAP queries:

A)  authenticated, non-secure query
B)  unauthenticated, non-secure query (proxy)
C)  authenticated, secure query (SSL)
D)  unauthenticated, secure query (SSL, proxy)

To determine whether the server or the client is causing a problem, it is necessary to try each of these queries with a utility that is known to work properly.  If queries of each of the above types work with this utility but not with another application, then the problem must lie within the application itself and not the NDS LDAP server.  The NDS LDAP server is based on open LDAP standards, and thus will work with any LDAP client that forms its queries correctly.

The syntax of the Netscape ldapsearch utility is somewhat difficult.  To learn more about the correct syntax go to http://developer.netscape.com/docs/manuals/directory/41/ag/find.htm and http://developer.netscape.com/docs/manuals/enterprise/mngserv/ldapsrch.htm.  The basic syntax of the utility is shown at the bottom of this document.  There are a couple of items to be careful of for SSL queries.  Since Netscape created the utility, they want you to use the certificate database from the Netscape browser.  The syntax for the query shows that I was using "A:\CERT7.DB".  This is the certificate database file that I pulled out of Communicator after importing my trusted root certificate from NDS.  The database is located in [netscape root directory]\users\[name of profile, like default].  Another file needs to accompany the certificate database.  This is the security module KEY3.DB.  It should be copied from the netscape profile directory to the same location as the certificate database used for the query.  Together, these two files provide the information the utility requires for SSL connections.  If you receive a -8174 error, it is likely that these files were not copied correctly, or that their contents are not correct.

The results of each of the four types of tests are shown below, as well as the syntax, and a copy of the results from the dstrace screen with LDAP options turned on.

In short, unauthenticated connections returned information only for the proxy user, because it can only see itself.  When a query was formed to log in as admin, who could see everything, results were returned for everything.  The query could have been formed to request all attributes, but it limited the search results to show the CN and DN only (see the last part of the search string).

These results may be inconsistent with the results seen in the Netscape browser and address book.  Novell cannot explain this; you need to contact Netscape about it.  By using the command-line utility, you are able to force the authentication and whether to use SSL or not.  If you still aren't convinced that the connection is being made over a secure port, try disabling port 389 so the system has no choice but to bind through the secure port 636.  If it still works, then you are guaranteed to be making an SSL connection.  If it works, but you are seeing more or less information than you think you should be seeing, make sure your rights assignments are set properly.  Use the effective rights option in ConsoleOne to verify this.

Once you have verified that this is working properly, then any application that returns different information is a fault in that application.  For example, the Netscape address book binds as 'anonymous' even when you try to log in.  This appears to be an issue with that product.

EXAMPLE OF TEST RESULTS AND SEARCH SYNTAX:
The test results below include both the ldapsearch output and the DSTRACE screen with the LDAP switches enabled.  Results are returned in LDIF format.  As a note, these queries can easily be created as batch files which can then be edited in text editors like Notepad.  Then, run the batch file from the command prompt to prevent retyping the whole query each time.

*************AUTHENTICATED, NON-SECURE SEARCH***********************
A:\>ldapsearch -b o=novell -h 10.10.10.1 -D cn=admin,o=novell -w novell -E -u "cn=*" cn

version: 1
dn: cn=admin,o=novell
ufn: admin,novell
cn: admin

dn: cn=Bulkload,o=novell
ufn: Bulkload,novell
cn: Bulkload Object
cn: Bulkload

dn: cn=CKLINE-51,o=novell
ufn: CKLINE-51,novell
cn: CKLINE-51

dn: cn=CKLINE-51_SYS,o=novell
ufn: CKLINE-51_SYS,novell
cn: CKLINE-51_SYS

dn: cn=CKLINE-51_VOL1,o=novell
ufn: CKLINE-51_VOL1,novell
cn: CKLINE-51_VOL1

dn: cn=LDAP Group - CKLINE-51,o=novell
ufn: LDAP Group - CKLINE-51,novell
cn: LDAP Group - CKLINE-51

dn: cn=LDAP Server - CKLINE-51,o=novell
ufn: LDAP Server - CKLINE-51,novell
cn: LDAP Server - CKLINE-51

*************RESULTS ON DSTRACE SCREEN FROM ABOVE SEARCH***********************
Created new monitor 0x0
Monitor 0x1dd started
DoBind on connection 0xd044fac0
DoBind: name = 'cn=admin,o=novell', client version = 3, method = 0x80
send_ldap_result 0:"":"" to connection 0xd044fac0
DoSearch on connection 0xd044fac0
get_filter: begin get_filter
get_filter: PRESENT
SRCH base "o=novell" scope 2 deref 0
    sizelimit 0 timelimit 0 attrsonly 0
    filter: (cn=*)
    attrs:
          cn
nds_back_search: getOperationalAttrs is TRUE
=> send_search_entry (cn=admin,o=novell)
=> send_search_entry (cn=Bulkload,o=novell)
=> send_search_entry (cn=CKLINE-51,o=novell)
=> send_search_entry (cn=CKLINE-51_SYS,o=novell)
=> send_search_entry (cn=CKLINE-51_VOL1,o=novell)
=> send_search_entry (cn=LDAP Group - CKLINE-51,o=novell)
=> send_search_entry (cn=LDAP Server - CKLINE-51,o=novell)
send_ldap_result 0:"":"" to connection 0xd044fac0
DoUnbind on connection 0xd044fac0

*************ANONYMOUS, NON-SECURE SEARCH***********************
A:\>ldapsearch -b o=novell -h 10.10.10.1 -E -u "cn=*" cn

version: 1
dn: cn=proxy,o=novell
ufn: proxy,novell
cn: proxy

*************RESULTS ON DSTRACE SCREEN FROM ABOVE SEARCH***********************
DoSearch on connection 0xd044fac0
DoBind on connection 0xd044fac0
DoBind: name = 'anonymous', client version = 3, method = 0x80
get_filter: begin get_filter
get_filter: PRESENT
SRCH base "o=novell" scope 2 deref 0
    sizelimit 0 timelimit 0 attrsonly 0
    filter: (cn=*)
    attrs:
          cn
nds_back_search: getOperationalAttrs is TRUE
=> send_search_entry (cn=proxy,o=novell)
send_ldap_result 0:"":"" to connection 0xd044fac0
DoUnbind on connection 0xd044fac0

*************AUTHENTICATED, SECURE SEARCH***********************
A:\>ldapsearch -b "o=novell" -h 10.10.10.1 -p 636 -Z -P a:\cert7.db -D cn=admin,o=novell -w novell -E -u "cn=*" cn

version: 1
dn: cn=admin,o=novell
ufn: admin,novell
cn: admin

dn: cn=Bulkload,o=novell
ufn: Bulkload,novell
cn: Bulkload Object
cn: Bulkload

dn: cn=CKLINE-51,o=novell
ufn: CKLINE-51,novell
cn: CKLINE-51

dn: cn=CKLINE-51_SYS,o=novell
ufn: CKLINE-51_SYS,novell
cn: CKLINE-51_SYS

dn: cn=CKLINE-51_VOL1,o=novell
ufn: CKLINE-51_VOL1,novell
cn: CKLINE-51_VOL1

dn: cn=LDAP Group - CKLINE-51,o=novell
ufn: LDAP Group - CKLINE-51,novell
cn: LDAP Group - CKLINE-51

dn: cn=LDAP Server - CKLINE-51,o=novell
ufn: LDAP Server - CKLINE-51,novell
cn: LDAP Server - CKLINE-51

*************RESULTS ON DSTRACE SCREEN FROM ABOVE SEARCH***********************
DoBind on connection 0xd044fac0
DoBind: name = 'cn=admin,o=novell', client version = 3, method = 0x80
send_ldap_result 0:"":"" to connection 0xd044fac0
DoSearch on connection 0xd044fac0
get_filter: begin get_filter
get_filter: PRESENT
SRCH base "o=novell" scope 2 deref 0
    sizelimit 0 timelimit 0 attrsonly 0
    filter: (cn=*)
    attrs:
          cn
nds_back_search: getOperationalAttrs is TRUE
=> send_search_entry (cn=admin,o=novell)
=> send_search_entry (cn=Bulkload,o=novell)
=> send_search_entry (cn=CKLINE-51,o=novell)
=> send_search_entry (cn=CKLINE-51_SYS,o=novell)
=> send_search_entry (cn=CKLINE-51_VOL1,o=novell)
=> send_search_entry (cn=LDAP Group - CKLINE-51,o=novell)
=> send_search_entry (cn=LDAP Server - CKLINE-51,o=novell)
send_ldap_result 0:"":"" to connection 0xd044fac0
DoUnbind on connection 0xd044fac0

*************ANONYMOUS, SECURE SEARCH***********************
A:\>ldapsearch -b "o=novell" -h 10.10.10.1 -p 636 -Z -P a:\cert7.db -E -u "cn=*" cn

version: 1
dn: cn=proxy,o=novell
ufn: proxy,novell
cn: proxy

*************RESULTS ON DSTRACE SCREEN FROM ABOVE SEARCH***********************
DoSearch on connection 0xd044fac0
DoBind on connection 0xd044fac0
DoBind: name = 'anonymous', client version = 3, method = 0x80
get_filter: begin get_filter
get_filter: PRESENT
SRCH base "o=novell" scope 2 deref 0
    sizelimit 0 timelimit 0 attrsonly 0
    filter: (cn=*)
    attrs:
          cn
nds_back_search: getOperationalAttrs is TRUE
=> send_search_entry (cn=proxy,o=novell)
send_ldap_result 0:"":"" to connection 0xd044fac0
DoUnbind on connection 0xd044fac0
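The client-side LDIF output and the server-side DSTRACE screen shown above can be cross-checked mechanically.  The Python below is an added example and not part of the original TID; it embeds constructed samples modelled on the authenticated, non-secure transcript and flags the two conditions the text describes: the application binding as a different identity than intended (for example, 'anonymous' instead of admin), and the client displaying more or fewer entries than DSTRACE shows the server sending.  Function names are my own.

```python
import re

# Constructed sample of ldapsearch LDIF output (modelled on the transcripts above).
LDIF_SAMPLE = """version: 1
dn: cn=admin,o=novell
ufn: admin,novell
cn: admin

dn: cn=Bulkload,o=novell
ufn: Bulkload,novell
cn: Bulkload Object
cn: Bulkload
"""

# Constructed sample of the matching DSTRACE screen with the LDAP filter on.
DSTRACE_SAMPLE = """DoBind on connection 0xd044fac0
DoBind: name = 'cn=admin,o=novell', client version = 3, method = 0x80
send_ldap_result 0:"":"" to connection 0xd044fac0
DoSearch on connection 0xd044fac0
SRCH base "o=novell" scope 2 deref 0
    filter: (cn=*)
=> send_search_entry (cn=admin,o=novell)
=> send_search_entry (cn=Bulkload,o=novell)
send_ldap_result 0:"":"" to connection 0xd044fac0
DoUnbind on connection 0xd044fac0
"""


def ldif_dns(text):
    """DNs of the entries the client actually displayed."""
    return [m.group(1).strip() for m in re.finditer(r"^dn:\s*(.+)$", text, re.M)]


def trace_summary(text):
    """Bind identity, search filter and the DNs the server says it sent."""
    bind = re.search(r"DoBind: name = '([^']*)'", text)
    filt = re.search(r"^\s*filter:\s*(.+)$", text, re.M)
    sent = re.findall(r"=> send_search_entry \((.+)\)", text)
    return {"bind": bind.group(1) if bind else None,
            "filter": filt.group(1).strip() if filt else None,
            "sent": sent}


def diagnose(ldif, trace, expected_bind):
    """Return findings; an empty list means client and server agree.

    A wrong bind identity or a client showing a different set of entries than
    the server traced points at the application; matching output with too many
    or too few entries points at NDS rights (check effective rights instead)."""
    shown = ldif_dns(ldif)
    t = trace_summary(trace)
    findings = []
    if t["bind"] != expected_bind:
        findings.append(f"bound as {t['bind']!r}, expected {expected_bind!r}")
    if set(t["sent"]) != set(shown):
        missing = sorted(set(t["sent"]) - set(shown))
        extra = sorted(set(shown) - set(t["sent"]))
        findings.append(f"client/server mismatch: missing={missing} extra={extra}")
    return findings
```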


Netscape's LDAPSEARCH utility syntax
usage: ldapsearch -b basedn [options] filter [attributes...]
       ldapsearch -b basedn [options] -f file [attributes...]
where:
    basedn      base dn for search
                (if the environment variable LDAP_BASEDN is set,
                then the -b flag is not required)
    filter      RFC-2254 compliant LDAP search filter
    file        file containing a sequence of LDAP search filters to use
    attributes  whitespace-separated list of attributes to retrieve
                (if no attribute list is given, all are retrieved)
options:
 -n          show what would be done but don't actually do it
 -v          run in verbose mode (diagnostics to standard output)
 -h host     LDAP server name or IP address
 -p port     LDAP server TCP port number
 -V n        LDAP protocol version number (2 or 3; default is 3)
 -Z          make an SSL-encrypted connection
 -P pathname path to SSL certificate database
 -N          name of certificate to use for SSL client authentication
 -K pathname path to key database to use for SSL client authentication
 -m pathname path to security module database
 -W          SSL key password
 -Q [token][:certificate name]       PKCS 11
 -X pathname FORTEZZA compromised key list (CKL)
 -I pin      card password file
 -D binddn   bind dn
 -w passwd   bind passwd (for simple authentication)
 -E          ask server to expose (report) bind identity
 -R          do not automatically follow referrals
 -O hop lim  maximum number of referral hops to traverse
 -M          manage references (treat them as regular entries)
 -0          ignore LDAP library version mismatches
 -i charset  character set for command line input (default is locale)
 -k dir      conversion routine directory (default is .)
 -y proxydn  DN used for proxy authorization
 -H          display usage information
 -t          write values to files in temp directory.
 -U          produce file URLs in conjunction with -t
 -e          minimize base-64 encoding of values
 -u          include User Friendly entry names in the output
 -o          print entries using old format (default is LDIF)
 -T          don't fold (wrap) long lines (default is to fold)
 -1          omit leading "version: 1" line in LDIF output
 -A          retrieve attribute names only (no values)
 -B          print non-ASCII values when old format (-o) is used
 -x          performing sorting on server
 -F sep      print `sep' instead of `=' between attribute names and values
 -S attr     sort the results by attribute `attr'
 -s scope    one of base, one, or sub (search scope)
 -a deref    one of never, always, search, or find (alias dereferencing)
 -l time lim time limit (in seconds) for search
 -z size lim size limit (in entries) for search
 -G before:after:index:count | before:after:value where 'before' and
             'after' are the number of entries surrounding 'index.'
             'count' is the content count, 'value' is the search value.

See also: How to configure Netscape Communicator 4.x to allow secure LDAP queries (Solution 10055199)

document

Document Title: How to test whether LDAP is working properly.
Document ID: 10059954
Solution ID: NOVL38322
Creation Date: 23Jan2001
Modified Date: 05Feb2003
Novell Product Class: Connectivity Products
End of Life
Groupware
NetWare
Novell BorderManager Services
Novell eDirectory
Other
Web Services

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.