How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I verify that a DS 5.x or 6 server is responding to LDAP requests without providing a password?

Last updated Apr 8, 2021

The purpose of this article is to provide information on verifying that a DS server is responding to LDAP requests without needing to authenticate or provide a password.


Verifying that a DS server is responding (DS 6.5 and later)

DS 6.5 and later servers provide health status checks for anonymous requests over HTTP and LDAP. This allows a remote application to check the health status of the DS server. See Release Notes › What's New in 6.5 (Monitoring) for further information.

You can monitor the health status of the DS server by reading the alive attribute of the root DSE. For example:

$ ./ldapsearch --hostname ds1.example.com --port 1389 --baseDN "" --searchScope base "(&)" alive
dn:
alive: true

See Administration Guide › Monitoring Health Status Anonymously Over LDAP for further information.

Verifying that a DS server is responding (Pre-DS 6.5)

You can verify that a DS server is responding in one of two ways:

  • Perform a base object search of the root entry, requesting the "1.1" pseudo attribute (which means return no attributes) in order to minimize the server's work and network usage. You can choose whether you want to authenticate; the default ACI does allow anonymous access to the root entry.
  • Perform an anonymous read of a user attribute (other than a password attribute); the ACIs allow anonymous read access.

Examples

Anonymous search of the root entry:

$ ./ldapsearch --hostname localhost --port 1636 --useSsl --trustAll --baseDN "" --searchScope base "(objectclass=*)" 1.1

Authenticated search of the root entry:

$ ./ldapsearch --hostname localhost --port 1636 --useSsl --trustAll --bindDN "cn=Directory Manager" --bindPassword password --baseDN "" --searchScope base "(objectclass=*)" 1.1

Anonymous read of a user attribute (dc):

$ ./ldapsearch --hostname localhost --port 1636 --useSsl --trustAll --baseDN dc=example,dc=com --searchScope base "(objectclass=*)" dc
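Added example, not ForgeRock's or the DS project's code: the same anonymous root DSE probe sent over a raw socket with hand-built BER, so a monitoring host without the DS tools can run the DS 6.5+ alive check (and, with attrs=("1.1",), the pre-6.5 no-attribute search). It assumes plaintext LDAP on ds1.example.com:1389 (no LDAPS/StartTLS) and that the default ACI still allows anonymous access to the root DSE; the socket read is the only part that needs a live server.

```python
# Added example, not ForgeRock's code: anonymous DS 6.5+ health probe over a raw socket with
# hand-built BER (plaintext LDAP only; "ds1.example.com":1389 below are assumed values).
import socket

def _ber(tag, payload):                        # BER TLV; short-form length is enough here (< 128 bytes)
    return bytes([tag, len(payload)]) + payload

def _tlv(buf, pos=0):                          # decode one TLV -> (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                               # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def _children(buf):                            # (tag, value) children of a constructed value
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _tlv(buf, pos); out.append((tag, val))
    return out

def build_health_probe(msg_id=1, attrs=("alive",)):   # SearchRequest, sent with no bind at all
    body = (_ber(0x04, b"") + _ber(0x0A, b"\x00") + _ber(0x0A, b"\x00")        # base "" (root DSE), baseObject, deref
            + _ber(0x02, b"\x00") + _ber(0x02, b"\x00") + _ber(0x01, b"\x00")  # sizeLimit, timeLimit, typesOnly
            + _ber(0xA0, b"")                                                  # empty AND filter, i.e. "(&)"
            + _ber(0x30, b"".join(_ber(0x04, a.encode()) for a in attrs)))    # requested attributes
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x63, body))         # [APPLICATION 3] SearchRequest

def parse_response(msg):   # LDAPMessage -> ("entry", {attr: [vals]}), ("done", resultCode) or ("other", None)
    op_tag, op = _children(_tlv(msg)[1])[1]
    if op_tag == 0x65:                                                         # SearchResultDone
        return "done", _children(op)[0][1][0]
    if op_tag != 0x64:                                                         # not a SearchResultEntry
        return "other", None
    entry = {}
    for _, pa in _children(_children(op)[1][1]):                               # PartialAttribute list
        (_, atype), (_, vals) = _children(pa)
        entry[atype.decode()] = [v.decode() for _, v in _children(vals)]
    return "entry", entry

def is_alive(messages):    # healthy only if an entry with alive: true came back; a success code alone is not enough
    return any(k == "entry" and e.get("alive") == ["true"] for k, e in map(parse_response, messages))

def probe(host="ds1.example.com", port=1389, timeout=3.0):   # send the probe, read until SearchResultDone
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_health_probe())
        buf, msgs = b"", []
        while not any(parse_response(m)[0] == "done" for m in msgs) and (chunk := s.recv(4096)):
            buf += chunk
            while len(buf) >= 2 and len(buf) >= (end := _tlv(buf)[2]):        # slice off complete messages
                msgs.append(buf[:end]); buf = buf[end:]
    return is_alive(msgs)
```

For the pre-6.5 method, call build_health_probe(attrs=("1.1",)) and treat a ("done", 0) response as success instead of is_alive(), since that search deliberately returns no attributes.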

Note

In situations where DS has surpassed its low-disk threshold, the server stops writing to disk and is therefore unable to check whether user authentications are failing. DS continues to work, but ordinary restricted user logins fail.

See Also

How do I perform a heartbeat check against DS (All versions)?

How do I check if a backend is online in DS (All versions)?

Administration Guide › Configuring ACIs

Related Training

ForgeRock Directory Services Core Concepts (DS-400)

Related Issue Tracker IDs

N/A


Copyright and Trademarks

Copyright © 2021 ForgeRock, all rights reserved.