How do I verify that a DS 6 server is responding to LDAP requests without providing a password?
The purpose of this article is to provide information on verifying that a DS server is responding to LDAP requests without needing to authenticate or provide a password.
Verifying that a DS server is responding (DS 6.5 and later)
DS 6.5 and later servers provide health status checks for anonymous requests over HTTP and LDAP. This allows a remote application to check the health status of the DS server. See What's New in 6.5 (Monitoring) for further information.
You can monitor the health status of the DS server by reading the alive attribute of the root DSE. For example:
$ ./ldapsearch --hostname ds.example.com --port 1389 --baseDN "" --searchScope base "(&)" alive
dn:
alive: true
See Monitoring Health Status Anonymously Over LDAP for further information.
Verifying that a DS server is responding (DS 6)
You can verify that a DS server is responding in one of two ways:
- Perform a base object search of the root entry, requesting the "1.1" pseudo attribute (which means return no attributes) in order to minimize the server's work and network usage. You can choose whether you want to authenticate; the default ACI does allow anonymous access to the root entry.
- Perform an anonymous read of a user attribute (other than a password attribute); the ACIs allow anonymous read access.
Examples
Anonymous search of the root entry:
$ ./ldapsearch --hostname localhost --port 1636 --useSsl --trustAll --baseDN "" --searchScope base "(objectclass=*)" 1.1
Authenticated search of the root entry:
$ ./ldapsearch --hostname localhost --port 1636 --useSsl --trustAll --bindDN "cn=Directory Manager" --bindPassword password --baseDN "" --searchScope base "(objectclass=*)" 1.1
Anonymous read of a user attribute (dc):
$ ./ldapsearch --hostname localhost --port 1636 --useSsl --trustAll --baseDN dc=example,dc=com --searchScope base "(objectclass=*)" dc
Note
When DS has passed the low-disk threshold, the server stops writing to disk and is therefore not able to check whether user authentications are failing. DS would continue to work, but ordinary restricted user logins would fail.
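The anonymous checks described above can be combined into one probe. The script below is an added example, not ForgeRock's code: it requests alive from the root DSE without a bind DN or password and classifies the ldapsearch output, treating an entry that comes back without alive (as expected from a DS 6 server, which predates the attribute) as responding. The function names, the LDAPSEARCH and PROBE_TIMEOUT variables, and the optional use of the coreutils timeout command are assumptions.

```shell
#!/bin/sh
# Added example (not from the DS documentation): anonymous DS liveness probe.

# Classify ldapsearch LDIF output read from stdin:
#   alive      - root DSE returned "alive: true" (DS 6.5 and later)
#   not-alive  - alive attribute present with any other value
#   responding - an entry came back without alive (expected from DS 6)
#   down       - no entry at all
classify_alive() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        tolower($1) == "dn:"    { entry = 1 }
        tolower($1) == "alive:" { alive = tolower($2) }
        END {
            if (alive == "true")  print "alive"
            else if (alive != "") print "not-alive"
            else if (entry)       print "responding"
            else                  print "down"
        }'
}

# probe_ds HOST PORT [extra ldapsearch options, e.g. --useSsl --trustAll]
# No bind DN or password is passed, so the search is anonymous.
probe_ds() {
    host=$1; port=$2; shift 2
    run=""
    # Assumption: coreutils "timeout" bounds a server that accepts the
    # connection but never answers; without it the probe may hang.
    if command -v timeout >/dev/null 2>&1; then
        run="timeout ${PROBE_TIMEOUT:-5}"
    fi
    out=$($run "${LDAPSEARCH:-./ldapsearch}" --hostname "$host" --port "$port" \
        "$@" --baseDN "" --searchScope base "(objectclass=*)" alive 2>/dev/null) \
        || { echo "down"; return 2; }
    status=$(printf '%s\n' "$out" | classify_alive)
    echo "$status"
    # Exit 0 for a healthy or responding server, 1 otherwise.
    case $status in alive|responding) return 0 ;; *) return 1 ;; esac
}

# Run as: ./probe.sh ds.example.com 1389
if [ "$#" -ge 2 ]; then
    probe_ds "$@"
fi
```

A monitoring job can act on the exit status alone: 0 means the server answered the anonymous search, 1 means it answered with alive set to something other than true, and 2 means ldapsearch failed or timed out.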
See Also
How do I perform a heartbeat check against DS (All versions)?
How do I check if a backend is online in DS (All versions)?
Related Training
ForgeRock Directory Services Core Concepts (DS-400)