Symantec Access Management

Some Helpful Queries for User Store and Provisioning Store Search 

01-02-2018 01:00 PM

Hi All,

 

I am sure we all come across searching user store and provisioning store on a regular basis. I am going to provide some helpful dxsearch queries that you can use against User Store (CA Directory) and Provisioning Store.

 

You can run these queries from CA Directory via command line.

 

Assumptions:

User Store - CA Directory

Base DN: ou=people,dc=ca,dc=com

User Store Port: 389

User Store Admin: uid=imadmin,ou=people,dc=ca,dc=com

User Store Host Name - userstorehostname

Provisioning Store Host Name - provdirhostname

DYN Endpoint - Endpoint1

OS: RHEL

 

Queries:

 

Count no. of global users in Provisioning Store:

 

dxsearch -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -h provdirhostname -p 20394 -w <password> eTGlobalUserName=* dxEntryCount 

 

Count no. of users in User Store:

 

dxsearch -b "ou=people,dc=ca,dc=com" -D "uid=imadmin,ou=people,dc=ca,dc=com" -h userstorehostname -p 389 -w <password> uid=* dxEntryCount

 

Count no. of Accounts in a DYN Endpoint in Provisioning Store:

 

dxsearch -b "eTDYNDirectoryName=Endpoint1,eTNamespaceName=Endpoint1,dc=im,dc=etadb" -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -h provdirhostname -p 20394 -w <password> eTDYNAccountName=* dxEntryCount

 

Count no. of Inclusions for a Endpoint in Provisioning Store:

 

dxsearch -b "eTSubordinateClass=eTDYNAccount,eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=etadb" -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -h provdirhostname -p 20394 -w <password>  eTSubordinateClassEntry=*eTNamespaceName\=Endpoint1* dxEntryCount

 

Count no. of Accounts for a Endpoint NOT Correlated to [deafult user] in Provisioning Store:

 

dxsearch -LLL -b "eTSuperiorClass=eTGlobalUser,eTInclusionContainerName=Inclusions,eTNamespaceName=CommonObjects,dc=im,dc=etadb" -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -h provdirhostname -p 20394 -w <password> \(\&\(\!\(eTSuperiorClassEntry=*\[default*\)\)\(eTSubordinateClassEntry=*eTNamespaceName\=Endpoint1*\)\) dxEntryCount

 

Count no. of Members of a group in User Store:

 

dxsearch -b "ou=groups,dc=ca,dc=com" -D "uid=imadmin,ou=people,dc=ca,dc=com" -h userstorehostname -p 389 -w <password> cn=Application1 | grep uniqueMember: | wc -l

 

Search Members dn of a Group in User Store:

 

dxsearch -b "ou=groups,dc=ca,dc=com" -D "uid=imadmin,ou=people,dc=ca,dc=com" -h userstorehostname -p 389 -w <password> cn=Application1 | grep uniqueMember:

 

Search Users with a condition in User Store:

 

Return DN:

 

dxsearch -b "ou=people,dc=ca,dc=com" -D "uid=imadmin,ou=people,dc=pep,dc=pvt" -h userstorehostname -p 389 -w <password> country="US" dn

 

Return Selected Attributes:

 

dxsearch -b "ou=people,dc=ca,dc=com" -D "uid=imadmin,ou=people,dc=pep,dc=pvt" -h userstorehostname -p 389 -w <password> country="US" dn uid givenName sn cn

 

Return Complete Entry:

 

dxsearch -b "ou=people,dc=ca,dc=com" -D "uid=imadmin,ou=people,dc=pep,dc=pvt" -h userstorehostname -p 389 -w <password> country="US"

 

Count:

 

dxsearch -b "ou=people,dc=ca,dc=com" -D "uid=imadmin,ou=people,dc=pep,dc=pvt" -h userstorehostname -p 389 -w <password> country="US" dxEntryCount

 

Complex Condition:

 

(&(state=Texas)(country=US))

 

dxsearch -b "ou=people,dc=ca,dc=com" -D "uid=imadmin,ou=people,dc=pep,dc=pvt" -h userstorehostname -p 389 -w <password> \(\&\(state=Texas\)\(country=US\)\)

 

Search Global Users with a Provisioning Role in Provisioning Role:

 

Return dn:

 

dxsearch -b "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=etadb" -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -h provdirhostname -p 20394 -w <password> eTRoleDN=*Role1,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im* dn

 

Return Complete Entry:

 

dxsearch -b "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=etadb" -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -h provdirhostname -p 20394 -w <password> eTRoleDN=*Role1,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im*

 

Count:

 

dxsearch -b "eTGlobalUserContainerName=Global Users,eTNamespaceName=CommonObjects,dc=im,dc=etadb" -D "eTDSAContainerName=DSAs,eTNamespaceName=CommonObjects,dc=etadb" -h provdirhostname -p 20394 -w <password> eTRoleDN=*Role1,eTRoleContainerName=Roles,eTNamespaceName=CommonObjects,dc=im* dxEntryCount

 

 

PS: / is used as escape character in RHEL Command Line. It may not be required in windows command prompt or unix shell scripting.

 

Thanks,

Praveen Jain

Statistics
0 Favorited
4 Views
0 Files
0 Shares
0 Downloads

Tags and Keywords

Comments

01-18-2018 02:37 AM

Very Helpful. Thanks for sharing Praveen. 

Ranga

01-16-2018 03:42 PM

This is very helpful. Thanks for taking the time to share Praveen.

01-04-2018 11:47 PM

Very helpful Praveen. Thanks for sharing

01-04-2018 11:24 AM

Thanks, Praveen.

 

The ldap searches related to provisioning roles and inclusions for an endpoint can be very helpful in preparing for a migration from a lower non-production environment (NPE) to a higher NPE or to a Prod/Pre-Prod environment. The queries are a quick means to validate the migrated directory content.

 

  Kudos for the help.

01-02-2018 03:16 PM

Thanks for sharing Praveen! Very helpful.

Related Entries and Links

No Related Resource entered.