Hi, World
I have one question about my recent work on LDAP.
Why can't I get tokenGroups back, while other attributes come back fine, with the following search against an AD server?
[root@fc11-lab ~]# ldapsearch -x -D "cn=admin,cn=Users,dc=jacky,dc=org,dc=cn" -b "cn=Users,dc=jacky,dc=org,dc=cn" -w 11111111 -H "ldap://x.x.x.x:389" "sAMAccountName=user1" cn whenChanged userPrincipalName tokenGroups
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=jacky,dc=org,dc=cn> with scope subtree
# filter: sAMAccountName=user1
# requesting: cn whenChanged userPrincipalName tokenGroups
#
# search result
search: 2
result: 1 Operations error
text: 00002120: SvcErr: DSID-03140293, problem 5012 (DIR_ERROR), data 0
# numResponses: 1
However, if I do NOT request tokenGroups attribute I get a successful response.
[root@fc11-lab ~]# ldapsearch -x -D "cn=admin,cn=Users,dc=jacky,dc=org,dc=cn" -b "cn=Users,dc=jacky,dc=org,dc=cn" -w 11111111 -H "ldap://x.x.x.x:389" "sAMAccountName=user1" cn whenChanged userPrincipalName
# extended LDIF
#
# LDAPv3
# base <cn=Users,dc=jacky,dc=org,dc=cn> with scope subtree
# filter: sAMAccountName=user1
# requesting: cn whenChanged userPrincipalName
#
# user1, Users, jacky.org.cn
dn: CN=user1,CN=Users,DC=jacky,DC=org,DC=cn
cn: user1
whenChanged: 20121221012448.0Z
userPrincipalName: user1@jacky.org.cn

# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
I do see entry "CN=user1,CN=Users,DC=jacky,DC=org,DC=cn" has the attribute tokenGroups on AD.
Any thoughts? TIA
Thanks,
Jacky
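Added example, not part of Jacky's post and not a list reply: tokenGroups is a constructed attribute that Active Directory only computes for a base-scope search on the object's own DN, so the usual pattern is a second query such as `ldapsearch -x -D "cn=admin,..." -w ... -H ldap://x.x.x.x:389 -b "CN=user1,CN=Users,DC=jacky,DC=org,DC=cn" -s base tokenGroups`. Its values are binary SIDs, which ldapsearch prints base64-encoded in LDIF; the Python below decodes them into S-1-... strings (the sample LDIF and its SIDs are constructed, not captured from Jacky's server).

```python
import base64
import struct


def sid_bytes_to_str(blob: bytes) -> str:
    """Decode a binary SID: revision, sub-authority count, 48-bit big-endian
    identifier authority, then N little-endian 32-bit sub-authorities."""
    if len(blob) < 8:
        raise ValueError("SID too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def unfold_ldif(ldif: str) -> list:
    """Join LDIF continuation lines (leading space) back onto their attribute line."""
    lines = []
    for line in ldif.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def token_groups_from_ldif(ldif: str) -> list:
    """Return every tokenGroups value as an S-1-... string. ldapsearch prints the
    binary attribute base64-encoded with a double colon ('tokenGroups:: ...')."""
    sids = []
    for line in unfold_ldif(ldif):
        if line.startswith("tokenGroups:: "):
            raw = base64.b64decode(line[len("tokenGroups:: "):].strip())
            sids.append(sid_bytes_to_str(raw))
    return sids


# Constructed sample of what a base-scope search would print (not output from the
# post): Everyone, BUILTIN\Administrators, and a fictitious domain group (RID 513).
SAMPLE_LDIF = "\n".join([
    "dn: CN=user1,CN=Users,DC=jacky,DC=org,DC=cn",
    "tokenGroups:: " + base64.b64encode(bytes.fromhex("010100000000000100000000")).decode(),
    "tokenGroups:: " + base64.b64encode(bytes.fromhex("01020000000000052000000020020000")).decode(),
    "tokenGroups:: " + base64.b64encode(
        bytes.fromhex("01050000000000051500000001000000020000000300000001020000")).decode(),
])
```

Running `token_groups_from_ldif` on real ldapsearch output gives the user's effective group SIDs (nested groups included), which is what the subtree search in the post cannot return.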