Where you should use the values in the flexVDI Terminal Policy you are debugging:
After -h write the value of "Server IP"
After -p write the value of "Server port".
After -b write the value of "Realm" (this is the point of the ldap tree under which entries will be searched)
After -D write the value of "Proxy user"
After -w write the value of "Proxy password".
Instead of cn (in cn=testUser1) you have to use the value in the "Entry rdn" box. For example, in windows systems you typically use a terminal policy with "Entry rdn==samaccountname", so you would use samaccountname=testUser1 in your command as the search condition.
"cn dn description samaccountname" are some relevant fields in an ldap that we are requesting to be shown.
If everything is right, your line will show you the values of "cn dn description samaccountname" of the entry for the specified user in your directory. Otherwise, you have to tweak the parameters to know what is wrong. For instance:
you can change the search condition from "cn=testUser1" to "*" so that you are shown all the entries in the ldap.
you can use '*' instead of "cn dn description samaccountname" at the end of the line to show all the fields in the ldap.
For security, you should use -W instead of "-w 'yourPassword'" so that you are prompted for the password instead of specifying it at the command line.
Active Directory is a directory service provider that implements the LDAP (Lightweight Directory Access Protocol) application protocol for querying and modifying items in a directory service. It is commonly used in MS Windows environments. Active Directory is supported by flexVDI as user directory server for authenticating users and storing user and group desktop policy configuration.
In most LDAP implementations, cn is the field in the ldap used as id of the users. MS Windows OS uses sAMAccountname field as user name, so if you are using an Active Directory server, you probably want to use sAMAccountname as flexVDI "Entry rdn" so that Windows and flexVDI use thesame field as user name.
When using LDAPS, the ldapsarch command can be instructed about the CA certificate it has to trust, storing it in the environment variable named LDAPTLS_CACERT with a command like:
Q: Users get an error message "Authentication error, contact your system administrator." and the "Test AD/LDAP Authentication" returns "Authentication test failed: Failed to communicate with the LDAP server at ldap.example.com:636.ldap.example.com:636
A: flexVDI Manager does not trust the certificate used by the ldaps server. Some causes for these are:
The server certificate, or any of the certificates in the trust chain up to the CA may have expired.
The server is using a new certificate, and you are using an old versión of flexVDI Manager that does not include recent CA certificates.
Keep in mind that flexVDI Manager runs on a JVM, so it uses the JVM trust store, and not the same trust store that ldapsearch command uses.
For solving this, you can:
Update your flexVDI manager so that it contains more up to date certificate.
Update the trusted certificates of your flexVDI manager VM running: “yum update ca-certificates && systemctl restart flexvdi-manager”