samkhya.cloud :: ad-sandbox

AD Sandbox Directory

AD-oriented LDAP lab for Harbor, MSR, and MKE testing with Global groups, Domain Local groups, nested membership, and reusable bind accounts.

Harbor / MSR4 Setup
Directory Type: Samba Active Directory
LDAP URL: ldaps://ad-sandbox.samkhya.cloud:636
Base DN: DC=ad-sandbox,DC=samkhya,DC=cloud
LDAP Search DN: svc.harborbind@ad-sandbox.samkhya.cloud
LDAP UID: sAMAccountName
LDAP Scope: Subtree
Group Base DN: OU=Groups,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud
Group Filter: (objectClass=group)
Group Membership: member
Working repro query: (&(objectClass=group)(|(cn=GG-Harbor-DirectUser)(cn=DL-Harbor-DirectUser)(cn=DL-Harbor-NestedTarget)))

Endpoints

Public and internal connection targets for external product testing and in-cluster troubleshooting.

External LDAPS: ldaps://ad-sandbox.samkhya.cloud:636
Internal LDAP: ldap://ad-sandbox.ad-sandbox.svc.cluster.local:389
Internal Global Catalog: ldap://ad-sandbox.ad-sandbox.svc.cluster.local:3268

Active OUs

AD layout is intentionally compact: one lab OU, one user OU, one group OU, and one service account OU.

Lab: OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud
Users: OU=Users,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud
Groups: OU=Groups,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud
Service Accounts: OU=Service Accounts,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud

Test Users

Public inventory only. Passwords are intentionally redacted on the web page.

| Username | Password | Full Name | Search Base |
| --- | --- | --- | --- |
| lab.hannah | [REDACTED] | Hannah Harbor | OU=Users,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud |
| eng.fry | [REDACTED] | Philip Fry | OU=Users,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud |
| ops.leela | [REDACTED] | Turanga Leela | OU=Users,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud |
| qa.amy | [REDACTED] | Amy Wong | OU=Users,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud |
| ro.lucas | [REDACTED] | Lucas Light | OU=Users,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud |
| svc.harborbind | [REDACTED] | Harbor Bind | OU=Service Accounts,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud |

Group Layout

This sandbox intentionally includes both direct and nested AD group cases for Harbor and MSR authorization testing.

| Group | Scope | Members / Purpose |
| --- | --- | --- |
| CN=GG-Harbor-DirectUser,OU=Groups,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud | Global | lab.hannah direct membership repro |
| CN=DL-Harbor-DirectUser,OU=Groups,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud | Domain Local | lab.hannah direct membership repro |
| CN=GG-Harbor-NestedSource,OU=Groups,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud | Global | lab.hannah nested source |
| CN=DL-Harbor-NestedTarget,OU=Groups,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud | Domain Local | contains GG-Harbor-NestedSource |
| CN=DL-MSR-ProjectA,OU=Groups,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud | Domain Local | contains GG-Engineering and GG-Harbor-NestedSource |
| CN=DL-MSR-ProjectB,OU=Groups,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud | Domain Local | ops.leela direct membership |

Harbor Repro

The seeded `lab.hannah` user is present in one Global group, one Domain Local group, and one nested Global-to-Domain-Local chain.

Expected pattern
memberOf should show GG-Harbor-DirectUser and DL-Harbor-DirectUser.
DL-Harbor-NestedTarget is the AD-specific nested case that may diverge if an app does direct LDAP comparison instead of AD transitive evaluation.
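
The divergence described above, worked through offline as an added example (not part of the sandbox or of Harbor/MSR code). The Group Layout table is modeled as a constructed dictionary keyed by CN, and GG-Engineering is assumed empty because the page does not list its members.

```python
# Constructed model of the sandbox's group table (CNs only). Each group maps
# to its "member" values. GG-Engineering's members are not listed on the page,
# so it is left empty here (assumption).
MEMBERS = {
    "GG-Harbor-DirectUser": {"lab.hannah"},
    "DL-Harbor-DirectUser": {"lab.hannah"},
    "GG-Harbor-NestedSource": {"lab.hannah"},
    "DL-Harbor-NestedTarget": {"GG-Harbor-NestedSource"},
    "DL-MSR-ProjectA": {"GG-Engineering", "GG-Harbor-NestedSource"},
    "DL-MSR-ProjectB": {"ops.leela"},
    "GG-Engineering": set(),
}


def direct_groups(principal):
    """Groups whose member attribute names the principal itself."""
    return {g for g, members in MEMBERS.items() if principal in members}


def transitive_groups(principal):
    """Groups reachable by following group-in-group membership upward."""
    found, queue = set(), [principal]
    while queue:
        current = queue.pop()
        for group in direct_groups(current):
            if group not in found:  # also guards against membership cycles
                found.add(group)
                queue.append(group)
    return found


def nested_only(principal):
    """Groups an app misses if it compares only the direct member attribute."""
    return transitive_groups(principal) - direct_groups(principal)


if __name__ == "__main__":
    for user in ("lab.hannah", "ops.leela"):
        print(user, "direct:", sorted(direct_groups(user)))
        print(user, "nested only:", sorted(nested_only(user)))
```

Any group in the `nested_only` result is one where the application's authorization decision depends on whether it resolves nesting; comparing that set against the roles the application actually grants shows which evaluation it performs.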

LDAP Queries

Use these to compare what the directory exposes versus what the application actually authorizes.

User Query

```sh
ldapsearch -x -H ldaps://ad-sandbox.samkhya.cloud:636 \
  -D "svc.harborbind@ad-sandbox.samkhya.cloud" \
  -w '[REDACTED]' \
  -b "DC=ad-sandbox,DC=samkhya,DC=cloud" \
  "(&(objectClass=user)(sAMAccountName=lab.hannah))" \
  distinguishedName memberOf
```

Group Query

```sh
ldapsearch -x -H ldaps://ad-sandbox.samkhya.cloud:636 \
  -D "svc.harborbind@ad-sandbox.samkhya.cloud" \
  -w '[REDACTED]' \
  -b "OU=Groups,OU=Lab,DC=ad-sandbox,DC=samkhya,DC=cloud" \
  "(&(objectClass=group)(|(cn=GG-Harbor-DirectUser)(cn=DL-Harbor-DirectUser)(cn=DL-Harbor-NestedTarget)))" \
  cn member groupType
```