
Tools

The following section covers several LDAP-based tools that should be in every Active Directory administrator's toolbox. These commonly available tools not only let administrators view information in Active Directory via LDAP, but also add, modify, and delete data in the directory. Because each of them talks plain LDAP to a domain controller, they are just as useful for verifying what a given account can actually see and change in the directory as they are for day-to-day administration.

LDAP Browser

The LDAP Browser is, as its name implies, a tool to browse the LDAP directory structure. The LDAP Browser is a Java application that requires Java 1.2 or greater to be installed. It has become widely used in the LDAP community because of its platform and directory independence. Figure 3.1 shows the login screen for the administrator account. Figure 3.2 shows the attributes returned after searching for the administrator user object. For more information, see http://www-unix.mcs.anl.gov/~gawor/ldap/.

Figure 3.1 Login screen for administrator account.

Figure 3.2 Attributes for administrator user object.

Active Directory Administration Tool (LDP)

The Active Directory Administration Tool, or LDP as it is more commonly known, is a crude yet powerful and feature-rich tool for querying and viewing information in Active Directory via LDAP. While LDP is not as easy to navigate as the LDAP Browser, it does have additional functionality, such as the ability to view replication metadata and security descriptors for objects. One of the nice things about LDP, especially if you are just becoming familiar with the LDAP API, is that the right frame displays the LDAP calls that it is making for each action. Figures 3.3 and 3.4 show how to connect and bind as the administrator account. Note that the bind dialog lets you choose the bind method: a Simple bind sends the password across the network in cleartext unless you connected over SSL (port 636), so use the default SSPI/Negotiate bind unless you have a specific reason not to. Figure 3.5 shows how LDP displays attributes for objects, in this case, for the administrator user object. LDP is available in the Windows 2000 Support Tools, which can be found on the Windows 2000 Server or Advanced Server CD-ROM in the \support\tools folder.

Figure 3.3 Connecting to dc1.xyz.com.

Figure 3.4 Binding as administrator.

Figure 3.5 Attributes for administrator user object.

LDIF Directory Exchange (LDIFDE)

The LDIF Directory Exchange (LDIFDE) is a great tool for importing and exporting data via LDIF. More information is available on LDIF later in the chapter. The following example shows how a user object can be created using LDIFDE. Two things are worth knowing before running it: the record sets neither a password nor a userAccountControl value, so the new account is created disabled, and LDIFDE cannot set a password over a plaintext connection, because the unicodePwd attribute can only be written over an SSL/TLS-protected session. Also note the "Logging in as current user using SSPI" line in the output: the import runs with the credentials of whoever typed the command, so the account must already have rights to create objects in the target container.

C:\>type jdoe.ldif
# Add a new entry
dn: cn=jdoe, cn=users, dc=xyz, dc=com
changetype: add
objectclass: user
cn: jdoe
samaccountname: jdoe
userprincipalname: jdoe@xyz.com
sn: Doe
givenname: john
telephonenumber: +1 408 555 1212
C:\>ldifde -i -f jdoe.ldif
Connecting to "dc1.xyz.com"
Logging in as current user using SSPI
Importing directory from file "jdoe.ldif"
Loading entries..
1 entry modified successfully.
The command has completed successfully

LDIFDE also has searching capability. It can provide an easy means to test and view results for a query. By default, all available attributes that the caller is permitted to read are returned for matching objects, but a subset of attributes can be specified with the -l option if required. The example below shows a search for all user objects that have a last name of "allen"; the output will be sent to "allen.ldif."

C:\>ldifde -f allen.ldif -r "(&(objectclass=user)(objectcategory=User)(sn=allen))"
Connecting to "dc1.xyz.com"
Logging in as current user using SSPI
Exporting directory to file allen.ldif
Searching for entries...
Writing out entries.
1 entries exported

The command has completed successfully.

C:\>type allen.ldif
dn: CN=rallen,CN=Users,DC=xyz,DC=com
changetype: add
accountExpires: 9223372036854775807
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: rallen
countryCode: 0
displayName: Robbie C. Allen
givenName: Robbie
initials: C
instanceType: 4
lastLogoff: 0
lastLogon: 0
logonCount: 0
distinguishedName: CN=rallen,CN=Users,DC=xyz,DC=com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=xyz,DC=com
objectClass: user
objectGUID:: na8r9cjKC0KzTpl+5r4NQw==
objectSid:: AQUAAAAAAAUVAAAAh0irbVS9SKG+x7O/XQQAAA==
primaryGroupID: 513
pwdLastSet: 126405152801406250
name: rallen
sAMAccountName: rallen
sAMAccountType: 805306368
sn: Allen
userAccountControl: 512
userPrincipalName: rallen@xyz.com
uSNChanged: 73062
uSNCreated: 73058
whenChanged: 20010725061440.0Z
whenCreated: 20010725061435.0Z
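The export above is useful as a record, but several of its values are opaque as written: objectSid and objectGUID are base64-encoded binary (the "::" separator), pwdLastSet and accountExpires are Windows FILETIME counts of 100-nanosecond intervals since 1601, and userAccountControl is a bit mask. The following added example (not code from the book or from LDIFDE) parses LDIF as the import and export examples in this section use it, including comment lines, folded continuation lines and base64 values, and decodes those attributes into readable form. The sample record is constructed from the rallen export shown above, with the objectCategory value folded across two lines to exercise continuation handling; the helper and attribute names are the example's own.

```python
import base64
import struct
import uuid
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the rallen export from the text, with
# objectCategory folded onto a second line (RFC 2849 continuation lines
# begin with a single space) to show that case being handled.
SAMPLE_LDIF = """\
# exported by ldifde -f allen.ldif -r "(&(objectclass=user)(sn=allen))"
dn: CN=rallen,CN=Users,DC=xyz,DC=com
changetype: add
accountExpires: 9223372036854775807
objectCategory: CN=Person,CN=Schema,CN=Configuration,
 DC=xyz,DC=com
objectClass: user
objectGUID:: na8r9cjKC0KzTpl+5r4NQw==
objectSid:: AQUAAAAAAAUVAAAAh0irbVS9SKG+x7O/XQQAAA==
primaryGroupID: 513
pwdLastSet: 126405152801406250
sAMAccountName: rallen
userAccountControl: 512
whenChanged: 20010725061440.0Z
"""

# Selected userAccountControl bits (values are the documented ADS_UF_* flags).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_NEVER = 0x7FFFFFFFFFFFFFFF  # 9223372036854775807, "never" for accountExpires


def _unfold(text):
    """Join continuation lines (leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF into a list of records, each a dict of attribute -> [values].
    Plain values are returned as str; '::' base64 values as bytes."""
    records, rec = [], {}
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if line == "":                      # blank line terminates a record
            if rec:
                records.append(rec)
                rec = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed LDIF line: %r" % line)
        if value.startswith(":"):           # "attr:: <base64>"
            decoded = base64.b64decode(value[1:].strip())
        elif value.startswith("<"):         # "attr:< file:///..." (not needed here)
            raise ValueError("URL-valued attributes are not supported")
        else:
            decoded = value.lstrip(" ")
        rec.setdefault(name, []).append(decoded)
    if rec:
        records.append(rec)
    return records


def sid_to_string(blob):
    """Binary SID -> 'S-1-5-21-...': revision, sub-authority count, 48-bit
    big-endian identifier authority, then little-endian DWORD sub-authorities."""
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def filetime_to_datetime(value):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime.
    0 (unset) and the maximum value (never) both return None."""
    n = int(value)
    if n in (0, FILETIME_NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=n // 10)


def decode_uac(value):
    n = int(value)
    return [name for bit, name in sorted(UAC_FLAGS.items()) if n & bit]


def summarize(record):
    """Decode the binary and numeric attributes of one exported user record."""
    return {
        "dn": record["dn"][0],
        "objectCategory": record["objectCategory"][0],
        "sid": sid_to_string(record["objectSid"][0]),
        "guid": str(uuid.UUID(bytes_le=record["objectGUID"][0])),
        "uac": decode_uac(record["userAccountControl"][0]),
        "pwdLastSet": filetime_to_datetime(record["pwdLastSet"][0]),
        "accountExpires": filetime_to_datetime(record["accountExpires"][0]),
    }


if __name__ == "__main__":
    for rec in parse_ldif(SAMPLE_LDIF):
        for key, val in summarize(rec).items():
            print("%-15s %s" % (key, val))
```

Two checks fall out of the decoded values: the RID at the end of the SID (1117) is above 1000, so this is an ordinary created account rather than a well-known one, and the decoded pwdLastSet (2001-07-25 06:14:40 UTC) agrees with the whenChanged timestamp in the same export, which is a quick way to confirm the FILETIME arithmetic.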