Sunday, January 30, 2005

LDP, the LDAP Browser

The Windows Support Tools (in the Support\Tools folder of your Windows CD) include a generic LDAP client that can talk to any RFC-compliant LDAP directory service, not only Active Directory. The tool is an executable called LDP.exe, also known as the LDAP Browser.
LDP is less convenient to use than ADSIEdit, but it has one strong point: it works at the level of raw LDAP operations (connect, bind, search, modify, controls) and shows the operations it sends and the server's responses verbatim in its output pane, where ADSIEdit hides all of that behind a property editor.
Good advice: when working in AD, and especially when securing partitions and the like, use LDP and ADSIEdit together. This way you have the best of both worlds.

Installing LDP:
1. Install the Support Tools.
2. At a client in the domain, open the Run window and enter LDP. This opens the LDP window.
3. Select CONNECTION, then BIND, to open the Bind window.
4. Enter the administrator credentials for the domain or forest. Administrator rights are only needed to change things; reading is a different matter. By default any authenticated domain user can read most objects and attributes in the directory, so LDP shows an ordinary user a great deal, and you should not assume that what you see in it is hidden from the rest of the domain.
5. Click OK. The attributes of the RootDSE object appear in the right pane. RootDSE describes the server rather than its data: which naming contexts (partitions) it holds, the default naming context, and which LDAP versions and controls it supports. (LDP will bind to your logon server. If you want to connect to another server, use the Connect option, where you also choose the port: 389 is plain LDAP, 636 is LDAP over SSL.)

Working with LDP:
1. From the menu, select VIEW, then TREE. This opens the Tree View window.
2. Under BaseDN, enter the distinguished name of the container you want to browse. For example, enter dc=company,dc=com to start at the top of the domain naming context for the Company domain. You can also specify a lower container in Active Directory: for example, select the Users container by entering cn=Users,dc=Company,dc=com. Distinguished names are not case sensitive, so it does not matter if you type everything in lowercase. Leave BaseDN empty to start from RootDSE and see the naming contexts the server holds.
3. Click OK. The left pane now shows the container you entered as the root of the tree. Click the + sign or double-click the name to expand it. Each expansion sends a one-level LDAP search that enumerates the child objects of that container, which are listed in the left pane, and a base search that reads the attributes of the object you expanded, which appear in the right pane.

LDP search for specific attributes:
1. Select BROWSE, then SEARCH, from the main menu to open a search window.
2. In Base DN, enter the distinguished name of the container you want to search. You can enter the DN of the root domain or a tree if you want to search the entire tree. This will take some time in a large enterprise, so go and get some coffee.
3. In Filter, enter the search criteria in LDAP filter syntax: every term is parenthesized, and the Boolean operators & (AND), | (OR) and ! (NOT) come first, before the terms they combine. For example, to find all users in the Sales department, enter (&(objectclass=user)(department=sales)). Note that in Active Directory computer objects are also of objectClass user, so that filter returns computer accounts as well; the usual way to match only user accounts is (&(objectCategory=person)(objectClass=user)(department=sales)).
4. Choose the scope. Base searches only the object named by the base DN. One Level searches the objects directly under it; the base object itself is not returned. Subtree searches the base object and everything below it. A single search cannot span the forest: a domain controller only holds its own domain partition, so you either run the search once per domain with the appropriate base DN, or connect to a global catalog server on port 3268, which holds a read-only copy of every object in the forest but only the subset of attributes that are replicated to the global catalog.

LDP search and using wildcards:
The asterisk is the only wildcard in an LDAP filter, and the filter syntax allows it at the start, in the middle and at the end of a value: department=sal*, department=sal*s and department=*les are all valid filters and Active Directory answers all three. The leading wildcard is the one to avoid: the server cannot serve it from the normal attribute index, so it scans every object in scope, which is slow on a large directory. A value consisting of just * (for example objectclass=*) tests whether the attribute is present at all.
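What LDP does with a base DN, a scope and a filter can be seen without a domain controller. The following is an added example, not code from the original post or from Microsoft's LDP: a small Python evaluator for the filter syntax (&, |, !, equality and * wildcards) and the Base / One Level / Subtree scopes, run over a constructed in-memory directory under dc=company,dc=com. The entries, their attribute values and the short objectCategory values are assumptions made for illustration; real AD stores objectCategory as a schema DN but accepts the class name in filters.

```python
# Added example (not code from the original post): a small LDAP filter
# evaluator with Base / One Level / Subtree scope, run over a constructed
# in-memory directory so the semantics LDP hands to the server can be seen
# without a domain controller. All DNs and values below are made up.
import re


def _user(dept, category="person", extra=()):
    # Attribute names are lower-cased keys; values are lists, as in LDAP.
    # objectcategory holds the short class name; real AD stores the schema DN
    # (CN=Person,CN=Schema,...) but accepts the class name in filters.
    return {"objectclass": ["top", "person", "organizationalPerson", "user", *extra],
            "objectcategory": [category], "department": [dept]}


DIRECTORY = {  # constructed sample entries, keyed by lower-cased DN
    "dc=company,dc=com": {"objectclass": ["top", "domainDNS"]},
    "cn=users,dc=company,dc=com": {"objectclass": ["top", "container"]},
    "cn=computers,dc=company,dc=com": {"objectclass": ["top", "container"]},
    "ou=sales,dc=company,dc=com": {"objectclass": ["top", "organizationalUnit"]},
    "cn=alice,cn=users,dc=company,dc=com": _user("Sales"),
    "cn=bob,cn=users,dc=company,dc=com": _user("Sales support"),
    "cn=carol,ou=sales,dc=company,dc=com": _user("Sales"),
    # A computer account is a subclass of user in AD, so (objectclass=user) hits it.
    "cn=srv01,cn=computers,dc=company,dc=com": _user("Sales", "computer", ["computer"]),
}


def parse_filter(text):
    """Parse e.g. (&(objectclass=user)(department=sales)) into a tuple tree.
    Handles &, | and ! (operator first, operands after it) and attr=value
    terms with * wildcards; no escapes or extensible matching."""
    text = text.strip()
    pos, tree = _parse(text, 0)
    if pos != len(text):
        raise ValueError("unexpected text after filter: %r" % text[pos:])
    return tree


def _parse(s, i):
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    op = s[i + 1:i + 2]
    if op in ("&", "|", "!"):
        i, children = i + 2, []
        while s[i:i + 1] == "(":
            i, child = _parse(s, i)
            children.append(child)
        if s[i:i + 1] != ")" or (op == "!" and len(children) != 1):
            raise ValueError("malformed %s filter" % op)
        return i + 1, (op, children)
    end = s.find(")", i)
    attr, eq, value = s[i + 1:end].partition("=")
    if end < 0 or not attr or not eq:
        raise ValueError("bad term near offset %d" % i)
    return end + 1, ("=", attr.lower(), value)


def _match_value(pattern, value):
    """'*' is the only wildcard and may be initial, medial or final: *les,
    sal*s and sal* are all legal. AD compares most strings case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate(tree, entry):
    """True if the entry's attributes satisfy the parsed filter."""
    op = tree[0]
    if op == "&":
        return all(evaluate(c, entry) for c in tree[1])
    if op == "|":
        return any(evaluate(c, entry) for c in tree[1])
    if op == "!":
        return not evaluate(tree[1][0], entry)
    _, attr, pattern = tree
    # An absent attribute never matches, which makes (attr=*) a presence test.
    return any(_match_value(pattern, v) for v in entry.get(attr, []))


def in_scope(dn, base_dn, scope):
    """base: only the base object. onelevel: its immediate children, not the
    base itself. subtree: the base object and everything below it.
    DNs compare case-insensitively; the samples contain no escaped commas."""
    dn, base_dn = dn.lower(), base_dn.lower()
    if dn == base_dn:
        return scope in ("base", "subtree")
    if not dn.endswith("," + base_dn):
        return False
    if scope == "onelevel":
        return dn.count(",") == base_dn.count(",") + 1
    return scope == "subtree"


def search(base_dn, scope, filter_text, directory=DIRECTORY):
    """Sorted DNs that are in scope and match the filter, like one LDP search."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items()
                  if in_scope(dn, base_dn, scope) and evaluate(tree, entry))
```

With this sample, search("dc=company,dc=com", "subtree", "(&(objectclass=user)(department=sales))") returns alice, carol and the computer srv01, and adding (objectCategory=person) to the filter drops the computer. A onelevel search under cn=Users returns alice and bob but not the Users container itself, a base search returns only the base object, and (department=*les) is accepted and matches the same entries as (department=sal*s), which is what a real directory does too, only slower for the leading wildcard.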

Interested? You can start by reading the following articles:
http://support.microsoft.com/kb/q224543/
http://support.microsoft.com/kb/244344
http://www.jsiinc.com/SUBK/tip5000/rh5081.htm
And for the true die-hards, you can always search Microsoft Technet.
