This chapter is from the book
This chapter is from the book
This chapter is from the book
Tools
The following section covers several LDAP-based tools that should be in every Active Directory administrator's toolbox. These commonly available tools not only give administrators the ability to view information in Active Directory via LDAP, but also add, modify, and delete data in the directory.
LDAP Browser
The LDAP Browser is, as its name implies, a tool to browse the LDAP directory structure. The LDAP Browser is a Java application that requires Java 1.2 or greater to be installed. It has become widely used in the LDAP community because of its platform and directory independence. Figure 3.1 shows the login screen for the administrator account. Figure 3.2 shows the attributes returned after searching for the administrator user object. For more information, see http://www-unix.mcs.anl.gov/~gawor/ldap/.
){kind=link}
){kind=link}
Figure 3.1 Login screen for administrator account.
Figure 3.2 Attributes for administrator user object.
Active Directory Administration Tool (LDP)
The Active Directory Administration Tool, or LDP as it is more commonly known, is a crude yet powerful and feature rich tool for querying and viewing information in Active Directory via LDAP. While LDP is not as easy to maneuver around as the LDAP Browser, it does have additional functionality, such as the ability to view replication metadata and security descriptors for objects. One of the nice things about LDP, especially if you are just becoming familiar with the LDAP API, is that the right frame displays the LDAP calls that it is making for each action. Figures 3.3 and 3.4 show how to connect and bind as the administrator account. Figure 3.5 shows how LDP displays attributes for objects, in this case, for the administrator user object. LDP is available in the Windows 2000 Support Tools, which can be found on the Windows 2000 Server or Advanced Server CD-ROM in the \support\tools folder.
){kind=link}
){kind=link}
){kind=link}
Figure 3.3 Connecting to dc1.xyz.com.
Figure 3.4 Binding as administrator.
Figure 3.5 Attributes for administrator user object.
LDIF Directory Exchange (LDIFDE)
The LDIF Directory Exchange (LDIFDE) is a great tool for importing and exporting data via LDIF. More information is available on LDIF later in the chapter. The following example shows how a user object can be created using LDIFDE.
C:\>type jdoe.ldif # Add a new entry dn: cn=jdoe, cn=users, dc=xyz, dc=com changetype: add objectclass: user cn: jdoe samaccountname: jdoe userprincipalname: jdoe@xyz.com sn: Doe givenname: john telephonenumber: +1 408 555 1212
C:\>ldifde -i -f jdoe.ldif Connecting to "dc1.xyz.com" Logging in as current user using SSPI Importing directory from file "jdoe.ldif" Loading entries.. 1 entry modified successfully. The command has completed successfully
LDIFDE also has searching capability. It can provide an easy means to test and view results for a query. By default, all available attributes are returned for matching objects, but a subset of attributes can be specified if required. The example below shows a search for all user objects that have a last name of "allen"; the output will be sent to "test.ldf."
C:\>ldifde -f allen.ldif -r "(&(objectclass=user)(objectcategory=User)(sn=allen))"
Connecting to "dc1.xyz.com" Logging in as current user using SSPI Exporting directory to file allen.ldif Searching for entries... Writing out entries. 1 entries exported
The command has completed successfully.
C:\>type allen.ldif dn: CN=rallen,CN=Users,DC=xyz,DC=com changetype: add accountExpires: 9223372036854775807 badPasswordTime: 0 badPwdCount: 0 codePage: 0 cn: rallen countryCode: 0 displayName: Robbie C. Allen givenName: Robbie initials: C instanceType: 4 lastLogoff: 0 lastLogon: 0 logonCount: 0 distinguishedName: CN=rallen,CN=Users,DC=xyz,DC=com objectCategory: N=Person,CN=Schema,CN=Configuration,DC=xyz,DC=com objectClass: user objectGUID:: na8r9cjKC0KzTpl+5r4NQw== objectSid:: AQUAAAAAAAUVAAAAh0irbVS9SKG+x7O/XQQAAA== primaryGroupID: 513 pwdLastSet: 126405152801406250 name: rallen sAMAccountName: rallen sAMAccountType: 805306368 sn: Allen userAccountControl: 512 userPrincipalName: rallen@xyz.com uSNChanged: 73062 uSNCreated: 73058 whenChanged: 20010725061440.0Z whenCreated: 20010725061435.0Z