Ldp |
Applies To: Windows Server 2008
Performs operations such as connect, bind, search, modify, add, delete against any Lightweight Directory Access Protocol (LDAP)-compatible directory, such as Active Directory Domain Services (AD DS). Ldp is an LDAP client that you use to view objects that are stored in AD DS along with their metadata, such as security descriptors and replication metadata.
Note |
Ldp is a graphical user interface (GUI)-based, Windows Explorer–like tool with a scope pane on the left that is used for navigating through the Active Directory namespace, and a details pane on the right that is used for displaying the results of the LDAP operations. Any text that is displayed in the details pane can be selected with the mouse and copied to the Clipboard. |
Ldp is built into Windows Server 2008. It is available if you have the AD DS server role installed. To start ldp, click Start, click Run, type ldp and then click OK.
For examples of how to use this command, see Examples.
Finding required and optional values for an attribute
The schema defines objects as well as the attributes and permissible values for each. Schema classes that contain attribute information about objects can be viewed. To view this information, search cn=Schema,cn=Configuration,dc=ForestRootDomain for classSchema objects.
Understanding bind options for LDAP authentication
There are several authentication methods available in ldp that allow a client to bind to an LDAP server. The best method depends on several factors.
Method |
Description |
Simple |
Cleartext password. Try not to use this, as it is not secure. |
MSN |
MSN (Microsoft Network) authentication. This package brings up a dialog box to prompt the user for MSN credentials. |
DPA |
Normandy authentication, new MSN authentication. Same usage as MSN. |
NTLM |
Windows NT domain authentication. Use NULL credentials and attempt to use default logged-in user credentials. |
Sicily |
Negotiate with the server for any of: MSN, DPA, NTLM. Should be used for LDAPv2 servers only. |
Negotiate |
Use GSSAPI Negotiate package to negotiate security package of either Kerberos V5 or NTLM (or any other package the client and server negotiate). Pass in NULL credentials to specify default logged-in user. If Negotiate package is not installed on server or client, this will fall back to Sicily negotiation. |
Examples
Example 1: Add a new object to an LDAP directory
To add a user to Active Directory by using ldp:
- On the Browse menu, click Add child.
- In the Add dialog box, in the Dn input box, enter the distinguished name of the new object.
- In the Edit Entry section, add the new attributes and values. Click Enter after typing in each attribute and associated value:
Attribute |
Value |
userAccountControl |
512 |
ObjectClass |
User |
SamAccountName |
Testuser2 |
- To add the attribute or value combination to the Entry List box, click Edit.
- To add the information to Active Directory using LDAP APIs when all the attributes are entered, click Run.
Example 2: Search an LDAP directory
To search Active Directory by using ldp:
- On the Browse menu, click Search.
The Search dialog box opens.
In the following searches, the LDAP directory is AD DS. For user names, it contains a givenName attribute for first names, and an attribute of sn for last names.
- To search for all users that have a first name of John and a last name of either Smith or Jones, type the following in the Filter field:
Copy Code |
|
(&(objectClass=user)(givenName=John)(|(sn=Smith)(sn=Jones)))) |
- To search for users that have a last name of Jones, but filter out those users that have a first name of John or Jane, and also filter out users that have not logged on at least 100 times, type the following in the Filter field. (The exclamation point (!) is the NOT operator.)
Copy Code |
|
(&(objectClass=user)(sn=Jones)(!givenName=John)(!givenName=Jane)(!logonCount<=100)) |
- To search for reserved characters as part of an attribute value, you must precede the reserved character with an escape character. Use the following escape characters to represent the associated characters:
Character |
Escape character |
* |
2a |
( |
28 |
) |
29 |
\ |
5c |
NUL |
00 |
- To search for all of the users whose display names end in a close parenthesis character, type the following in the Filter field:
Copy Code |
|
(&(objectClass=user)(displayName=*\29)) |
- To search for all users who have a surname that starts with the letter J, type the following in the Filter field. (Queries support the wildcard character (*).)
Copy Code |
|
(&(objectClass=user)(sn=j*)) |
- To search for users whose home directories are G:\Accounting, type the following in the Filter field. (The attribute name is home-directory.)
Copy Code |
|
(&(objectClass=user)(home-directory=G:\5cACCOUNTING*)) |
Example 3: Control the returns on a search of an LDAP directory
In this example, you use the Search Options dialog box to control which attributes are displayed in a search. Just a few attributes are displayed; the rest are filtered and do not display in the details window of ldp.
To control which attributes display:
- In the Attributes input box, type the attributes to display:
Copy Code |
|
"memberof;range:1-20"objectClass;objectGUID |
Note |
Separate attributes with a semicolon. No spaces are necessary. All other attributes will be filtered out of the display. |
Note |
A range is specified for the memberof attribute. Because a semicolon is used, the entire section must be separated from the rest of the attributes by quotation marks. |
All searches display only the memberof, objectClass, and objectGUID attributes in the details pane. To return all attributes, replace any existing list of attributes with the wildcard character (*).
Example 4: View replication metadata for an object
To list the replication metadata for an object in Active Directory:
- On the Browse menu, point to Replication and then click View Metadata.
The Replication Metadata dialog box opens. - In the Object DN field, enter the distinguished name of the object, and then click OK.
The output will look similar to the output in the following table.
AttID |
Ver |
Loc.USN |
Originating DSA |
Org.USN |
Org.Time/Date |
0 |
1 |
3693 |
9fad4c38-2d76-44b2-84f6-f2fe384f8450 |
3693 |
2000-12-29 09:15.02 |
3 |
1 |
3693 |
9fad4c38-2d76-44b2-84f6-f2fe384f8450 |
3693 |
2000-12-29 09:15.02 |
d |
1 |
3693 |
9fad4c38-2d76-44b2-84f6-f2fe384f8450 |
3693 |
2000-12-29 09:15.02 |
20001 |
1 |
3693 |
9fad4c38-2d76-44b2-84f6-f2fe384f8450 |
3693 |
2000-12-29 09:15.02 |
20002 |
1 |
3693 |
9fad4c38-2d76-44b2-84f6-f2fe384f8450 |
3693 |
2000-12-29 09:15.02 |