Ldp


Applies To: Windows Server 2008

Performs operations such as connect, bind, search, modify, add, delete against any Lightweight Directory Access Protocol (LDAP)-compatible directory, such as Active Directory Domain Services (AD DS). Ldp is an LDAP client that you use to view objects that are stored in AD DS along with their metadata, such as security descriptors and replication metadata.

Note

Ldp is a graphical user interface (GUI)-based, Windows Explorer–like tool with a scope pane on the left that is used for navigating through the Active Directory namespace, and a details pane on the right that is used for displaying the results of the LDAP operations. Any text that is displayed in the details pane can be selected with the mouse and copied to the Clipboard.

Ldp is built into Windows Server 2008. It is available if you have the AD DS server role installed. To start ldp, click Start, click Run, type ldp and then click OK.

For examples of how to use this command, see Examples.

Finding required and optional values for an attribute

The schema defines objects as well as the attributes and permissible values for each. Schema classes that contain attribute information about objects can be viewed. To view this information, search cn=Schema,cn=Configuration,dc=ForestRootDomain for classSchema objects.

Understanding bind options for LDAP authentication

There are several authentication methods available in ldp that allow a client to bind to an LDAP server. The best method depends on several factors.

Method

Description

Simple

Cleartext password. Try not to use this, as it is not secure.

MSN

MSN (Microsoft Network) authentication. This package brings up a dialog box to prompt the user for MSN credentials.

DPA

Normandy authentication, new MSN authentication. Same usage as MSN.

NTLM

Windows NT domain authentication. Use NULL credentials and attempt to use default logged-in user credentials.

Sicily

Negotiate with the server for any of: MSN, DPA, NTLM. Should be used for LDAPv2 servers only.

Negotiate

Use GSSAPI Negotiate package to negotiate security package of either Kerberos V5 or NTLM (or any other package the client and server negotiate). Pass in NULL credentials to specify default logged-in user. If Negotiate package is not installed on server or client, this will fall back to Sicily negotiation.

Examples

Example 1: Add a new object to an LDAP directory

To add a user to Active Directory by using ldp:

  1. On the Browse menu, click Add child.

  2. In the Add dialog box, in the Dn input box, enter the distinguished name of the new object.

  3. In the Edit Entry section, add the new attributes and values. Click Enter after typing in each attribute and associated value:

Attribute

Value

userAccountControl

512

ObjectClass

User

SamAccountName

Testuser2

  1. To add the attribute or value combination to the Entry List box, click Edit.

  2. To add the information to Active Directory using LDAP APIs when all the attributes are entered, click Run.

Example 2: Search an LDAP directory

To search Active Directory by using ldp:

In the following searches, the LDAP directory is AD DS. For user names, it contains a givenName attribute for first names, and an attribute of sn for last names.


Copy Code

(&(objectClass=user)(givenName=John)(|(sn=Smith)(sn=Jones))))


Copy Code

(&(objectClass=user)(sn=Jones)(!givenName=John)(!givenName=Jane)(!logonCount<=100))

Character

Escape character

*

2a

(

28

)

29

\

5c

NUL

00


Copy Code

(&(objectClass=user)(displayName=*\29))


Copy Code

(&(objectClass=user)(sn=j*))


Copy Code

(&(objectClass=user)(home-directory=G:\5cACCOUNTING*))

Example 3: Control the returns on a search of an LDAP directory

In this example, you use the Search Options dialog box to control which attributes are displayed in a search. Just a few attributes are displayed; the rest are filtered and do not display in the details window of ldp.

To control which attributes display:


Copy Code

"memberof;range:1-20"objectClass;objectGUID

Note

Separate attributes with a semicolon. No spaces are necessary. All other attributes will be filtered out of the display.

Note

A range is specified for the memberof attribute. Because a semicolon is used, the entire section must be separated from the rest of the attributes by quotation marks.

All searches display only the memberof, objectClass, and objectGUID attributes in the details pane. To return all attributes, replace any existing list of attributes with the wildcard character (*).

Example 4: View replication metadata for an object

To list the replication metadata for an object in Active Directory:

  1. On the Browse menu, point to Replication and then click View Metadata.

    The Replication Metadata dialog box opens.

  2. In the Object DN field, enter the distinguished name of the object, and then click OK.

    The output will look similar to the output in the following table.

AttID

Ver

Loc.USN

Originating DSA

Org.USN

Org.Time/Date

0

1

3693

9fad4c38-2d76-44b2-84f6-f2fe384f8450

3693

2000-12-29 09:15.02

3

1

3693

9fad4c38-2d76-44b2-84f6-f2fe384f8450

3693

2000-12-29 09:15.02

d

1

3693

9fad4c38-2d76-44b2-84f6-f2fe384f8450

3693

2000-12-29 09:15.02

20001

1

3693

9fad4c38-2d76-44b2-84f6-f2fe384f8450

3693

2000-12-29 09:15.02

20002

1

3693

9fad4c38-2d76-44b2-84f6-f2fe384f8450

3693

2000-12-29 09:15.02

Additional references

Command-Line Syntax Key