Ldp

Applies To: Windows Server 2008

Performs operations such as connect, bind, search, modify, add, delete against any Lightweight Directory Access Protocol (LDAP)-compatible directory, such as Active Directory Domain Services (AD DS). Ldp is an LDAP client that you use to view objects that are stored in AD DS along with their metadata, such as security descriptors and replication metadata.

$lib:\\ldp.bmp$ Note

Ldp is a graphical user interface (GUI)-based, Windows Explorer–like tool with a scope pane on the left that is used for navigating through the Active Directory namespace, and a details pane on the right that is used for displaying the results of the LDAP operations. Any text that is displayed in the details pane can be selected with the mouse and copied to the Clipboard.

Ldp is built into Windows Server 2008. It is available if you have the AD DS server role installed. To start ldp, click Start, click Run, type ldp and then click OK.

For examples of how to use this command, see Examples.

Finding required and optional values for an attribute

The schema defines objects as well as the attributes and permissible values for each. Schema classes that contain attribute information about objects can be viewed. To view this information, search cn=Schema,cn=Configuration,dc=ForestRootDomain for classSchema objects.

Understanding bind options for LDAP authentication

There are several authentication methods available in ldp that allow a client to bind to an LDAP server. The best method depends on several factors.

Method	Description
Simple	Cleartext password. Try not to use this, as it is not secure.
MSN	MSN (Microsoft Network) authentication. This package brings up a dialog box to prompt the user for MSN credentials.
DPA	Normandy authentication, new MSN authentication. Same usage as MSN.
NTLM	Windows NT domain authentication. Use NULL credentials and attempt to use default logged-in user credentials.
Sicily	Negotiate with the server for any of: MSN, DPA, NTLM. Should be used for LDAPv2 servers only.
Negotiate	Use GSSAPI Negotiate package to negotiate security package of either Kerberos V5 or NTLM (or any other package the client and server negotiate). Pass in NULL credentials to specify default logged-in user. If Negotiate package is not installed on server or client, this will fall back to Sicily negotiation.

Examples

Example 1: Add a new object to an LDAP directory

To add a user to Active Directory by using ldp:

On the Browse menu, click Add child.
In the Add dialog box, in the Dn input box, enter the distinguished name of the new object.
In the Edit Entry section, add the new attributes and values. Click Enter after typing in each attribute and associated value:

Attribute	Value
userAccountControl	512
ObjectClass	User
SamAccountName	Testuser2

To add the attribute or value combination to the Entry List box, click Edit.
To add the information to Active Directory using LDAP APIs when all the attributes are entered, click Run.

Example 2: Search an LDAP directory

To search Active Directory by using ldp:

On the Browse menu, click Search.

The Search dialog box opens.

In the following searches, the LDAP directory is AD DS. For user names, it contains a givenName attribute for first names, and an attribute of sn for last names.

To search for all users that have a first name of John and a last name of either Smith or Jones, type the following in the Filter field:

	$lib:\\ldp1.bmp$ Copy Code
(&(objectClass=user)(givenName=John)(\|(sn=Smith)(sn=Jones))))

To search for users that have a last name of Jones, but filter out those users that have a first name of John or Jane, and also filter out users that have not logged on at least 100 times, type the following in the Filter field. (The exclamation point (!) is the NOT operator.)

	$lib:\\ldp2.bmp$ Copy Code
(&(objectClass=user)(sn=Jones)(!givenName=John)(!givenName=Jane)(!logonCount<=100))

To search for reserved characters as part of an attribute value, you must precede the reserved character with an escape character. Use the following escape characters to represent the associated characters:

Character	Escape character
*	2a
(	28
)	29
\	5c
NUL	00

To search for all of the users whose display names end in a close parenthesis character, type the following in the Filter field:

	$lib:\\ldp3.bmp$ Copy Code
(&(objectClass=user)(displayName=*\29))

To search for all users who have a surname that starts with the letter J, type the following in the Filter field. (Queries support the wildcard character (*).)

	$lib:\\ldp4.bmp$ Copy Code
(&(objectClass=user)(sn=j*))

To search for users whose home directories are G:\Accounting, type the following in the Filter field. (The attribute name is home-directory.)

	$lib:\\ldp5.bmp$ Copy Code
(&(objectClass=user)(home-directory=G:\5cACCOUNTING*))

Example 3: Control the returns on a search of an LDAP directory

In this example, you use the Search Options dialog box to control which attributes are displayed in a search. Just a few attributes are displayed; the rest are filtered and do not display in the details window of ldp.

To control which attributes display:

In the Attributes input box, type the attributes to display:

	$lib:\\ldp6.bmp$ Copy Code
"memberof;range:1-20"objectClass;objectGUID

$lib:\\ldp7.bmp$ Note

Separate attributes with a semicolon. No spaces are necessary. All other attributes will be filtered out of the display.

$lib:\\ldp8.bmp$ Note

A range is specified for the memberof attribute. Because a semicolon is used, the entire section must be separated from the rest of the attributes by quotation marks.

All searches display only the memberof, objectClass, and objectGUID attributes in the details pane. To return all attributes, replace any existing list of attributes with the wildcard character (*).

Example 4: View replication metadata for an object

To list the replication metadata for an object in Active Directory:

On the Browse menu, point to Replication and then click View Metadata.

The Replication Metadata dialog box opens.
In the Object DN field, enter the distinguished name of the object, and then click OK.

The output will look similar to the output in the following table.

AttID	Ver	Loc.USN	Originating DSA	Org.USN	Org.Time/Date
0	1	3693	9fad4c38-2d76-44b2-84f6-f2fe384f8450	3693	2000-12-29 09:15.02
3	1	3693	9fad4c38-2d76-44b2-84f6-f2fe384f8450	3693	2000-12-29 09:15.02
d	1	3693	9fad4c38-2d76-44b2-84f6-f2fe384f8450	3693	2000-12-29 09:15.02
20001	1	3693	9fad4c38-2d76-44b2-84f6-f2fe384f8450	3693	2000-12-29 09:15.02
20002	1	3693	9fad4c38-2d76-44b2-84f6-f2fe384f8450	3693	2000-12-29 09:15.02

Additional references

Command-Line Syntax Key