MORE INFORMATION
Connecting and Binding to the Directory
To query most directories by using the LDP utility, you must first connect to the directory and then bind to the directory to authenticate yourself to the directory.
Connecting to the Directory
If you click Connect on the Connections menu, a dialog box is displayed in which you can type a directory server name. If you click OK without specifying a server, LDP connects you to the last server that you accessed, or to your logon server (the domain controller that authenticated you). To determine your logon server, type SET at a command prompt and look for the LOGONSERVER variable.
After you connect, the directory sends "RootDSE" information about itself. The following is a truncated example of RootDSE information:
ld = ldap_open("win2000-dc-01", 389);
Established connection to win2000-dc-01.
Retrieving base DSA information...
Result <0>: (null)
Matched DNs:
Getting 1 entries:
>> Dn:
1> currentTime: 2/24/2000 20:30:12 Pacific Standard Time Pacific Daylight Time;
3> namingContexts: DC=redmond,DC=wa,DC=microsoft,DC=com; CN=Schema,CN=Configuration,DC=wa,DC=microsoft,DC=com; CN=Configuration,DC=wa,DC=microsoft,DC=com;
1> defaultNamingContext: DC=redmond,DC=wa,DC=microsoft,DC=com;
1> rootDomainNamingContext: DC=corp,DC=microsoft,DC=com;
2> supportedLDAPVersion: 3; 2;
1> dnsHostName: WIN2000-DC-01.redmond.wa.microsoft.com;
RootDSE information provides what you need to begin to browse the directory. It is returned before you bind, so it can be read without credentials, and it tells anyone who can reach the server the domain and forest naming contexts and the server's DNS host name. Pay special attention to the defaultNamingContext entry: it is the domain partition that LDP uses as the default base DN for tree views and searches.
NOTE: No RootDSE information is generated if you disable the Auto Base DN Query option. To disable it, click General in the Options dialog box, and then clear the Auto Base DN Query check box. If you disable this option, you also prevent LDP from automatically connecting to your logon server.
Binding to the Directory
If you click Bind on the Connections menu, you can authenticate yourself to the directory. Connecting establishes communication, but you have not yet presented any credentials. Most directories provide very limited access to their information until you authenticate by using the Bind option on the Connections menu.
NOTE: If you select the Connectionless check box in the Connect dialog box, LDP uses connectionless LDAP over UDP, which does not support binding. An attempt to bind fails with the following error message:
Error <2>: ldap_bind_s() failed: Protocol Error
After you bind to the directory, the information that is displayed depends on the permissions that are assigned to the account you bound with. Parts of the directory tree and attributes of specific objects to which you are denied access are simply not displayed. Do not assume that because you cannot see an object or attribute, the object or attribute does not exist.
An LDAP directory is organized in a hierarchy that is similar to the hierarchy of folders in a file system. The following entry is similar to a file system path:
DC=redmond,DC=wa,DC=microsoft,DC=com
Read from right to left, the components are nested like folders: com contains microsoft, which contains wa, which contains redmond. A distinguished name (DN) names the most specific component first, which is the reverse of a file system path.
Containers and objects in a directory are of specific types. Among the most commonly used types are DC (Domain Component), CN (Common Name), and OU (Organizational Unit). You must use the correct type when you refer to a container or object in an LDAP query; CN=Users and OU=Users name different objects.
Viewing the Directory Tree Structure
On the View menu, click Tree. You are prompted to supply a base Distinguished Name (DN). If the Auto Base DN Query option is enabled, click OK to use the defaultNamingContext as your relative tree root. You can also type a base DN, or copy and paste one from the RootDSE information.
The directory tree is displayed in the left pane of the LDP utility, and you can expand it to look at subcontainers and objects. When you double-click an object in the directory tree, its attributes are displayed in the results pane on the right. Results are formatted differently depending on whether the Value Parsing option is set to String or Binary. (To set the Value Parsing option, click General in the Options dialog box, and then change the Value Parsing option.) To browse most attributes, the String setting provides more readable formatting. With string formatting, however, attributes whose values are binary (objectGUID and objectSid, for example) are shown as a placeholder rather than as their contents. If you need to see the actual data for these attributes, switch to binary value parsing.
Older results scroll out of the results buffer to make room for new information. Under Buffer Size, increase the Page value to retain more information. (To change the Buffer Size option, click General in the Options dialog box, and then under Buffer Size, change the Page value as necessary.) You can save the current results as plain text by clicking Connections, and then clicking Save As.
You can clear your search results buffer by clicking Connections, and then clicking New. This does not unbind you from your current server.
Searching for Objects
If you want to export the entire contents of a large directory, the LDP utility is not the most effective tool. You can use the LDIFDE utility to export entries from Active Directory. For additional information about the LDIFDE utility, click the article number below to view the article in the Microsoft Knowledge Base:
237677 Using LDIFDE to Import/Export Directory Objects to the Active Directory
The Exchange Server Administrator program in Exchange Server version 5.5 has its own bulk export facilities. For additional information about frequently asked questions on Exchange Server 5.5 import and export, click the article number below to view the article in the Microsoft Knowledge Base:
155414 XADM: Bulk Import/Export FAQ
The LDP utility is very useful for searching and filtering on specific objects if you understand its query syntax.
When you click Search on the Browse menu, a dialog box is displayed in which you can set the Base DN, Filter, and Scope settings for your query.
The Base DN setting defines where in the directory tree the search begins. In the file system folder analogy, the Base DN setting defines the subfolder at which the search begins. The most commonly used base DN for an Active Directory search is the CN=Users,DC=... container.
NOTE: You can copy and paste from RootDSE information or other results information to avoid typing long base DN values.
The Scope setting determines how far down in the directory tree to search. By default, the Scope is set to One Level, which is like searching the current folder in a file system. A one-level search does not include the base DN object itself. To see the attributes of the base DN object, you must set the Scope to Base, or double-click the base object in the directory tree view. If you set the Scope to Subtree, it is like searching the current folder and all of its subfolders.
The Filter box allows you to construct queries. The following table lists the most commonly used LDAP query operators.
  &    logical AND
  |    logical OR
  !    logical NOT
  =    equal to
  ~=   approximately equal to
  >=   greater than or equal to
  <=   less than or equal to
Most people find that the syntax of LDAP queries takes some getting used to, because operators are placed before their operands rather than between them (prefix notation). If arithmetic used this style, 2 + 2 would be written (+(2)(2)).
All of the query filters are enclosed by opening and closing parentheses. Complex filters often contain several nested levels of parentheses. You must be sure that you supply all of the required parentheses, or your search does not work.
The logical AND and OR operators always refer to two or more search terms, and are placed before the terms that they affect. A simple visual rule may help you use AND and OR correctly; AND and OR should always be immediately followed by an open parenthesis, rather than placed directly next to an attribute name.
For example, if you want to search for all of the users who have first names of John AND last names of either Smith OR Jones, the filter is similar to the following:
(&(objectClass=user)(givenName=John)(|(sn=Smith)(sn=Jones)))
The ! sign (the NOT operator) applies to a single term, which is itself enclosed in parentheses, as in the following example:
(&(objectClass=user)(sn=Jones)(!(givenName=John))(!(givenName=Jane))(!(logonCount<=100)))
The above filter finds users who have the surname Jones, whose given name is neither John nor Jane, and who have logged on more than 100 times. Be careful with negated comparisons in Active Directory: a comparison against an attribute that an object does not have evaluates to false, so its negation is true, and a user who has no logonCount value at all also matches this filter.
Queries also support asterisk wildcards. The following search returns all of the users who have surnames that start with the letter J:
(&(objectClass=user)(sn=j*))
Whether a match is case sensitive depends on the attribute's syntax in the schema; for the string attributes you are most likely to search (names, descriptions, e-mail addresses) it is not. You can search by using leading and trailing asterisks (*string*) to find substrings in the middle of a value, but such searches cannot make efficient use of the attribute's index and take much longer to complete. When possible, use either a leading or trailing wildcard character, but not both.
You can use a wildcard by itself to test for the existence or absence of a given attribute. If you want to find all of the users who do not have an Exchange Server mailbox, you can find them by using the following query, because these users lack an msExchHomeServerName value:
(&(objectClass=user)(!(msExchHomeServerName=*)))
The escape character in a query is the backslash (\). This is a reserved character, along with *, (, ) and NUL. To search for a reserved character as part of an attribute value, you must replace it with the escape character followed by its two-digit hexadecimal code:
  *    \2a
  (    \28
  )    \29
  \    \5c
  NUL  \00
For example, if you want to search for all of the users whose display names end in a close parenthesis character, use the following search:
(&(objectClass=user)(displayName=*\29))
If you want to find users whose home directories start with G:\Accounting, use the following search (the filter must use the attribute's LDAP display name, which in Active Directory is homeDirectory, not the common name Home-Directory):
(&(objectClass=user)(homeDirectory=G:\5cAccounting*))
In an LDAP query, a backslash always introduces an escape sequence, never an actual backslash. Because the reserved characters control the structure of the filter, any value that you did not type yourself (for example, text supplied by a user to a script or application) must be escaped before it is placed in a filter; otherwise it can change the meaning of the query.
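The following Python module is added here as an example; it is not part of this article or of the LDP utility. It implements the filter rules described above (prefix operators, wildcards, presence tests, the NOT operator, and the backslash escape codes from the table), parses a filter into a tree, and evaluates it against a few constructed directory entries in a fictitious DC=example,DC=com domain (every name and attribute value is made up). It mirrors the Active Directory behaviour that a comparison on an attribute the object lacks is false, so its negation matches, and it shows why user-supplied text must be escaped before it is placed in a filter.

```python
"""RFC 4515 LDAP filters: escape, parse, evaluate.  Added example, not part of the KB
article or of LDP; all entries are constructed.  Mirrors Active Directory in one point:
a comparison on an attribute the object lacks is false, so its negation matches."""
import re

_ESCAPES = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\x00": r"\00"}  # table above
_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(~=|>=|<=|=)(.*)", re.S)

def escape_value(value):
    """Escape a literal so it cannot change filter structure (the LDAP injection fix)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def _unescape(s):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)

def parse_filter(text):
    """Parse into ('&'|'|', [nodes]), ('!', [node]) or (op, attr, value); ValueError if malformed."""
    def node(pos):                        # returns (tree, offset just past the closing paren)
        if text[pos:pos + 1] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        head, pos = text[pos + 1:pos + 2], pos + 1
        if head in ("&", "|"):            # prefix operator, then one or more parenthesised items
            items, pos = [], pos + 1
            while text[pos:pos + 1] == "(":
                item, pos = node(pos)
                items.append(item)
            result = (head, items)
        elif head == "!":                 # RFC 4515: the negated item is itself parenthesised
            item, pos = node(pos + 1)
            result = ("!", [item])
        else:
            end = text.find(")", pos)     # a literal ')' inside a value is written \29
            m = _ITEM.fullmatch(text[pos:end]) if end >= 0 else None
            if not m:
                raise ValueError(f"malformed item at offset {pos}")
            result, pos = (m.group(2), m.group(1), m.group(3)), end
        if text[pos:pos + 1] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return result, pos + 1
    tree, end = node(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def _compare(op, pattern, values):
    if op == "=":
        if pattern == "*":                # presence test
            return True
        parts = [re.escape(_unescape(p)) for p in pattern.split("*")]  # bare * is a wildcard
        rx = re.compile("^" + ".*".join(parts) + "$", re.I | re.S)
        return any(rx.match(v) for v in values)
    lit = _unescape(pattern)
    for v in values:
        try:
            a, b = int(v), int(lit)       # integer syntax, e.g. logonCount
        except ValueError:
            a, b = v.casefold(), lit.casefold()
        if (op == ">=" and a >= b) or (op == "<=" and a <= b):
            return True
        if op == "~=" and str(a).replace(" ", "") == str(b).replace(" ", ""):
            return True                   # crude stand-in; servers define their own approx-match
    return False

def matches(tree, entry):
    if tree[0] == "&":
        return all(matches(t, entry) for t in tree[1])
    if tree[0] == "|":
        return any(matches(t, entry) for t in tree[1])
    if tree[0] == "!":
        return not matches(tree[1][0], entry)   # absent attribute -> False -> NOT matches
    op, attr, pattern = tree
    values = entry.get(attr.lower())      # attribute names are case-insensitive
    return values is not None and _compare(op, pattern, values)

def _e(dn, **attrs):                      # constructed object: lower-cased names -> [str value]
    return {"dn": [dn], **{k.lower(): [str(v)] for k, v in attrs.items()}}

EXCH = "/o=Contoso/ou=HQ/cn=Servers/cn=EXCH01"
SAMPLE = [  # constructed sample data for a fictitious DC=example,DC=com domain
    _e("CN=John Smith,CN=Users,DC=example,DC=com", objectClass="user", givenName="John",
       sn="Smith", displayName="John Smith (Contoso)", logonCount=250,
       msExchHomeServerName=EXCH, homeDirectory=r"G:\Accounting\jsmith"),
    _e("CN=Jane Jones,CN=Users,DC=example,DC=com", objectClass="user", givenName="Jane",
       sn="Jones", displayName="Jane Jones", logonCount=30),             # no mailbox
    _e("CN=Joe Jones,CN=Users,DC=example,DC=com", objectClass="user", givenName="Joe",
       sn="Jones", displayName="Joe Jones", msExchHomeServerName=EXCH),   # no logonCount
    _e("CN=WS01,CN=Computers,DC=example,DC=com", objectClass="computer", cn="WS01"),
]

def search(filter_text, entries=SAMPLE):
    """DNs of the entries that match filter_text (subtree scope)."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(tree, e)]

def injection_demo(user_input="*)(objectClass=*"):
    """Surname lookup built by string formatting; returns (hits unescaped, hits escaped).
    Unescaped, the input closes the sn item and appends (objectClass=*): every user matches."""
    unsafe = f"(&(objectClass=user)(sn={user_input}))"
    safe = f"(&(objectClass=user)(sn={escape_value(user_input)}))"
    return len(search(unsafe)), len(search(safe))
```

Call search() with the filters from this section to see them evaluated against the sample entries; the Jones filter returns only Joe Jones, because his object has no logonCount value and the negated comparison therefore matches. injection_demo() shows that the unescaped input *)(objectClass=* turns a surname lookup into a query that returns every user, while the escaped form returns none.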
If you are interested in only one or a few attributes, you can filter out the rest so that they are not displayed in the results window by clicking Options in the Search dialog box. In Options, list the attributes that you want to be displayed, separated by semicolons. For example:
msExchHomeServerName;displayName;homeDirectory
Attribute names are not case sensitive. If you leave the Attributes list blank, or if it contains only an asterisk, all of the attributes to which you have access are displayed for every object returned by a query.
NOTE: The LDP utility does not separate the objects that are returned by a query with a blank line. When you look through search results, look for the leading >> characters to indicate the beginning of the next object in the list.
Discovering Attribute Names
The schema lists all of the possible attributes that objects in the directory can have, and defines their relationships. The base DN of the Schema container is listed with the RootDSE information (the CN=Schema,CN=Configuration,... entry under namingContexts). If you open a directory tree view with this DN, you can discover interesting attributes and verify naming. Each attributeSchema object carries both a common name (for example, Home-Directory) and an lDAPDisplayName (homeDirectory); the lDAPDisplayName is the form that you use in filters and attribute lists.
If you do not have rights to view the schema, you can browse through the attributes of a few representative objects to get a good idea of the commonly used attributes for a particular directory.