LDAP Searches Provide a Gateway to Company Data - Page 3
LDAP Search Tips, Tricks and Traps
Here are some tips for administrators. Many LDAP searches also return operational attribute settings to administrators; these settings can affect overall performance and are generally not accessible to most users. A persistent search returns results only when an attribute value (such as a telephone number) changes. Finally, Virtual List View (VLV) sends the search results in subsets, which users can browse. LDAP searches can also be initiated from your Web browser as a URL; see RFC 2255 for more details.
You may want to confirm which LDAP v3 extensions are supported by your server. These could influence search time and results. For example, server-side sorting operations complete before the search result is sent back to the user.
Are you regularly checking your logs to determine what searches are running, who is running them, and the time to completion? This will give you an idea of whether your CPU, disk space, and directory configuration settings are optimized. Most directories have log analysis utilities to aid you. Are you looking at the directory statistics to understand which of the initiated searches completed, and which entries the searches returned?
If you are having trouble with your search failing or returning incorrect data, check the following:
- Is my scope incorrect, too vague or too restrictive?
- Do the record and its attributes actually exist?
- Is the record found under my search base?
- Do I have the right directory, port, or bind id?
- Is there a firewall blocking access from servers to complete the search?
- Are the directory and directory replication operational at this time?
- Is there an access control list overriding my query search or response?
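The scope, search base and port questions above can be checked mechanically when the search arrives as an RFC 2255 URL. The following Python sketch is an added example, not code from the original article: the function names, the sample URL and the sample DN are constructed for illustration, and the DN comparison is deliberately simplified (no escaped commas).

```python
from urllib.parse import urlsplit, unquote
SCOPES = ("base", "one", "sub")  # scope keywords defined by RFC 2255

def parse_ldap_url(url):
    """Split ldap://host:port/dn?attributes?scope?filter into search parameters."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldap":
        raise ValueError("not an ldap:// URL: %r" % url)
    fields = (parts.query.split("?") + [""] * 4)[:4]  # pad omitted trailing fields
    attrs, scope, flt, _extensions = (unquote(f) for f in fields)
    scope = scope.lower() or "base"          # RFC 2255 default scope
    if scope not in SCOPES:
        raise ValueError("unknown scope %r" % scope)
    return {
        "host": parts.hostname,              # None when the URL names no host
        "port": parts.port or 389,           # RFC 2255 default port
        "base": unquote(parts.path.lstrip("/")),
        "attributes": [a for a in attrs.split(",") if a],  # empty = all user attributes
        "scope": scope,
        "filter": flt or "(objectClass=*)",  # RFC 2255 default filter
    }

def rdns(dn):
    """Simplified DN split: case-folded, comma-separated, no escaped-comma support."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def in_scope(entry_dn, base, scope):
    """True if a search from `base` with `scope` can reach `entry_dn`."""
    entry, root = rdns(entry_dn), rdns(base)
    depth = len(entry) - len(root)
    if depth < 0 or entry[depth:] != root:
        return False                         # entry is outside the search base
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def diagnose(url, expected_dn):
    """List the checklist items that explain why `url` would miss `expected_dn`."""
    q = parse_ldap_url(url)
    if not in_scope(expected_dn, q["base"], "sub"):
        return ["entry is not under search base %r" % q["base"]]
    if not in_scope(expected_dn, q["base"], q["scope"]):
        return ["scope %r is too restrictive for this entry" % q["scope"]]
    return []

# Constructed sample: scope is omitted, so the search silently defaults to "base".
SAMPLE_URL = "ldap://ldap.example.com/ou=People,dc=example,dc=com?cn,telephoneNumber??(uid=jdoe)"
SAMPLE_DN = "uid=jdoe,ou=People,dc=example,dc=com"

if __name__ == "__main__":
    print(diagnose(SAMPLE_URL, SAMPLE_DN))
```

An empty result from `diagnose` means base and scope are not the problem, which leaves the bind ID, firewall, replication and access control items on the list to check against the server itself.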
We have just started exploring the power and promise of the LDAP search tools. Now that you have had a taste of the ease of using LDAP utilities to manage your user ID databases, over the next set of articles we will cover search filters (the meat of the search mechanism), the search filter syntax, and searching with popular browsing and messaging software. Just think about the power LDAP searches give you to find buried treasure in your company's LDAP directories.
http://www.hawaii.edu/brownbags/ldap/ldap2.pdf Good presentation on LDAP and LDAP search.
http://www.hawaii.edu/ldap/details.html Good overview of LDAP URL syntax with examples.
The LDAP search syntax and operation are covered in detail in RFCs 2251 and 2254. A revised version of the search filter syntax is being prepared by the IETF LDAPBIS group.
http://perlldap.sourceforge.net/rfc.html One location (of many) to find LDAP information.
http://www.ietf.org/ids.by.wg/ldapbis An IETF standards group revising the LDAP v3 protocol. You can join their active mailing list to stay current.
LDAP Public Directories
http://www.emailman.com/ldap/public.html List of public directories available for testing queries.
Beth Cohen is president of Luth Computer Specialists Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields including architecture, construction, engineering, software, telecommunications, and research. She is currently consulting, teaching college IT courses, and writing articles and a book about IT for the small enterprise.
Hallett German will soon launch Alessea Consulting, focusing on network identity and electronic directories/messaging consulting. He has twenty years' experience in a variety of IT positions and in implementing stable infrastructures. He is the founder of the Northeast SAS Users Group and former President of the REXX Language Association. Hal is the author of three books on scripting languages. He is always on the lookout for challenging opportunities that will expand his directory, networking and security skills.