Three LDAP Browsers for the Asking
Getting your information in a directory is just half the battle: The other half is finding it. Here are three LDAP browsers, free of charge and up to the task of digging through your data.
Saturday 8PM: "McNulty: LDAP Consultant." Jaye McNulty, ex-pastry chef, continuously thwarts major LDAP security threats in global corporations. Tonight's episode: "Corporation in Fear" has our hero and her assistant/off-hours nutritionist Tom-Bob fighting DIP (Data is Power)'s scheme to limit corporate directory searches to queries for area codes.
That action-packed drama, "McNulty: LDAP Consultant," is unlikely to be showing on TV any time soon. However, many business users do need to understand the mysteries of corporate data. In the last of our six articles on LDAP search, we will review the search capabilities of three LDAP browsers: LDP, Coral Directory and JXplorer. All of the browsers reviewed have features that appeal to all levels of users -- novices as well as knowledgeable gurus. And finally, after all the practical discussions about LDAP search engines, we will provide a fast pass at the features we would like to see in our ideal browser. Who knows? There may be some reader or future vendor ready to make it happen!
An Unlikely Pair: LDP and Coral Directory
Microsoft's Active Directory Administration tool, LDP, is an Active Directory browser packaged with Windows XP, 2000, and 2003 Server CDs. Be forewarned -- the XP version is stripped down compared to the 2xxx version. Still, it is useful enough to perform most directory operations. The product has been available since 1996, making it one of the oldest LDAP browsers still in existence. We used the 3.0 version for testing. LDP and many other useful utilities are found in the CD's Support\Tools directory.
For XP and 2003, double-click suptools.msi to initiate the install. For Windows 2000, double-click setup.exe as Administrator to install the entire Support Tools set. See the following Knowledge Base articles for more details on the installation:
- 246926: "Folder Listing of the Support Tools Included in Windows 2000"
- 301423: "HOW TO: Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer"
Even though LDP supports the latest Active Directory features (a series in itself), it can also be used as a workhorse LDAP Browser. Note that LDP was designed for Windows 2xxx Administrators and not typical users. This may explain why the only assistance provided is a modest Word help document included on the CD. Unlike most Microsoft products, there are no help files within the LDAP browser itself. However, the venerable Microsoft Knowledge Base yields these gems packed with useful information:
- KB 224543 Using Ldp.exe to Find Data in the Active Directory
- KB 278422 How to Use the Windows 2000 LDP Support Tool to View the BaseDN
- KB 255602 Browsing and Querying Using the LDP Utility
Like many Microsoft utilities, LDP is usually started from the DOS command line. Once started, the LDP Utility appears with a menu and a blank screen. From the File menu, select "Connection". The connection dialog box then appears. You may then enter the server/port or re-use the last one. Unfortunately, there is no means to save multiple profiles. Messages will then appear in the Result Window, which is located on the right three-quarters of the screen. These messages are the root DSE record. DSE stands for DSA-specific entry, and DSA is X.500-speak for directory server. The record tells you about your session and gives some information about your directory, such as the server controls supported and the parent object classes (the abstract classes). Select "Bind" from the "Connection" menu if you need to authenticate with a user id. The dialog box supports name, password and NT/Active Directory Domain. Clicking on the "Advanced" button allows selection of authentication types and methods. Once in the directory, you may change options for bind, search, pending, controls, many different connection options, sort keys, and font.
Use "Tree" under the View menu to view the entire LDAP tree. The tree will appear in the left half of the screen. To start a search, do any of the following: press Control-S, select "Search" from the Browse menu, or right-click on the desired level in the directory tree and then select "Search." Once in the search window, you may specify the search base, the search filter in parentheses, and the search scope. Other options may be specified at run time. A serious drawback is that the program does not support any way to save a search filter. The search results appear in the right half of the screen. The only way to save these results is to cut and paste. The product sorely needs a built-in LDIF export. Knowledge Base 255602 talks about using the separate, cumbersome but powerful LDIFDE command line utility. LDP includes other features such as administration capabilities, virtual list view, compare, get last error, extended operations, a large integer converter utility, and, of course, lots of Active Directory goodies.
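What the missing LDIF export has to get right, shown as an added Python example (not code from the article, LDP or LDIFDE): values that are not plain 7-bit text, or that start with a space, colon or `<`, must be base64-encoded per RFC 2849, which is exactly what cut-and-paste from a result pane loses. The function names, the sample entry and the `(dn, {attr: [bytes]})` input shape are assumptions made for this illustration.

```python
import base64

# Constructed sample in the (dn, {attr: [bytes]}) shape; all values invented.
SAMPLE_ENTRIES = [
    ("cn=Jaye McNulty,ou=People,dc=example,dc=com", {
        "objectClass": [b"top", b"person"],
        "cn": [b"Jaye McNulty"],
        "description": [b" starts with a space",
                        "P\u00e2tissi\u00e8re".encode("utf-8")],
    }),
]

def is_safe(value: bytes) -> bool:
    """RFC 2849 SAFE-STRING: 7-bit, no NUL/CR/LF, no leading ' ', ':' or '<'.
    Values ending in a space are also treated as unsafe, as the RFC advises."""
    if not value:
        return True
    if value[0] in b" :<" or value.endswith(b" "):
        return False
    return all(b < 128 and b not in (0, 10, 13) for b in value)

def fold(line: str, width: int = 76) -> str:
    """Fold a long line; each continuation line starts with one space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)

def attr_line(name: str, value: bytes) -> str:
    """'name: value' for safe values, 'name:: base64' for everything else."""
    if is_safe(value):
        return fold(f"{name}: {value.decode('ascii')}")
    return fold(f"{name}:: {base64.b64encode(value).decode('ascii')}")

def to_ldif(entries) -> str:
    """Render search results as LDIF content records, one blank line apart."""
    records = []
    for dn, attrs in entries:
        lines = [attr_line("dn", dn.encode("utf-8"))]
        for name, values in attrs.items():
            lines.extend(attr_line(name, v) for v in values)
        records.append("\n".join(lines))
    return "version: 1\n\n" + "\n\n".join(records) + "\n"

if __name__ == "__main__":
    print(to_ldif(SAMPLE_ENTRIES))
```
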
Overall, LDP is a good LDAP browser, but it is clearly meant for Active Directory administrators rather than general users. In its favor is the large installed base of Windows 2xxx/XP, so it is probably freely available at your company. If some of the missing features are important to you, then consider one of the other browsers discussed in the series.