Three LDAP Browsers for the Asking
Saturday 8PM: "McNulty: LDAP Consultant." Jaye McNulty, ex-pastry chef, continuously thwarts major LDAP security threats in global corporations. Tonight's episode: "Corporation in Fear" has our hero and her assistant/off-hours nutritionist Tom-Bob fighting DIP (Data is Power)'s scheme to limit corporate directory searches to queries for area codes.
That action-packed drama, "McNulty: LDAP Consultant," is unlikely to be showing on TV any time soon. However, many business users do need to understand the mysteries of corporate data. In the last of our six articles on LDAP search, we will review the search capabilities of three LDAP browsers: LDP, Coral Directory and JXplorer. All of the browsers reviewed have features that appeal to all levels of users -- novices as well as knowledgeable gurus. And finally, after all the practical discussions about LDAP search engines, we will provide a fast pass at the features we would like to see in our ideal browser. Who knows? There may be some reader or future vendor ready to make it happen!
An Unlikely Pair: LDP and Coral Directory
Microsoft's Active Directory Administration tool, LDP, is an Active Directory browser packaged with Windows XP, 2000, and 2003 Server CDs. Be forewarned -- the XP version is stripped down compared to the 2xxx version. Still, it is useful enough to perform most directory operations. The product has been available since 1996, making it one of the oldest LDAP browsers still in existence. We used the 3.0 version for testing. LDP and many other useful utilities are found in the CD's Support\Tools directory.
For XP and 2003, double-click suptools.msi to initiate the install. For Windows 2000, double-click setup.exe as Administrator to install the entire Support Tools set. See the following Knowledge Base articles for more details on the installation:
- 246926: "Folder Listing of the Support Tools Included in Windows 2000"
- 301423: "HOW TO: Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer"
Even though LDP supports the latest Active Directory features (a series in itself), it can also be used as a workhorse LDAP Browser. Note that LDP was designed for Windows 2xxx Administrators and not typical users. This may explain why the only assistance provided is a modest Word help document included on the CD. Unlike most Microsoft products, there are no help files within the LDAP browser itself. However, the venerable Microsoft Knowledge Base yields these gems packed with useful information:
- KB 224543 Using Ldp.exe to Find Data in the Active Directory
- KB 278422 How to Use the Windows 2000 LDP Support Tool to View the BaseDN
- KB 255602 Browsing and Querying Using the LDP Utility
Like many Microsoft utilities, LDP is usually started from the DOS command line. Once started, the LDP Utility appears with a menu and a blank screen. From the File menu, select "Connection". The connection dialog box then appears. You may then enter the server/port or re-use the last one. Unfortunately, there is no means to save multiple profiles. Messages will then appear in the Result Window, which occupies the right three-quarters of the screen. These messages are the Root DSE record. DSE stands for DSA-specific entry, and DSA is X.500-speak for directory server. This record tells you about your session and gives some information about your directory (such as the server controls supported, the parent object classes (the abstract classes), etc.). Select "Bind" from the "Connection" menu if you need to authenticate with a user id. The dialog box supports name, password and NT/Active Directory Domain. Clicking on the "Advanced" button allows selection of authentication types and methods. Once in the directory, you may change options for bind, search, pending, controls, many different connection options, sort keys, and font.
Use "Tree" under the View menu to view the entire LDAP tree. The tree will appear in the left half of the screen. To start a search, do any of the following: press Control-S, select Search from the Browse menu, or right-click on the desired level in the directory tree and then select "Search." Once in the search window, you may specify the search base, the search filter in parentheses, and the search scope. Other options may be specified at run time. A serious drawback is that the program does not support any way of saving a search filter. The search results appear in the right half of the screen. The only way to save these results is to cut and paste. The product sorely needs a built-in LDIF export. Knowledge Base 255602 talks about using the separate, cumbersome but powerful LDIFDE command line utility. LDP includes other features such as administration capabilities, virtual list view, compare, get last error, extended operations, a large integer converter utility, and, of course, lots of Active Directory goodies.
Overall, LDP is a good LDAP browser, but it is clearly meant for Active Directory administrators rather than general users. In its favor is the large installed base of Windows 2xxx/XP, so it is probably freely available at your company. If some of the missing features are important to you, then consider one of the other browsers discussed in the series.
Yet another LDAP Browser - Coral Directory
Coral Directory is a new LDAP Browser that bears close watching. Hans Maeda, the author, is actively working on the application. There were four updates in March alone. It is available as freeware in the United States and as shareware in Japan. The software explicitly supports OpenLDAP and Sun/iPlanet Directory. The current release is 1.32331.
Coral Directory uses Flat Buttons and Menus to get you to the appropriate functions. The Configure tab allows you to store and reuse vendor and user supplied configurations. Press the Connect (pine tree icon) at the bottom right to bind. A floating message window pops up during your session. Other Flat Buttons in the current version include edit, administration (including backup and recovery), schema view and help.
Coral's directory search offers the most comprehensive combination we've seen so far for all classes of users. It includes a pull-down on attribute, condition and value. The only thing missing is handling of multiple conditions (such as AND, OR, NOT). Hans Maeda (who has been reading this series) has plans to add the following features in future releases:
- Multiple search filters
- A search format that is closer to the ldapsearch command line version.
- Ability to save search filter pattern to a file and retrieve via a pull-down list.
These features should be available in the coming months.
Since this product is still very much a work in progress, there are a number of minor issues that will most likely be addressed in the coming months. The application is in need of a true installer; it is not intuitive to create and save a new connection; we had to scroll up to see text for some windows; and there were sporadic DLL error messages in earlier releases. These are all minor compared to the overall positive user experience. Although this admittedly is not a finished product, it shows promise as a powerful and flexible browser when completed.
JXplorer - Sheer Power for the Masses
Space does not allow us to do justice to this product. JXplorer was originally sold as part of Computer Associates' eTrust Directory package. However, it was recently donated and transformed into an open source offering instead. It was created using Java and runs on Windows, Solaris, Linux, and OS390.
To create a configuration, you can enter the standard information in a default or DSML template (server name, user id, a rich list of authentication types, etc.). Then click OK and your session begins. What makes JXplorer unique is that it has two types of searches:
- A quick search, available on top of the menu. You can choose from selected attributes and operators, and then enter your value. Results are displayed in either a friendly HTML or Table format, from which you can then perform various administrative operations.
- A complex search, available under the Search menu or by pressing Control-F. But even this gives you a choice of building a canned filter or creating your own. The canned filter can build complex search filters with multiple ANDs, ORs, and NOTs. Other operators are described in plain English terms. You can also save and reuse search filters.
JXplorer has an incredibly rich feature list. The following are just a few samples:
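The canned filter described above combines attribute/operator/value rows with AND, OR and NOT into one parenthesised filter string. As an added example (not code from JXplorer or any of the browsers reviewed), here is one way to compose such a filter in Python, escaping typed values per RFC 4515 so that parentheses and asterisks in a value are matched literally instead of changing the filter's structure; the function names, operator labels and sample values are hypothetical.

```python
import re

# Attribute descriptions: a name plus optional ;options (e.g. userCertificate;binary).
_ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*")
# RFC 4515 requires these characters in a value to be written as \XX hex escapes.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Plain-English operator names (hypothetical labels) mapped to filter templates.
_OPERATORS = {
    "equals": "({a}={v})",
    "begins with": "({a}={v}*)",
    "ends with": "({a}=*{v})",
    "contains": "({a}=*{v}*)",
    "at least": "({a}>={v})",
    "at most": "({a}<={v})",
}

def escape_value(value):
    """Return the value with filter metacharacters escaped so it matches literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def condition(attr, operator, value):
    """Build one parenthesised filter item from an attribute/operator/value row."""
    if not _ATTR.fullmatch(attr):
        raise ValueError("not a valid attribute name: %r" % attr)
    if operator not in _OPERATORS:
        raise ValueError("unknown operator: %r" % operator)
    return _OPERATORS[operator].format(a=attr, v=escape_value(value))

def all_of(*items):   # AND
    return "(&" + "".join(items) + ")"

def any_of(*items):   # OR
    return "(|" + "".join(items) + ")"

def negate(item):     # NOT
    return "(!" + item + ")"

def staff_filter(surname, excluded_area_code):
    """Constructed sample: people by surname or mail domain, minus one area code."""
    return all_of(
        condition("objectClass", "equals", "person"),
        any_of(condition("sn", "begins with", surname),
               condition("mail", "ends with", "@example.com")),
        negate(condition("telephoneNumber", "begins with", excluded_area_code)),
    )

if __name__ == "__main__":
    print(staff_filter("McNulty", "617"))
    print(condition("cn", "equals", "Smith (Contractor)*"))
```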
- Branches cut and copy
- Export subtrees to LDIF
- A schema viewer
- API to extend the product - plug-in editors, viewers, and authentication schemes
- Display operation attributes for each attribute
- Support for multi-value relative distinguished names (as a rule you shouldn't be doing this)
- Full support for special and UTF-8 character sets
- Multiple log levels and other administrative goodies
- Customized look and feel for menus
- Rich public key and binary object support
- Return attribute lists, and
- A rich help file/documentation set
This product has many features that will appeal to novices, but other advanced features may scare them away. A novice administrator might easily wipe out a crucial operation with tree operations. (Luckily, the default is safety mode, in which the user has to confirm tree operations.) Other concerns are that multiple configurations are not easy to save, the help functions are not context-sensitive, and the error/status messages are not useful or understandable.
JXplorer is an extremely powerful directory browser that offers some useful and unique features. In its favor, it offers more customization capabilities than many of its counterparts. We hope that it continues to be enhanced for some time to come. If it continues to be developed by the open source community, it has the potential to be a very powerful LDAP tool.
Our Ideal Directory Browser
Having looked at all of the major LDAP browsers, we thought we would share our first thoughts about the features we'd like to see in our ideal LDAP directory browser:
- Flexible searches with both pull-down menus and a blank line for user created searches.
- A debugger for LDAP import/export, search, and administration operations.
- Interactive search tutorial, rich with examples for all types of users from novice to advanced.
- APIs for those who wish to customize their browser (such as adding their own viewer), or provide access through a program.
- More product documentation, including bulletin boards for search and product questions and a product FAQ (frequently asked questions).
- Schema/operation attributes viewer/editor.
- Ability to save and reuse searches.
- Ability to download and update a specified list of public LDAP directory server access configurations.
- Easy to enable/disable anonymous user access.
- Ability to enable/disable specific directory server support.
- Easy-to-understand session and error messages. A list of messages and what to do about them in the product help rather than referring the user to hard to understand and frequently obscure RFCs.
- Multiple language support.
- Ability to inform a user of the search progress and a method of informing a user that a given search will likely take some time.
- Support of many import/export formats.
- Plug-in support for e-mail, schedulers, workflows, web browsers, etc.
- Rich logging and reporting capabilities.
None of the current offerings that were reviewed for this article were close to having even a fraction of the features listed above. This list is just a starting point for a dialogue about the features that are important to include in a powerful LDAP search tool. We plan to continue enhancing this list. We welcome your thoughts on this as well.
After six articles and looking at many browsers and LDAP search tools, hopefully you now have enough information to get you started using LDAP Search and browser applications. Even though LDAP search can be a powerful and useful tool for accessing distributed directory information, there is still much work to be done to perfect the available tools. We will continue to review products as they become available in this rapidly evolving area, and write down our thoughts on what to look for in an LDAP browser. Some of these will likely be found here as well as under the tutorial section of ldapguru.net. Keep watching these spaces!
With the rise in E-business, the need for better network identity and single sign-on will continue to grow. These tools will become increasingly important in helping to shape how companies do business in the twenty-first century. For now, happy LDAP searching! May all your LDAP searches be as rewarding as you desire them to be.
- http://perl-ldap.sourceforge.net/rfc.html - One location (of many) to find LDAP
- http://www.emailman.com/ldap/public.html - List of public directories that you can use for testing queries.
- www.hawaii.edu/brownbags/ldap/ldap2.pdf - Good presentation on LDAP and LDAP search.
- LDAP Guru Links - A great place for LDAP training tutorials. Our latest LDAP Browser activities will be found here.
Beth Cohen is president of Luth Computer Specialists, Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in different industries including manufacturing, architecture, construction, engineering, software, telecommunications, and research. She is available for consulting to help your company identify the right IT infrastructure to meet your business objectives.
Hallett German is launching Alessea Consulting -- focusing on network identity, electronic directories/IT, and business development consulting. He has 20 years' experience in a variety of IT positions and in implementing stable infrastructures. Hal is the founder of the Northeast SAS Users Group and former President of the REXX Language Association. He is the author of three books on scripting languages. He would welcome the opportunity to solve your network identity, directory, IT and business challenges.