Saturday 8PM: “McNulty: LDAP Consultant.” Jaye McNulty, ex-pastry chef,
continuously thwarts major LDAP security threats in global
corporations. Tonight’s episode: “Corporation in Fear” has our hero
and her assistant/off-hours nutritionist Tom-Bob fighting DIP (Data is
Power)’s scheme to limit corporate directory searches to queries for
That action-packed drama, “McNulty: LDAP Consultant,” is unlikely
to be showing on TV any time soon. However, many business users do
need to understand the mysteries of corporate directory data. In the last of our
six articles on LDAP search, we review the search capabilities of
three LDAP browsers: LDP, Coral Directory and JXplorer. All of the
browsers reviewed have features that appeal to all levels of users,
novices as well as knowledgeable gurus. And finally, after all the
practical discussions about LDAP search tools, we take a
fast pass at the features we would like to see in our ideal
browser. Who knows? There may be a reader or future vendor ready to
make it happen!
An Unlikely Pair: LDP and Coral Directory
Microsoft’s Active Directory Administration Tool, LDP, is an Active
Directory browser packaged on the Windows XP, 2000, and 2003 Server
CDs. Be forewarned: the XP version is stripped down compared to the
Windows 2000/2003 version. Still, it is useful enough to perform most directory
operations. The product has been available since 1996, making it one
of the oldest LDAP browsers still in existence. We used version 3.0
for testing. LDP and many other useful utilities are found in
the CD’s Support\Tools directory.
For XP and 2003, double-click suptools.msi to initiate the
install. For Windows 2000, double-click setup.exe as
Administrator to install the entire Support Tools set. See the
following Knowledge Base articles for more details on the
- 246926: “Folder Listing of the Support Tools Included in
- 301423: “HOW TO: Install the Windows 2000 Support Tools
to a Windows 2000 Server-Based Computer”
Even though LDP supports the latest Active Directory features (a
series in itself), it can also be used as a workhorse LDAP
browser. Note that LDP was designed for Windows 2000/2003 administrators
and not typical users. This may explain why the only assistance
provided is a modest Word help document included on the CD. Unlike
most Microsoft products, there are no help files within the
browser itself. However, the venerable Microsoft Knowledge Base yields
these gems packed with useful information:
- KB 224543 Using Ldp.exe to Find Data in the Active Directory
- KB 278422 How to Use the Windows 2000 LDP Support Tool to View the BaseDN
- KB 255602 Browsing and Querying Using the LDP Utility
Like many Microsoft utilities, LDP is usually started from the
command prompt (ldp.exe). Once started, LDP appears with a menu bar and a
blank window. From the Connection menu, select “Connect”. In the connection
dialog you enter the server and port (389 by default) or re-use
the last one. Unfortunately, there is no way to save multiple
connection profiles. Messages then appear in the result window, which
occupies the right three-quarters of the screen. These messages are
the server’s root DSE (DSA-Specific Entry; DSA, Directory System Agent,
is X.500-speak for a directory server). The root DSE describes your
session and the server: the LDAP versions, controls, extensions and SASL
mechanisms it supports, and its naming contexts (on Active Directory, the
domain, configuration and schema partitions). Note that an unauthenticated
connect is enough to read it, which is why it is also the first thing a
reconnaissance tool asks a directory for. Select “Bind”
from the Connection menu if you need to authenticate with a user
id. The dialog box supports name, password and NT/Active Directory
domain. Clicking the “Advanced” button allows selection of
authentication types and methods. Once connected, you may
change options for bind, search, pending operations, controls, many different
connection options, sort keys, and font.
Use “Tree” under the View menu to view the entire LDAP
tree; it appears in the left half of the screen. To start a
search, do any of the following: press Control-S, select Search from
the Browse menu, or right-click the desired level in the directory
tree and select “Search.” Once in the search window, you may
specify the search base (a DN), the search filter in parentheses, for
example (objectClass=user) or (&(objectClass=user)(sn=McNulty)), and the
search scope (base, one level or subtree). Other options, such as the
attributes to return and size and time limits, may be specified at run
time. A serious drawback is that the program offers no way to save a
search filter. The search results appear in the right half of the
screen, and the only way to save them is to cut and paste. The product
sorely needs a built-in LDIF export. Knowledge Base article 255602
describes using the separate, cumbersome but powerful LDIFDE
command line utility instead. LDP includes other features such as
administration capabilities, virtual list view, compare, get last
error, extended operations, a large integer converter utility, and, of
course, lots of Active Directory goodies.
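Since LDP offers no LDIF export and points you at LDIFDE instead, it is worth seeing what handling such an export actually involves. The following is an added example, not code from this article or from LDP or LDIFDE: a minimal Python reader for LDIF, run against a constructed ldifde-style sample (the DNs, GUID and names are invented for the demonstration). It unfolds continuation lines, base64-decodes the `::` values so that binary attributes such as objectGUID survive intact, and looks attributes up case-insensitively, which is exactly what a cut-and-paste workflow tends to get wrong.

```python
"""Minimal LDIF (RFC 2849) reader for directory exports such as ldifde output.

Added example, not code from the original article or from LDP/ldifde. It copes
with the three things that defeat a naive "split on ':'" approach: folded lines
(a continuation line begins with one space), base64 values ("attr:: ...") used
for binary or non-ASCII data, and comment/version lines.
"""
import base64
from typing import Dict, List, Union

Value = Union[str, bytes]
Entry = Dict[str, List[Value]]

# Constructed sample in ldifde's "changetype: add" export style, not captured
# from a real directory. objectGUID holds the bytes 0x00..0x0f; displayName is
# base64 because it contains a non-ASCII character.
SAMPLE_LDIF = """version: 1
# constructed export for demonstration

dn: CN=Jaye McNulty,OU=Consultants,DC=example,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: user
cn: Jaye McNulty
sAMAccountName: jmcnulty
description: LDAP consultant with a description long enough that the expo
 rter folded it onto a second line
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
memberOf: CN=Directory Admins,OU=Groups,DC=example,DC=com

dn: CN=Tom-Bob,OU=Consultants,DC=example,DC=com
changetype: add
objectClass: top
objectClass: person
cn: Tom-Bob
displayName:: VG9tLUJvYiDDqQ==
"""

def unfold(text: str) -> List[str]:
    """Join folded lines: a line starting with a single space continues the previous one."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF into entries (attribute name -> list of values).

    "attr: value" yields str; "attr:: value" is base64-decoded to bytes so binary
    attributes are not mangled. The DN is kept under "dn" like any attribute.
    URL-valued lines ("attr:< file:///...") are rejected rather than followed.
    """
    entries: List[Entry] = []
    current: Entry = {}
    for line in unfold(text):
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        if line.strip() == "":          # a blank line terminates the entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith(":"):
            value: Value = base64.b64decode(rest[1:].strip())
        elif rest.startswith("<"):
            raise ValueError(f"URL-valued attribute not supported: {attr}")
        else:
            value = rest.lstrip(" ")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries

def get_values(entry: Entry, attr: str) -> List[Value]:
    """Case-insensitive attribute lookup; LDAP attribute names are not case-sensitive."""
    wanted = attr.lower()
    return next((vs for name, vs in entry.items() if name.lower() == wanted), [])

def members_of(entries: List[Entry], group_dn: str) -> List[str]:
    """DNs of the entries whose memberOf lists group_dn (compared case-insensitively)."""
    hits: List[str] = []
    for entry in entries:
        if any(isinstance(v, str) and v.lower() == group_dn.lower()
               for v in get_values(entry, "memberOf")):
            hits.extend(v for v in get_values(entry, "dn") if isinstance(v, str))
    return hits
```

Keeping base64 values as bytes rather than decoding them to text is deliberate: objectGUID and objectSid are not strings, and the usual failure of a quick parser is to mangle them on the way through. DN comparison here is a plain case-insensitive string compare, which is enough for an export you control; a real DN match also normalizes whitespace and attribute-type case per RFC 4514.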
Overall, LDP is a good LDAP browser, but it is clearly meant for
Active Directory administrators rather than general users. In its
favor is the large installed base of Windows 2000/2003/XP, so it is probably
freely available at your company. If some of the missing features are
important to you, then consider one of the other browsers discussed in
Yet another LDAP Browser – Coral Directory
Coral Directory is a new LDAP browser that bears close watching. Hans
Maeda, the author, is actively working on the application; there were
four updates in March alone. It is available as freeware in the United
States and as shareware in Japan. The software explicitly supports
OpenLDAP and the Sun/iPlanet Directory Server. The current release is 1.32331.
Coral Directory uses flat buttons and menus to get you to the
appropriate functions. The Configure tab allows you to store
and reuse vendor- and user-supplied configurations. Press the Connect
button (pine tree icon) at the bottom right to bind. A floating message
window pops up during your session. Other flat buttons in the current
version include edit, administration (including backup and recovery),
schema view and help.
Coral’s directory search offers the most comprehensive combination
we have seen so far for all classes of users. It includes pull-downs for
attribute, condition and value. The only thing missing is handling of
multiple conditions (AND, OR, NOT). Hans Maeda (who has been
reading this series) plans to add the following features in future releases:
- Multiple search filters
- A search format that is closer to the ldapsearch command line version.
- Ability to save search filter pattern to a file and retrieve via a pull-down list.
These features should be available in the coming months.
Since this product is still very much a work in progress, there are
a number of minor issues that will most likely be addressed in the
coming months. The application needs a true installer, it is
not intuitive to create and save a new connection, we had to scroll up
to see text for some windows, and there were sporadic DLL error
messages in earlier releases. These are all minor compared to the
overall positive user experience. Although this admittedly is not a
finished product, it shows promise as a powerful and flexible browser.
JXplorer – Sheer Power for the Masses
Space does not allow us to do justice to this product. JXplorer
was originally sold as part of Computer Associates’ eTrust Directory
package. However, it was recently donated and transformed into an open
source offering instead. It is written in Java and runs on
Windows, Solaris, Linux, and OS/390.
To create a configuration, enter the standard information in a
default or DSML template (server name, user id, a rich list of
authentication types, etc.). Then click OK and your session begins.
What makes JXplorer unique is that it has two types of searches:
- A quick search, available at the top of the window. You choose from
selected attributes and operators, then enter your
value. Results are displayed in either a friendly HTML or a table
format, which can then do various
- A complex search, available under the Search menu or by
pressing Control-F. Even this gives you a choice of
building a canned filter or creating your own. The filter builder can
construct complex search filters with multiple ANDs, ORs and
NOTs; other operators are described in plain English terms. You
can also save and reuse search filters.
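The multi-condition filters that JXplorer’s complex search builds (and that Coral Directory’s attribute, condition and value pull-downs currently cannot combine) are plain RFC 4515 strings. The following added example, which is not code from this article or from either browser, builds such filters in Python with proper escaping of user-supplied values and runs them against a small constructed in-memory directory using a toy evaluator that stands in for a server. The security point is that a value box is untrusted input: spliced into a filter unescaped, a single `*` turns a lookup for one person into a dump of everyone, while an injected `)` produces a different or malformed query. Escaped per RFC 4515, the same input matches only literally. The DIRECTORY entries and function names are assumptions made for the demonstration.

```python
"""RFC 4515 search filter builder with value escaping, plus a small evaluator.

Added example, not code from the original article, Coral Directory or JXplorer.
It shows the AND/OR/NOT filters those search dialogs compose, and why a value
typed into a "value" box must be escaped before it is spliced into the filter.
DIRECTORY and the evaluator are constructed stand-ins for a real server.
"""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# RFC 4515: these characters are escaped inside an assertion value as a
# backslash followed by the two hex digits of the byte.
_ESCAPE = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_value(value: str) -> str:
    """Escape user input so it is matched literally inside a filter."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)

def eq(attr: str, value: str) -> str:
    return f"({attr}={escape_value(value)})"

def starts_with(attr: str, prefix: str) -> str:
    return f"({attr}={escape_value(prefix)}*)"   # only the trailing '*' is a wildcard

def and_(*filters: str) -> str:
    return "(&" + "".join(filters) + ")"

def or_(*filters: str) -> str:
    return "(|" + "".join(filters) + ")"

def not_(flt: str) -> str:
    return f"(!{flt})"

def unsafe_eq(attr: str, value: str) -> str:
    """Naive concatenation of raw input: what a search dialog must NOT do."""
    return f"({attr}={value})"

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def _item_matches(attr: str, value: str, entry: Entry) -> bool:
    """Presence, substring and equality matching, case-insensitive like caseIgnoreMatch."""
    values = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":                                     # presence filter
        return bool(values)
    if "*" in value:                                     # substring filter
        pattern = ".*".join(re.escape(_unescape(p)) for p in value.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    literal = _unescape(value).lower()
    return any(v.lower() == literal for v in values)

def _parse(s: str, i: int, entry: Entry) -> Tuple[bool, int]:
    """Recursive-descent evaluation of the filter at s[i]; returns (result, next index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    op = s[i] if i < len(s) else ""
    if op in ("&", "|", "!"):
        i += 1
        results: List[bool] = []
        while i < len(s) and s[i] == "(":
            r, i = _parse(s, i, entry)
            results.append(r)
        if i >= len(s) or s[i] != ")":
            raise ValueError("unbalanced parentheses in filter")
        if op == "!" and len(results) != 1:
            raise ValueError("'!' takes exactly one operand")
        # (&) with no operands is absolute TRUE and (|) absolute FALSE (RFC 4526)
        value = all(results) if op == "&" else any(results) if op == "|" else not results[0]
        return value, i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unbalanced parentheses in filter")
    attr, sep, value = s[i:end].partition("=")
    if not sep:
        raise ValueError(f"malformed filter item {s[i:end]!r}")
    return _item_matches(attr, value, entry), end + 1

def matches(flt: str, entry: Entry) -> bool:
    """True if entry satisfies flt; a filter followed by trailing data is rejected."""
    result, i = _parse(flt, 0, entry)
    if i != len(flt):
        raise ValueError(f"unexpected data after filter: {flt[i:]!r}")
    return result

def search(flt: str, directory: List[Entry]) -> List[str]:
    """cn of every entry in directory that matches flt."""
    return [e["cn"][0] for e in directory if matches(flt, e)]

# Constructed sample directory, not real data.
DIRECTORY: List[Entry] = [
    {"cn": ["Jaye McNulty"], "sn": ["McNulty"], "uid": ["jmcnulty"], "objectClass": ["person"]},
    {"cn": ["Tom-Bob"], "sn": ["Bob"], "uid": ["tombob"], "objectClass": ["person"]},
    {"cn": ["Hallett German"], "sn": ["German"], "uid": ["hgerman"], "objectClass": ["person"]},
    {"cn": ["Directory Admins"], "objectClass": ["groupOfNames"]},
]
```

With a user-typed value of `*`, `search(unsafe_eq("cn", typed), DIRECTORY)` returns all four entries while `search(eq("cn", typed), DIRECTORY)` returns none, because `(cn=\2a)` asks for a literal asterisk. Attribute names and values are compared case-insensitively, matching how directories treat cn and sn (caseIgnoreMatch). The evaluator rejects a filter followed by trailing data, as a strict server does, so an injected `)` fails loudly instead of silently widening the search; a lenient server that ignores trailing text is exactly what classic LDAP injection relies on.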
JXplorer has an incredibly rich feature list. The following are
just a few samples:
- Cut and copy of whole branches
- Export of subtrees to LDIF
- A schema viewer, and an API to extend the product with plug-in editors,
viewers, and authentication schemes
- Display of operational attributes for each entry
- Support for multi-valued relative distinguished names (as a rule
you shouldn’t be doing this)
- Full support for special characters and UTF-8
- Multiple log levels and other administrative goodies
- Customized look and feel for menus
- Rich public key and binary object support
- Return attribute lists, and
- A rich help file/documentation set
This product has many features that will appeal to novices, but other
advanced features may scare them away. A novice
administrator might easily wipe out a crucial branch with the tree
operations. (Luckily, the default is safety mode, in which the user
has to confirm tree operations.) Other concerns are that multiple
configurations are not easy to save, the help functions are not
context-sensitive, and the error/status messages are not useful or
JXplorer is an extremely powerful directory browser that offers some useful
and unique features. In its favor, it offers more customization
capabilities than many of its counterparts. We hope that it continues
to be enhanced for some time to come. If it continues to be developed
by the open source community, it has the potential to be a very
powerful LDAP tool.
Our Ideal Directory Browser
Having looked at all of the major LDAP browsers, we thought we would
share our first thoughts about the features we’d like to see in our
ideal LDAP directory browser:
- Flexible searches with both pull-down menus and a blank line for
user created searches.
- A debugger for LDAP import/export, search, and administration
- Interactive search tutorial, rich with examples for all types of
users from novice to advanced.
- APIs for those who wish to customize their browser (such as adding
their own viewer), or provide access through a program.
- More product documentation, including bulletin boards for search
and product questions and a product FAQ (frequently asked questions).
- Schema and operational attributes viewer/editor.
- Ability to save and reuse searches.
- Ability to download and update a specified list of public LDAP
directory servers access configurations.
- Easy to enable/disable anonymous user access.
- Ability to enable/disable specific directory server support.
- Easy-to-understand session and error messages. A list of messages
and what to do about them in the product help rather than referring
the user to hard to understand and frequently obscure RFCs.
- Multiple language support.
- Ability to inform a user of the search progress and a method of
informing a user that a given search will likely take some time.
- Support of many imports/exports formats.
- Plug-in support for e-mail, schedulers, workflows, web browsers,
- Rich logging and reporting capabilities
None of the current offerings reviewed for this article come
close to having even a fraction of the features listed above. This
list is just a starting point for a dialogue about the features that
are important to include in a powerful LDAP search tool. We plan to
continue enhancing this list. We welcome your thoughts on this
After six articles and looking at many browsers and LDAP
search tools, you should now have enough information to get
started using LDAP search and browser applications. Even though LDAP
search can be a powerful and useful tool for accessing distributed
directory information, there is still much work to be done to perfect
the available tools. We will continue to review products as they
become available in this rapidly evolving area, and write down our
thoughts on what to look for in an LDAP browser. Some of these likely
will be found here as well as under the tutorial section of ldapguru.net. Keep watching these
With the rise in E-business, the need for better network identity and
single sign-on will continue to grow. These tools will become
increasingly important in helping to shape how companies do business
in the twenty-first century. For now, happy LDAP searching! May all
your LDAP searches be as rewarding as you desire them to be.
- http://perl-ldap.sourceforge.net/rfc.html – One location (of many) to find LDAP
LDAP Public Directories
- http://www.emailman.com/ldap/public.html – List of public directories that you can use for testing queries.
- www.hawaii.edu/brownbags/ldap/ldap2.pdf – Good presentation on LDAP and LDAP
Microsoft Active Directory Admin Tool (Knowledge Base
- LDAP Guru Links
A great place for LDAP training tutorials. Our latest LDAP Browser
activities will be found here.
Beth Cohen is president of Luth Computer Specialists, Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in different industries including manufacturing, architecture, construction, engineering, software, telecommunications, and research. She is available for consulting to help your company identify the right IT infrastructure to meet your business objectives.
Hallett German is launching Alessea Consulting — focusing on network identity, electronic directories/IT, and business development consulting. He has 20 years experience in a variety of IT positions and in implementing stable infrastructures. Hal is the founder of the Northeast SAS Users Group and former President of the REXX Language Association. He is the author of three books on scripting languages. He would welcome the opportunity to solve your network identity, directory, IT and business challenges.