LDAP query Basics

Source: Internet
Author: User
Tags ldap filter ldap syntax microsoft help

This article discusses queries in the Lightweight Directory Access Protocol (LDAP). The technique is useful when you troubleshoot the relationship between Microsoft Exchange Server and its directory, but it is not easy to understand. This article provides basic knowledge about LDAP queries.


LDAP Syntax Basics
==================

  • = (Equal)

    This LDAP operator indicates that an attribute is equal to a certain value; the condition must be true for an object to match. For example, if you want to find all objects whose first name (givenName) is John, you would use:

    (givenName=John)

    This will return all objects whose first name is John. The brackets mark the start and end of the LDAP statement. Note that there are no spaces around the equals sign in a filter.


  • & (Logical AND)

    You use this syntax when multiple conditions must be met. For example, if you want to find all the people whose first name is John and who live in Dallas, you would use the following:

    (&(givenName=John)(l=Dallas))

    Note that each condition has its own set of brackets, and the entire LDAP statement is surrounded by one more set of brackets. The & operator means that every condition in the filter must be true for an object to match.


  • ! (Logical NOT)

    This operator is used to exclude objects that meet a certain condition. Suppose you need to find all objects except those whose first name is John. You would use the following statement:

    (!(givenName=John))

    This statement will find all objects whose first name is not John. Note that the ! operator is placed directly before the condition it negates, and that the negated condition keeps its own brackets inside the outer pair: ! takes exactly one nested filter.


  • * (Wildcard)

    You use the wildcard operator to represent a value that could be anything. One such situation is when you want to find all objects that have any value for title. You would then use:

    (title=*)

    This will return all objects that have a value in the title attribute. In another example, if you know that the first name of an object starts with Jo, you can use the following query to find it:

    (givenName=Jo*)

    This will apply to all objects whose first name starts with Jo.


  • The following are more advanced examples of LDAP syntax:

    You need a filter to find all objects whose first name is John and who are located in either Dallas or Austin. The filter would be:

    (&(givenName=John)(|(l=Dallas)(l=Austin)))

    You see event 9548 in the Application log, and you need to find all the objects that cause this event. In this case, you need to find all disabled users (msExchUserAccountControl=2) whose msExchMasterAccountSid attribute has no value:

    (&(msExchUserAccountControl=2)(!(msExchMasterAccountSid=*)))

    Note that the ! operator combined with the wildcard finds objects where that attribute is not set to anything.
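    A small evaluator for the filter grammar just described, added here as an example and not part of the original article: it parses a filter into a tree (('&'|'|', [children]), ('!', child) or ('=', attr, value)) and matches it against a constructed in-memory directory, using the case-insensitive string matching Active Directory applies to these attributes and handling the absent-attribute case that (!(attr=*)) relies on. It assumes entries are dicts keyed by lower-cased attribute names; substring wildcards other than a trailing *, and the >=, <= and ~= operators, are not covered.

```python
# Added example, not part of the original article: an evaluator for the filter
# grammar above (=, &, |, !, presence "=*", trailing "*") run on constructed entries.
def parse_filter(text, pos=0):
    if text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    op = text[pos + 1]
    if op in "&|":                      # AND / OR over one or more nested filters
        kids, pos = [], pos + 2
        while text[pos] == "(":
            kid, pos = parse_filter(text, pos)
            kids.append(kid)
        tree = (op, kids)
    elif op == "!":                     # NOT wraps exactly one nested filter
        kid, pos = parse_filter(text, pos + 2)
        tree = ("!", kid)
    else:                               # attr=value, attr=* or attr=prefix*
        end = text.index(")", pos)
        attr, value = text[pos + 1:end].split("=", 1)
        tree, pos = ("=", attr.lower(), value), end
    if text[pos] != ")":
        raise ValueError("expected ')' at %d" % pos)
    return tree, pos + 1                # tree is ('&'|'|', [..]), ('!', kid) or ('=', attr, value)

def matches(tree, entry):
    # entry: dict of lower-case attribute name -> string; AD string matching is case-insensitive
    op = tree[0]
    if op in "&|":
        return (all if op == "&" else any)(matches(k, entry) for k in tree[1])
    if op == "!":
        return not matches(tree[1], entry)
    actual, value = entry.get(tree[1]), tree[2]
    if actual is None:                  # an absent attribute never matches
        return False
    if value == "*":                    # presence test
        return True
    if value.endswith("*"):             # prefix wildcard such as Jo*
        return actual.lower().startswith(value[:-1].lower())
    return actual.lower() == value.lower()

def search(filter_text, entries):
    tree, end = parse_filter(filter_text)
    if end != len(filter_text):         # reject junk after the closing bracket
        raise ValueError("trailing text after filter")
    return [e["cn"] for e in entries if matches(tree, e)]

ENTRIES = [  # constructed sample directory, not real data
    {"cn": "john.d", "givenname": "John", "l": "Dallas", "title": "Prez"},
    {"cn": "john.a", "givenname": "John", "l": "Austin", "msexchuseraccountcontrol": "2"},
    {"cn": "joe.s", "givenname": "Joe", "msexchuseraccountcontrol": "2", "msexchmasteraccountsid": "S-1-5-21-0-0-0-1"},
]
```

    Running search() with each filter from the section above over ENTRIES shows which sample entries every operator selects, including that the event 9548 filter picks only the disabled user with no master account SID.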


Where Can I Use LDAP Queries?
=============================

When working with Exchange Server, you may encounter situations that use LDAP strings. For example, whenever you set up a recipient policy, a mailbox manager policy, or an address list filter, or when you search the Active Directory directory service, Exchange Server uses LDAP. The next section discusses some ways in which you can use LDAP statements:


1. Search using Active Directory Users and Computers

The following example describes how to search with Active Directory Users and Computers:

1. Open Active Directory Users and Computers (Win+R, dsa.msc).

2. Right-click the domain object and select Find.

3. In the Find list, select Custom Search.

4. On the screen that appears, select the Advanced tab.

5. In Enter LDAP query, enter the appropriate LDAP statement.

This example tries to find all objects whose title attribute is Prez, or whose name starts with test. If you click Find Now, you should see the matching results (refer to the screenshot in the original article).


2. Search using LDP

You can also use LDP to search. This tool is included in the Microsoft Windows Server 2003 and Windows 2000 Server Support Tools. It gives you the ability to search not only the domain container but also the configuration container. First open LDP and connect to a valid domain controller, then bind with appropriate credentials. Select View, then Tree. Leave the Base DN field empty and click OK. Navigate to the container you want to search, right-click the container, and select Search.

A dialog box pops up with the correct value already filled in for Base DN. Enter the LDAP statement you want to use as the filter. The results appear much as in the previous step.

If you want to search all levels below the current container, make sure Subtree is selected. Click Run, and it should find all objects that meet the conditions.


3. Search using ldifde

Suppose you need to query a set of objects that meet certain conditions and want to create a list of those users. ldifde is a command-line tool that helps you create such a list. Assume that you want to locate and save the list of all users whose mailNickname starts with Jeff. You can run the following command:

C:\> ldifde -d "DC=witaylorroot,DC=com" -f c:\output.txt -r "(&(objectClass=user)(mailNickname=Jeff*))"

In this example, three objects are found and written to the output.txt file. If you export nearly a thousand users, the output file becomes very large. There is another option: you can use the -l (lower-case L) switch to specify which attributes to export. The distinguished name is always exported, but if you do not want anything else, you can add -l nothing to the end of the command, which keeps the output small. The following is an example:

C:\> ldifde -d "DC=witaylorroot,DC=com" -f c:\output.txt -l nothing -r "(&(objectClass=user)(mailNickname=Jeff*))"

Now consider that you want the same ldifde export as above, but want to include only the homeMDB attribute in the output. You would run the following command:

C:\> ldifde -d "DC=witaylorroot,DC=com" -f c:\output.txt -l "homeMDB" -r "(&(objectClass=user)(mailNickname=Jeff*))"


dn: CN=Jeff,OU=55 users,DC=witaylorroot,DC=com
changetype: add
homeMDB: CN=private information store (witaylornt4ex55),CN=first storage group,CN=informationstore,CN=witaylornt4ex55,CN=servers,CN=witaylormixedsite,CN=administrative groups,CN=witaylororg,CN=Microsoft Exchange,CN=Services,CN=configuration,DC=witaylorroot,DC=com

dn: CN=jeff2,CN=users,DC=witaylorroot,DC=com
changetype: add
homeMDB: CN=private information store (witaylornt4ex55),CN=first storage group,CN=informationstore,CN=witaylornt4ex55,CN=servers,CN=witaylormixedsite,CN=administrative groups,CN=witaylororg,CN=Microsoft Exchange,CN=Services,CN=configuration,DC=witaylorroot,DC=com

dn: CN=jeff3,CN=users,DC=witaylorroot,DC=com
changetype: add
homeMDB: CN=private information store (witaylornt4ex55),CN=first storage group,CN=informationstore,CN=witaylornt4ex55,CN=servers,CN=witaylormixedsite,CN=administrative groups,CN=witaylororg,CN=Microsoft Exchange,CN=Services,CN=configuration,DC=witaylorroot,DC=com

If you export without specifying which attributes to output, you will normally want to use the -n switch, which omits binary values. This helps prevent the output file from becoming too large.


4. Using LDAP queries in ADModify

Note: This tool is not commonly used and can only be obtained by opening a support case, so this section was not translated; it is listed here as-is.

To obtain the ADModify tool, contact Microsoft Product Support Services. For more information about how to contact Microsoft Product Support Services, see the Microsoft Help and Support Web site.

To obtain the ADModify tool from a third-party Web site, see the following GotDotNet Web site: ADModify.NET: Workspace Home.

ADModify is a tool that Microsoft Product Support Services uses on a daily basis. With large Active Directory environments, it is not always easy to add an entire organizational unit (OU) that could have thousands of users in it to the list on the right side, and then parse through all of them to find the users you need to change. There is an alternative. On the first screen, choose Modify existing user attributes and click Next. On the Modify Active Directory Users screen, there is an Advanced button.

If you click the Advanced button, the Custom LDAP Filter dialog box appears. In this dialog box, you type the LDAP filter that you want to use. In this example, you only want to list the groups that are mail-enabled. It would look like the following.

Next, click OK. Select the OU or the domain where you want ADModify to search. If you want it to look in lower-level containers within the one you selected, make sure to select Traverse subcontainers when enumerating users. Click Add to list, and then click Yes when warned about how long it could take. The objects that meet the criteria you specified should now appear in the right pane.

From here, highlight the objects that you want to modify, and continue with the wizard.


Translated from:

LDAP Query Basics
http://technet.microsoft.com/en-us/library/aa996205%28EXCHG.65%29.aspx

Link:

Ldifde - Export/Import data from Active Directory - LDIFDE commands
http://support.microsoft.com/kb/555636/en-us
