
When you create an LDAP user store definition in the AdminUI, there is a "View Contents" button.

What LDAP queries does it actually send?

It sends the queries listed below, which I have put into a batch script.

So, simply by running the script (with small modifications to match your environment) you will get the same content.

The SET lines at the top of the script are what you need to modify to match your configuration.

The ldapsearch lines are the queries made by the "View Contents" button.

This script only displays the count of entries returned by each query; if you want to view the actual content, remove the "|findstr matches" from each query line.

 

viewcontent.bat

@echo off

REM --- Modify these values to match your environment ---
SET ADMIN_NAME=CN=diradmin,CN=Admins,CN=Configuration,CN={3CCD2B77-4A30-48ED-A244-10295CDF5E63}
SET ADMIN_PWD=DefaultP@ssw0rd
SET SERVER_NAME=localhost
SET SERVER_PORT=389
SET SEARCH_BASE="DC=SSO,DC=LAB"
SET SEARCH_TIMELIMIT=30
SET MAX_HOPS=10
SET SEARCH_SIZELIMIT=-1
SET SEARCH_SCOPE=sub

echo =====================================================================
echo.
echo Connecting to %SERVER_NAME%:%SERVER_PORT%
echo BaseDN: %SEARCH_BASE%
echo SEARCH TIMEOUT: %SEARCH_TIMELIMIT% sec
echo SEARCH SIZE LIMIT: %SEARCH_SIZELIMIT%
echo SEARCH SCOPE: %SEARCH_SCOPE%
echo MAX HOP: %MAX_HOPS%
echo.
echo =====================================================================
echo       View Content of LDAP userdirectory using objectClass
echo =====================================================================
REM --- The following five searches are the queries sent by the "View Contents" button ---
REM --- Remove the findstr filter from a line to see the entries instead of only the match count ---
echo Searching for (objectclass=organization)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectclass=organization) |findstr matches
echo =====================================================================
echo Searching for (objectclass=organizationalunit)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectclass=organizationalunit) |findstr matches
echo =====================================================================
echo Searching for (objectclass=groupOfNames)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectclass=groupOfNames) |findstr matches
echo =====================================================================
echo Searching for (objectclass=groupOfUniqueNames)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectclass=groupOfUniqueNames) |findstr matches
echo =====================================================================
echo Searching for (objectclass=group)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectclass=group) |findstr matches

echo =====================================================================
echo       View Content of LDAP userdirectory using objectCategory
echo =====================================================================
REM --- The same five searches using objectCategory, which the Policy Server uses when EnableObjectCategory=1 is set ---
echo Searching for (objectcategory=organization)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectcategory=organization) |findstr matches
echo =====================================================================
echo Searching for (objectcategory=organizationalunit)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectcategory=organizationalunit) |findstr matches
echo =====================================================================
echo Searching for (objectcategory=groupOfNames)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectcategory=groupOfNames) |findstr matches
echo =====================================================================
echo Searching for (objectcategory=groupOfUniqueNames)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectcategory=groupOfUniqueNames) |findstr matches
echo =====================================================================
echo Searching for (objectcategory=group)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectcategory=group) |findstr matches

pause

 

The other five queries in the script use "objectCategory" instead of "objectClass".

If you have enabled the "EnableObjectCategory=1" registry setting on your Policy Server, it will actually use objectCategory.

This is useful when you are using an AD user store, because objectClass is not indexed by default but objectCategory is, so the query gets its response quicker.

The five objectCategory searches are included for your reference in case your AD is actually slowing down.

Running this script will allow you to compare the response times.
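The batch script prints only match counts, so here is an added PowerShell example (not from the original post) that runs the same ten "View Contents" filters through System.DirectoryServices and reports the match count and elapsed time of each, which makes the objectClass versus objectCategory comparison visible in one table. The server, base DN and bind credentials are parameters assumed to match the SET lines of viewcontent.bat.

```powershell
# Added example: times the ten "View Contents" filters (objectClass vs objectCategory).
# Defaults mirror the SET lines of viewcontent.bat; override them for your environment.
param(
    [string]$Server        = 'localhost:389',
    [string]$SearchBase    = 'DC=SSO,DC=LAB',
    [string]$BindDn        = 'CN=diradmin,CN=Admins,CN=Configuration,CN={3CCD2B77-4A30-48ED-A244-10295CDF5E63}',
    [string]$BindPassword  = 'DefaultP@ssw0rd',
    [int]$TimeLimitSeconds = 30
)
Add-Type -AssemblyName System.DirectoryServices

# Simple bind, the same as ldapsearch -D/-w in the batch script
$root = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Server/$SearchBase", $BindDn, $BindPassword,
    [System.DirectoryServices.AuthenticationTypes]::None)

$classes = 'organization', 'organizationalunit', 'groupOfNames', 'groupOfUniqueNames', 'group'

$results = foreach ($attribute in 'objectclass', 'objectcategory') {
    foreach ($class in $classes) {
        $filter = "($attribute=$class)"
        $searcher = New-Object System.DirectoryServices.DirectorySearcher(
            $root, $filter, [string[]]@('distinguishedName'),
            [System.DirectoryServices.SearchScope]::Subtree)
        $searcher.PageSize = 1000   # page through results instead of stopping at the server size limit
        $searcher.ServerTimeLimit = [TimeSpan]::FromSeconds($TimeLimitSeconds)

        $stopwatch = [System.Diagnostics.Stopwatch]::StartNew()
        $found = $searcher.FindAll()
        $count = $found.Count        # reading Count forces the whole result set to be fetched
        $stopwatch.Stop()
        $found.Dispose()

        [pscustomobject]@{
            Filter       = $filter
            Matches      = $count
            Milliseconds = $stopwatch.ElapsedMilliseconds
        }
    }
}

$results | Format-Table -AutoSize
```

The objectCategory rows are only meaningful against AD or AD LDS; a directory without that attribute simply returns zero matches for them.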

While trying to reproduce customers' issues, we sometimes need to create a user store and populate it with lots of users, groups, OUs and so on.

To make this easier, I wrote a script to perform this, and another to remove the objects again when needed.

In the following sample, the script creates users under "OU=People,DC=SSO,DC=LAB".

You need to ensure this OU exists before running the script.

CreateUsers_adlds.vbs

Option Explicit
On Error Resume Next

' Connection settings: adjust to match your environment
Const SERVER = "localhost:389"
Const ROOT = "OU=People,DC=SSO,DC=LAB"   ' this OU must already exist
Const ADS_PROPERTY_APPEND = 3

' 100 OUs x 100 groups x 100 users = 1,000,000 users; lower these for a smaller test set
Const OU_COUNT = 100
Const GROUP_COUNT = 100
Const USER_COUNT = 100

Dim LDAPPATH, oTopContainer, objDomain, objOU, objGroup, objUser
Dim ouNo, groupNo, userNo, groupName, userName
Dim defaultPassword, ouCounter, groupCounter, userCounter

LDAPPATH = "LDAP://" & SERVER
defaultPassword = "defaultP@ssw0rd"
ouCounter = 0
groupCounter = 0
userCounter = 0

WScript.Echo "Connecting to ADAM instance..."
Set oTopContainer = GetObject(LDAPPATH & "/" & ROOT)
If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to " & LDAPPATH & "/" & ROOT & ": " & Err.Description
    WScript.Quit 1
End If
WScript.Echo "LDAP Server: " & LDAPPATH & vbCrLf
Set objDomain = oTopContainer
WScript.Echo "Starting to create Users"

For ouNo = 1 To OU_COUNT
    ' Creates OU=OU<n>,OU=People,DC=SSO,DC=LAB
    Set objOU = objDomain.Create("organizationalUnit", "OU=OU" & ouNo)
    objOU.Put "Description", "Sample Users for OU" & ouNo
    objOU.SetInfo
    If Err.Number = 0 Then ouCounter = ouCounter + 1 Else Err.Clear

    For groupNo = 1 To GROUP_COUNT
        groupName = "OU" & ouNo & "Group" & groupNo
        Set objGroup = objOU.Create("group", "CN=" & groupName)
        objGroup.SetInfo
        If Err.Number = 0 Then groupCounter = groupCounter + 1 Else Err.Clear

        For userNo = 1 To USER_COUNT
            userName = groupName & "User" & userNo
            ' Users are created directly under the OU, not under the group
            Set objUser = objOU.Create("user", "CN=" & userName)
            objUser.Put "sn", groupName
            objUser.Put "givenName", "User" & userNo
            objUser.Put "msDS-UserAccountDisabled", False
            objUser.SetInfo
            If Err.Number = 0 Then userCounter = userCounter + 1 Else Err.Clear

            ' AD LDS accepts SetPassword over a plain port 389 connection only if the
            ' instance has been configured to allow password operations on unsecured connections
            objUser.SetPassword defaultPassword
            objUser.AccountDisabled = False
            objUser.SetInfo
            Err.Clear

            ' Add the user to its group; the member DN is built from ROOT so it matches
            ' the container the user was created in
            objGroup.PutEx ADS_PROPERTY_APPEND, "member", _
                Array("CN=" & userName & ",OU=OU" & ouNo & "," & ROOT)
            objGroup.SetInfo
            Err.Clear
        Next
    Next
Next

WScript.Echo ouCounter & " OUs Created. " & groupCounter & " groups created with total of " & userCounter & " users."

 

DeleteUsers_adlds.vbs

Option Explicit
On Error Resume Next

' Connection settings: must match the values used in CreateUsers_adlds.vbs
Const SERVER = "localhost:389"
Const ROOT = "OU=People,DC=SSO,DC=LAB"
Const OU_COUNT = 100
Const GROUP_COUNT = 100
Const USER_COUNT = 100

Dim LDAPPATH, oTopContainer, objDomain, objOU
Dim ouNo, groupNo, userNo, ouBaseName, groupName
Dim ouCounter, groupCounter, userCounter

LDAPPATH = "LDAP://" & SERVER
ouBaseName = "OU"
ouCounter = 0
groupCounter = 0
userCounter = 0

WScript.Echo "Connecting to ADAM instance..."
Set oTopContainer = GetObject(LDAPPATH & "/" & ROOT)
If Err.Number <> 0 Then
    WScript.Echo "Cannot bind to " & LDAPPATH & "/" & ROOT & ": " & Err.Description
    WScript.Quit 1
End If
WScript.Echo "LDAP Server: " & LDAPPATH & vbCrLf
Set objDomain = oTopContainer
WScript.Echo "Starting to delete Users"

For ouNo = 1 To OU_COUNT
    ' Bind to OU=OU<n>,OU=People,DC=SSO,DC=LAB; skip the OU if it does not exist
    Set objOU = GetObject(LDAPPATH & "/OU=" & ouBaseName & ouNo & "," & ROOT)
    If Err.Number <> 0 Then
        Err.Clear
    Else
        For groupNo = 1 To GROUP_COUNT
            groupName = ouBaseName & ouNo & "Group" & groupNo
            ' Delete the users of this group first, then the group itself
            For userNo = 1 To USER_COUNT
                objOU.Delete "user", "CN=" & groupName & "User" & userNo
                If Err.Number = 0 Then userCounter = userCounter + 1 Else Err.Clear
            Next
            objOU.Delete "group", "CN=" & groupName
            If Err.Number = 0 Then groupCounter = groupCounter + 1 Else Err.Clear
        Next

        ' A container can only be deleted once it is empty, so the OU goes last
        objDomain.Delete "organizationalUnit", "OU=" & ouBaseName & ouNo
        If Err.Number = 0 Then ouCounter = ouCounter + 1 Else Err.Clear
    End If
Next

WScript.Echo ouCounter & " OUs, " & groupCounter & " groups and " & userCounter & " users removed."

 

Hope it helps.