
User Directory "View Contents" button

Blog Post created by SungHoon_Kim Employee on Mar 23, 2016

When you create an LDAP userstore definition in AdminUI, there is a button to "View Contents".

What LDAP query does it actually send?

It makes the following queries, which I have put into a batch script.

So, simply by running the script (with a little modification to match your environment) you will get the same content.

The parts shown in blue (the SET lines below) are what you need to modify to match your configuration.

The parts shown in red (the ldapsearch lines) are the queries made by the "View Contents" button.

This script only displays the count of entries from each query, but if you want to view the actual content you can remove the "|findstr matches" from each query line.

viewcontent.bat

@echo off

REM Values to modify to match your environment
SET ADMIN_NAME=CN=diradmin,CN=Admins,CN=Configuration,CN={3CCD2B77-4A30-48ED-A244-10295CDF5E63}
SET ADMIN_PWD=DefaultP@ssw0rd
SET SERVER_NAME=localhost
SET SERVER_PORT=389
SET SEARCH_BASE="DC=SSO,DC=LAB"
SET SEARCH_TIMELIMIT=30
SET MAX_HOPS=10
SET SEARCH_SIZELIMIT=-1
SET SEARCH_SCOPE=sub

echo =====================================================================
echo.
echo Connecting to %SERVER_NAME%:%SERVER_PORT%
echo BaseDN: %SEARCH_BASE%
echo SEARCH TIMEOUT: %SEARCH_TIMELIMIT% sec
echo SEARCH SIZE LIMIT: %SEARCH_SIZELIMIT%
echo SEARCH SCOPE: %SEARCH_SCOPE%
echo MAX HOP: %MAX_HOPS%
echo.

REM The five queries the "View Contents" button sends (objectClass form).
REM -v makes ldapsearch print "N matches"; drop "|findstr matches" to see the entries themselves.
REM Note: -w passes the bind password on the command line, where it is visible in the process list of the host.
echo =====================================================================
echo       View Content of LDAP userdirectory using objectClass
echo =====================================================================
echo Searching for (objectclass=organization)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectclass=organization) |findstr matches
echo =====================================================================
echo Searching for (objectclass=organizationalunit)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectclass=organizationalunit) |findstr matches
echo =====================================================================
echo Searching for (objectclass=groupOfNames)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectclass=groupOfNames) |findstr matches
echo =====================================================================
echo Searching for (objectclass=groupOfUniqueNames)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectclass=groupOfUniqueNames) |findstr matches
echo =====================================================================
echo Searching for (objectclass=group)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectclass=group) |findstr matches

REM The same five searches using objectCategory, as sent when EnableObjectCategory=1 is set on the Policy Server.
echo =====================================================================
echo       View Content of LDAP userdirectory using objectCategory
echo =====================================================================
echo Searching for (objectcategory=organization)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectcategory=organization) |findstr matches
echo =====================================================================
echo Searching for (objectcategory=organizationalunit)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectcategory=organizationalunit) |findstr matches
echo =====================================================================
echo Searching for (objectcategory=groupOfNames)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectcategory=groupOfNames) |findstr matches
echo =====================================================================
echo Searching for (objectcategory=groupOfUniqueNames)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectcategory=groupOfUniqueNames) |findstr matches
echo =====================================================================
echo Searching for (objectcategory=group)
ldapsearch -b %SEARCH_BASE% -h %SERVER_NAME% -p %SERVER_PORT% -D %ADMIN_NAME% -w %ADMIN_PWD% -O %MAX_HOPS% -l %SEARCH_TIMELIMIT% -z %SEARCH_SIZELIMIT% -s %SEARCH_SCOPE% -v (objectcategory=group) |findstr matches

pause


The other 5 queries in the script use "objectCategory" instead of "objectClass".

If you have enabled the "EnableObjectCategory=1" registry setting on your Policy Server, it will actually use objectCategory.

This is useful when you are using an AD user store, because objectClass is not indexed by default but objectCategory is.

So the query gets a response more quickly.

The 5 objectCategory searches are added for your reference in case your AD is actually slowing down.

Running this script will allow you to compare the response time.
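The same ten searches as a timed, side-by-side comparison, written here as an added example rather than the post's own script: `run_view_contents` takes any search callable (filter in, match count out), so it can be pointed at a real directory, while the embedded `SAMPLE_DIRECTORY` and `sample_search` are constructed stand-ins that let it run offline and also show that entries without an objectCategory attribute (typical outside AD) simply stop matching when the flag is switched on.

```python
"""Re-run the ten "View Contents" searches through a pluggable search
callable, timing each, so objectClass and objectCategory can be compared.
Added example, not the post's script; the directory below is constructed."""
import time
from typing import Callable, Dict, List, Tuple

# The five values the AdminUI button searches for, in the post's order.
CLASSES = ["organization", "organizationalunit", "groupOfNames",
           "groupOfUniqueNames", "group"]

def view_contents_filters(use_object_category: bool) -> List[str]:
    """Mirror EnableObjectCategory=1: swap the attribute, keep the values."""
    attr = "objectCategory" if use_object_category else "objectClass"
    return [f"({attr}={value})" for value in CLASSES]

def run_view_contents(search: Callable[[str], int],
                      use_object_category: bool) -> List[Tuple[str, int, float]]:
    """Run each filter through `search` and record (filter, matches, seconds),
    i.e. what `findstr matches` shows in the batch script, plus timing."""
    results = []
    for flt in view_contents_filters(use_object_category):
        start = time.perf_counter()
        matches = search(flt)
        results.append((flt, matches, time.perf_counter() - start))
    return results

# Constructed sample directory (DN -> attributes); an assumption, not real data.
SAMPLE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "DC=SSO,DC=LAB": {"objectClass": ["top", "domain"]},
    "OU=People,DC=SSO,DC=LAB": {"objectClass": ["top", "organizationalUnit"],
                                "objectCategory": ["organizationalUnit"]},
    "CN=Admins,DC=SSO,DC=LAB": {"objectClass": ["top", "group"],
                                "objectCategory": ["group"]},
    "CN=Staff,DC=SSO,DC=LAB": {"objectClass": ["top", "groupOfNames"]},
}

def sample_search(flt: str) -> int:
    """Toy evaluator for the single equality filters used here; attribute
    names and these values are compared case-insensitively, as LDAP does."""
    attr, _, value = flt.strip("()").partition("=")
    count = 0
    for attrs in SAMPLE_DIRECTORY.values():
        for name, values in attrs.items():
            if name.lower() == attr.lower() and value.lower() in (v.lower() for v in values):
                count += 1
    return count

if __name__ == "__main__":
    for flag in (False, True):
        for flt, n, secs in run_view_contents(sample_search, flag):
            print(f"{flt:<42} {n:>4} matches  {secs * 1000:8.3f} ms")
```

Against a live server, pass a callable that performs the search with your LDAP client library and returns the number of entries; the timings then reflect the directory, not the toy evaluator.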
