extract ldap data (ADAM)

TJ Mann
Veteran Member
Posts: 70
Veteran Member
    currently, i am using softerra and jxplorer to view lawson security data in ADAM. does anyone know how to dump ADAM data from command line to view either in txt, xml or csv format? much appreciated in advance.
    Leonard Courchaine
    Veteran Member
    Posts: 55
    Veteran Member
      Hi,
      I've done a lot of this type of thing over the years. I've used two tools: csvde (comes with Windows) and adfind (downloadable for free). Both are fairly easy to use with the most time being taken figuring out the precise correct syntax to use. Adfind is head and shoulders better than csvde cause you can better control format of the output and it comes with a **ton** of parameter options. So, using adfind, here's a sample command line to pull some Lawson LDAP data:
      adfind -h dclwapp.choa.org -p 389 -b o=lwsn,dc=choa,dc=org -simple -csv -u CN=LDAPadmin -up MYPASSWORD zzlwsnattrLastName zzlwsnattrFirstName > loadusers3.txt
      where -h = host; -p = port; -b = Base DN; -u = UserDN; -up = password and then it sends lastname, firstname to a file, loadusers3.txt.
      Let me know if you have questions.
      Have fun!
      Lenny
      TJ Mann
      Veteran Member
      Posts: 70
      Veteran Member
        any particular site to download this product. i searched thru bing.com and saw a bunch.
        Leonard Courchaine
        Veteran Member
        Posts: 55
        Veteran Member
          www.joeware.net is as good a place as any. And there's tons of help out there for using it. Let me know if you have any questions.
          TJ Mann
          Veteran Member
          Posts: 70
          Veteran Member
            Lenny,
            what attrib for SSOP, PRODLINE_EMPLOYEE, PRODLINE_REQUESTER, under Manager Identity. i know firstname/lastname/email and so on sit under Edit RM Information which i can locate them via Resource Schema Editor.
            Leonard Courchaine
            Veteran Member
            Posts: 55
            Veteran Member
              Hi TJ,
              Same idea but just a different place on the Lawson LDAP tree. You can find this stuff in JXplorer to see/know where it is and then use adfind to export it. So, for our TDS ldap, here's an adfind query that pulls all SSOP identities and sends them to a text file:
              adfind -h dclwapp.choa.org -p 389 -b cn=SSOP,ou=svcxref,o=lwsnsecdata,o=lwsn,dc=choa,dc=org -simple -csv -u CN=LDAPadmin -up ***** lwsnssoListOfIDs > identitySSOP.txt

              The two key pieces of information in this query are:
              Base - That's where in the LDAP the query begins looking for what it's going to export. In the above it's what begins with cn=SSOP... If I would have left out the cn=SSOP, it would have extracted **all** identities (everything within the ou=svcxref tree). That would probably require more formatting once the data is extracted though. Play and you'll understand.
              Fields to export - In the above, it's the "lwsnssoListOfIDs". These are the fields that you want to export. You can browse in JXplorer to see exactly which fields you'd like.

              It's a pain at the start to set up but you put it into a batch file and only have to do it once then you have it forever.
              Hope this helps.
              Lenny
              TJ Mann
              Veteran Member
              Posts: 70
              Veteran Member
                Lenny,

                where did you get this word "lwsnssoListOfIDs" from ? i got all syntax from jxplorer fine, but i could not locate this word "lwsnssoListOfIDs". when i do:
                adfind -h entadmd1.chop.edu -p 4400 -b CN=SSOP,OU=svcxref,O=lwsnSecData,cn=lwsn,dc=chop,dc=edu -simple -csv -u CN=root,cn=lwsn,dc=chop,dc=edu -up MYPASSWORD lwsnssoListOfIDs > ssop.csv
                it shows me all employee#. i checked in LSF manage identity, it should be AD Login (name users, not employee#).
                TJ Mann
                Veteran Member
                Posts: 70
                Veteran Member
                  Lenny,

                  i found another ldap query program. this one is for AIX, idsldapsearch

                  i will try to use this one too since my servers are running under AIX6 and 7.
                  TJ Mann
                  Veteran Member
                  Posts: 70
                  Veteran Member
                    got it. i have to click on users under SSOP to get that info. check out idsldapsearch on your AIX box. if not, you may need to install it.
                    Leonard Courchaine
                    Veteran Member
                    Posts: 55
                    Veteran Member
                      Yes, we're actually on AIX7 also. You can use whichever tool works best for you, for sure. Where I got the lwsnssoListOfIDs is in JXplorer. It's the attribute name (field name) for our RMID (employee#) (in JXplorer I see it when I'm on an identity and click "Table View"). Your LDAP might look slightly different in terms of field/attribute names and locations. No matter which tool you use though, you'll need to understand base navigation and field/attribute names. Let me know if you'd like to Webex for this sometime. Again, once you figure out yours you'll be amazed at the power you have over this stuff!! Happy to help in any way I can.

                      TJ Mann
                      Veteran Member
                      Posts: 70
                      Veteran Member
                        since info that i am looking for is located multiple places under lawSecData, not possible to just dump login, and it gives: firstname, lastname, ssop, employee, email address and so on. worst case, i can dump them, and merge them.
                        TJ Mann
                        Veteran Member
                        Posts: 70
                        Veteran Member
                          lenny, shoot me your email to mannt@email.chop.edu for contacts.
                          Leonard Courchaine
                          Veteran Member
                          Posts: 55
                          Veteran Member
                            Correct. At the last place I worked, we actually on a nightly basis exported everything from our Lawson LDAP (ADAM and then TDS) into some custom Lawson Oracle tables (we were Oracle but you could do the same with SQL if that's what you are). Then it's easy to report off them with any tool. That worked slick. It was all automated.

                            Here where I am now, we use AVAAP's Security Dashboard software which is basically the same thing (every night a dump of the LDAP takes place into Oracle tables) and then they provide a suite of Crystal reports that pulls data just about any way you'd like.

                            So you can either do it yourself or, if you're rich (ha ha!) you can get something where someone's already done all the work. Let's face it though, it's fun to do the work (if you have evenings and weekends to play!).
                            Lenny
                            Greg Moeller
                            Veteran Member
                            Posts: 1498
                            Veteran Member
                              Depending on what you are after, I may be able to help. I've written several ldap dumping scripts (person's login then what groups they belong to, group headings with all users, etc).
                              Let me know and I'll see what I can dig up --- Since you mention ADAM, I'm assuming you are on Windows and we are on Unix, so not sure how the scripts would translate... but may get you a hint or two in the proper direction.
                              This_Guy
                              Veteran Member
                              Posts: 93
                              Veteran Member
                                Hey Greg, I'd be interested in seeing your scripts, if you are still willing to share?
                                Greg Moeller
                                Veteran Member
                                Posts: 1498
                                Veteran Member

                                  Sure.

                                  The attached script searches our ldap structure and creates an html file with a group heading, and then all the members of that group, followed by another group heading, etc.

                                   You may have to modify it slightly depending on your ldapsearch tool and paths.  Feel free.

                                   

                                  Attachments
                                  TJ Mann
                                  Veteran Member
                                  Posts: 70
                                  Veteran Member
                                    Greg, thanks for your scripts.

                                    FYI - Windows 2008 (AD-LDS) only allows you to query 20,000 users. if you want to inquire 20,000+, your ldapsearch as:
                                    idsldapsearch -h hostname -q 20000 -T 0 -p 389 -b "ou=svcxref,o=lwsnsecdata,cn=lwsn,dc=XXX,dc=XXX" -D "CN=root,cn=lwsn,dc=XXX,dc=XX" -w abc123........
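
Added example, not from any poster in this thread: once export commands like the ones above are saved into batch files or shell scripts, a check such as this finds the ones that store a bind password inline (`-up` for adfind, `-w` for idsldapsearch) or bind with credentials on port 389. The host names, passwords and script lines in `SAMPLE` are constructed for illustration.

```python
import re

# Bind-password options as used by the commands in this thread.
PASSWORD_OPT = {"adfind": "-up", "idsldapsearch": "-w"}
TOKEN = re.compile(r'"[^"]*"|\S+')   # quoted string or bare word
MASKED = re.compile(r"^[*]*$")       # "*****" or empty: no secret stored


def audit_line(line):
    """Return (findings, redacted_line) for one line of a script."""
    tokens = [t.strip('"') for t in TOKEN.findall(line)]
    if not tokens:
        return [], line
    # Tool name without directory or .exe suffix
    tool = re.sub(r"\.exe$", "", re.split(r"[\\/]", tokens[0])[-1].lower())
    opt = PASSWORD_OPT.get(tool)
    if opt is None or opt not in tokens:
        return [], line
    findings = []
    idx = tokens.index(opt)
    value = tokens[idx + 1] if idx + 1 < len(tokens) else ""
    if not MASKED.match(value):
        findings.append("inline bind password")
    # 389 is the plain LDAP port; a bind there is unencrypted unless TLS is started
    if "-p" in tokens[:-1] and tokens[tokens.index("-p") + 1] == "389":
        findings.append("credentialed bind on port 389")
    # Replace the password value so the report itself does not leak it
    redacted = re.sub(r"(?<!\S)" + re.escape(opt) + r'\s+("[^"]*"|\S+)',
                      opt + " *****", line)
    return findings, redacted


def audit_script(text):
    """Return [(line_number, findings, redacted_line)] for flagged lines."""
    report = []
    for number, line in enumerate(text.splitlines(), start=1):
        findings, redacted = audit_line(line)
        if findings:
            report.append((number, findings, redacted))
    return report


# Constructed batch-file content modelled on the commands in the thread.
SAMPLE = """@echo off
adfind -h ldap.example.org -p 389 -b o=lwsn,dc=example,dc=org -simple -csv -u CN=LDAPadmin -up Sup3rSecret zzlwsnattrLastName > users.txt
adfind -h ldap.example.org -p 4400 -b o=lwsn,dc=example,dc=org -simple -csv -u CN=LDAPadmin -up ***** lwsnssoListOfIDs > ids.txt
idsldapsearch -h ldap.example.org -q 20000 -T 0 -p 389 -b "ou=svcxref,o=lwsnsecdata,cn=lwsn,dc=example,dc=org" -D "CN=root,cn=lwsn,dc=example,dc=org" -w "abc 123"
"""

if __name__ == "__main__":
    for number, findings, redacted in audit_script(SAMPLE):
        print(f"line {number}: {', '.join(findings)}\n    {redacted}")
```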