Windows Server releases provide two built-in LDAP query tools.
These (non-Java based) tools can be used to verify that
an LDAP query yields the desired result set. If not, the
same tools can be used to build the correct query.
A) AD admin console -
http://blogs.msdn.com/b/muaddib/archive/2006/10/24/active-directory-ldap-searches.aspx
A feature in Windows Server Active Directory is
the admin console's ability to create saved queries.
The tool binds as an "admin" at the domain level.
While the GUI covers simple queries, the "Custom Search"
accepts LDAP filters. With Windows Server 2007 (sp2):
start "Active Directory Users and Computers"
right click on "Saved Queries"
mouseover "New", select "Query"
enter value for "Name" field in "New Query" popup window
click "Define Query"
select "Custom Search" from "Find:" pulldown list
select "Advanced" tab
enter the LDAP filter (for example a group-membership filter such as the one below, or a userAccountControl check such as PWD Never Expires):
(memberOf=CN=Support,OU=Security Groups,OU=!Common,dc=corp,dc=internal,dc=com)
B) LDP tool - http://support.microsoft.com/?id=255602
LDP is a Lightweight Directory Access Protocol (LDAP)
client utility that is included with Microsoft Windows.
The LDP tool is in the Windows Support Tools. If this
tool is not installed, then install it from the Microsoft
Windows CD-ROM. The file path is: Support\Tools\Setup.exe.
run "LDP"
click "Connection"
enter Server name
localhost
click OK
(note server DSE info in log window)
click "Connection" (again)
click "Bind"
select "Bind with credentials"
enter values for the "User" and "Password" fields
cn=Sailpoint, ou=Accounts, ou=!Common, dc=corp, dc=internal, dc=com
click "OK"
(note authenticated msg in log window)
click "Browse"
click "Search"
enter value for "Base DN:" field (or select from pulldown menu)
dc=internal, dc=com
enter value for "Filter:" field (or select from pulldown menu)
(memberOf=CN=Support,OU=Security Groups,OU=!Common,dc=corp,dc=internal,dc=com)
select "Subtree" for Scope
click "Run"
(note query results in log window)
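Both procedures above end with pasting a hand-built LDAP filter into a GUI, and a filter that is syntactically wrong, or that contains an unescaped value, either fails or matches far more than intended. The following Python is an added example, not part of the original notes or of any Microsoft tool: it escapes values per RFC 4515 (so a group DN or user-supplied string cannot alter the filter's structure) and validates a filter's syntax before it is pasted into the "Custom Search" or LDP "Filter:" field. The sample filters are the ones from the notes above plus a constructed userAccountControl example; the function names are this example's own.

```python
"""Build and validate LDAP search filters (RFC 4515) before pasting them
into the AD admin console or LDP.  Added example; not from the original notes."""
import re

# Characters that must be hex-escaped inside an assertion value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

# One simple filter item: attribute (optionally with a matching-rule OID),
# an operator, and a value that may not contain unescaped parentheses.
_ITEM_RE = re.compile(
    r"(?P<attr>[A-Za-z0-9.;:-]+?)(?P<op>:=|~=|>=|<=|=)(?P<value>[^()]*)"
)


class FilterError(ValueError):
    """Raised when a filter string is not syntactically valid."""


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dn: str) -> str:
    """Build the (memberOf=<group DN>) filter used in the notes above."""
    return "(memberOf=" + escape_filter_value(group_dn) + ")"


def parse_filter(text: str):
    """Parse a filter into a tree and raise FilterError if it is malformed.

    Returns ('&' | '|', [subfilters]), ('!', subfilter) or
    (attribute, operator, value) for a simple item.
    """
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError(f"trailing text after filter at offset {pos}")
    return node


def _parse(text: str, pos: int):
    if pos >= len(text) or text[pos] != "(":
        raise FilterError(f"expected '(' at offset {pos}")
    pos += 1
    if pos >= len(text):
        raise FilterError("unterminated filter")
    op = text[pos]
    if op in "&|":
        pos += 1
        subs = []
        while pos < len(text) and text[pos] == "(":
            sub, pos = _parse(text, pos)
            subs.append(sub)
        if not subs:
            raise FilterError(f"'{op}' needs at least one subfilter")
        node = (op, subs)
    elif op == "!":
        sub, pos = _parse(text, pos + 1)
        node = ("!", sub)
    else:
        m = _ITEM_RE.match(text, pos)
        if not m:
            raise FilterError(f"malformed filter item at offset {pos}")
        node = (m.group("attr"), m.group("op"), m.group("value"))
        pos = m.end()
    if pos >= len(text) or text[pos] != ")":
        raise FilterError(f"expected ')' at offset {pos}")
    return node, pos + 1


# Group DN from the notes above; the filter is rebuilt with escaping applied.
SUPPORT_GROUP_DN = "CN=Support,OU=Security Groups,OU=!Common,dc=corp,dc=internal,dc=com"

if __name__ == "__main__":
    print(member_of_filter(SUPPORT_GROUP_DN))
    print(parse_filter(member_of_filter(SUPPORT_GROUP_DN)))
    # An attacker-controlled "*" would turn an equality match into a
    # presence match; escaping keeps it a literal asterisk.
    print(member_of_filter("*"))
```

The DN from the notes contains no characters that need escaping, so member_of_filter() reproduces it unchanged; the escaping only matters once the value comes from outside the administrator's own keyboard. parse_filter() rejects the two mistakes most often made when typing filters by hand, an unbalanced parenthesis and a missing leading "(".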