You use the -l parameter followed by a comma-delimited list of attributes to specify which attributes Ldifde outputs for each object. For example, type
ldifde -l "displayName,
physicalDeliveryOfficeName"
to output the display name and office for each user, as Figure 2 shows.
If you're new to LDAP queries, see the Web-exclusive sidebar "LDAP Filters" (http://www.winnetmag.com, InstantDoc ID 38949) for more information about how to structure your queries. If you're unsure of the exact name of an attribute or class name that you want to filter, you can use the Microsoft Management Console (MMC) Active Directory Schema snap-in or export an OU that contains the object you need to work with, then examine the LDIF file. If the attribute in question doesn't appear in that object's record, simply edit the object in AD, set a value for the attribute, and export the OU again. For example, when you edit a user object in the MMC Active Directory Users and Computers snap-in, you'll see an Office field on the user's General tab, as Figure 3 shows. To determine the LDAP attribute name for that field in AD, you can enter a value for the office attribute, then use Ldifde to export the object. The LDAP attribute name will appear in the LDIF file after the physicalDeliveryOfficeName attribute name.
Although the LDIF file format doesn't lend itself to importing AD data into a database for query or reporting purposes, Microsoft provides another utility, Csvde, that accepts the same parameters as Ldifde but outputs data in CSV format. For example, executing the command
csvde -f monterey.LDIF -d "ou=Monterey,DC=ad,dc=local" -l "displayName,physicalDeliveryOffice
Name" -r "(objectClass=User)"
produces the same data as Ldifde, but each record now comprises one line of comma-delimited values, as Figure 4 shows. Note that the first line of Csvde-generated files lists the attribute names, which Access and Excel will correctly interpret as column headings.
Working with Text and Nontext Data Types
If you use Ldifde simply to export and import data between LDAP directories, you won't encounter any data-type problems. However, if you use Ldifde or Csvde to export data for reporting purposes or you want to build your own LDIF files for automated changes to AD, you might run into problems with certain attributes. For reporting or automating changes to AD, Ldifde and Csvde work best with text attributes, as opposed to nontext data types such as date and binary. You might be surprised to discover that one attribute in AD can comprise several fields in the Active Directory Users and Computers snap-in. For example, one integer attribute called userAccountControl contains several account options, as Figure 5 shows. Different bits of the userAccountControl integer correspond to check boxes in account options. With no account options set, the decimal value for userAccountControl is 512; the decimal value for a disabled account and no other account options set is 514. For details about interpreting and manipulating userAccountControl, see the Microsoft article "How to Use the UserAccountControl Flags to Manipulate User Account Properties" (http://support.microsoft.com/?kbid=305144). Dates are also problematic because AD represents them as the number of seconds elapsed since 00:00:00, January 1, 1970, in the format of yyyymmddhhmmss.mmmmmm. Also, remember that some AD attributes are multivalued, including group membership lists and phone numbers. In LDIF files, multivalue attributes produce a separate line for each attribute value. When Csvde outputs a multivalue attribute, the utility delimits each value by a semicolon, then surrounds all the values with a set of quotation marks so that the program reading the CSV-formatted file will interpret the list of values as one attribute.
Register
