Exporting the LDAP Database Listing
When configuring DiveLine to use LDAP authentication, it is useful to have a listing of the directory database so that the names given to DiveLine can be checked against those in the LDAP configuration. The directory contents can be exported in LDAP Data Interchange Format (LDIF) with the LDIFDE utility as follows:
- Start a Command Prompt on the server.
- Run ldifde -f output.ldf. Without further options this exports the entire directory, which can be large and contains every object's attributes; the -d (base DN) and -r (filter) options of ldifde restrict the export to the subtree and object class of interest and limit how much directory data is written to disk.
- The output.ldf file contains every object in the directory, separated by blank lines. Each object begins with its distinguished name (dn), which is the primary name of the object and has a form similar to:
- dn: cn=Users,dc=jsmith-001
- Notice that object names end with the components of the local domain.
- When authenticating user “John Smith”, DiveLine connects to the configured directory server and then searches the entries under the base DN (cn=Users,dc=jsmith-001 in the example above) for one whose common name (cn) is “John Smith”. If users should instead log in to DiveLine with a short name (jsmith), pick another attribute that holds that value (for example, sAMAccountName) and name it in the URL, for example:
- ldap://jsmith-001:389/cn=Users,dc=dimins,dc=com?sAMAccountName?sub?objectClass=user
- The LDIF dump shows the values each attribute holds, so use it to confirm that the chosen attribute is populated for every user and that its values are unique within the base DN: a login name that matches more than one entry is ambiguous.
- The example URL above names port 389 explicitly; if the port is omitted, the default port 389 is used. If the directory server listens on a different port (LDAPS commonly uses 636), the URL takes the general form:
- ldap://<server>:<port>/<dn>?<attribute>?<scope>?<filter>
- DiveLine connects to only one LDAP directory server. If that server has been set up to redirect clients to a standby server (an LDAP referral), DiveLine accepts the returned URL and searches the standby server.
- If the Active Directory administrator has set up organizational units (OUs), users may sit in different parts of the hierarchy according to their organizational unit. This is visible in the LDIF dump: the user's DN then contains an OU component naming the organizational unit. For example:
- cn=John Smith,OU=Documentation,dc=dimins,dc=com
- To search only the users in the Administration organizational unit, give that OU as the base DN in the URL:
- ldap://jsmith-001:389/ou=Administration,dc=dimins,dc=com?cn?sub?objectClass=user
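Working through the listing and URL rules above, here is an added example (not DiveLine's or Dimensional Insight's code) in Python. It parses an ldifde-style LDIF dump, splits a DiveLine LDAP URL into server, port, base DN, attribute, scope and filter, and reports which entries a given login name would match under that URL, applying RFC 4515 escaping to the login so that characters such as * or ) cannot widen the search. The LDIF records, the host name jsmith-001 and all function names are constructed for illustration; DiveLine's own defaults for an omitted attribute or scope are not documented on this page and are assumed here.

```python
# Added example, not DiveLine's code: parse an ldifde LDIF dump and a DiveLine-style LDAP URL.
import base64
import re

# Constructed sample in the shape of an ldifde export (not real directory data).
SAMPLE_LDIF = """\
dn: cn=Users,dc=dimins,dc=com
objectClass: container
cn: Users

dn: cn=John Smith,cn=Users,dc=dimins,dc=com
objectClass: user
cn: John Smith
sAMAccountName: jsmith
displayName:: Sm9obiBTbWl0aCAoRG9jcyk=

dn: cn=John Smith,ou=Documentation,dc=dimins,dc=com
objectClass: user
cn: John Smith
sAMAccountName: jsmith2

dn: cn=Ann Lee,ou=Administration,dc=dimins,dc=com
objectClass: user
cn: Ann Lee
sAMAccountName: alee
"""

def parse_ldif(text):
    """Entries as {lower-cased attribute: [values]}; handles folded lines and base64 values."""
    entries, current = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines() + [""]:  # unfold; "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith(("#", "version:")):
            attr, _, value = line.partition(":")
            if value.startswith(":"):                 # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            current.setdefault(attr.strip().lower(), []).append(value)
    return entries

# ldap://<server>:<port>/<dn>?<attribute>?<scope>?<filter>; whitespace anywhere is rejected.
URL_RE = re.compile(r"^ldap://(?P<host>[^/:\s]+)(?::(?P<port>\d+))?/(?P<dn>[^?\s]*)"
                    r"(?:\?(?P<attr>[^?\s]*))?(?:\?(?P<scope>[^?\s]*))?(?:\?(?P<filter>[^?\s]*))?$")

def parse_ldap_url(url):
    """Port defaults to 389; attribute cn and scope sub are assumed defaults (not documented)."""
    m = URL_RE.match(url)
    if not m:
        raise ValueError("not a valid LDAP URL (check for spaces or line breaks): %r" % url)
    return {"host": m["host"], "port": int(m["port"] or 389), "dn": m["dn"],
            "attr": m["attr"] or "cn", "scope": (m["scope"] or "sub").lower(),
            "filter": m["filter"] or "(objectClass=*)"}

def escape_filter_value(value):
    """RFC 4515 escaping so a login like 'j*' or 'x)(cn=*' cannot change the filter's meaning."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _value_regex(filter_value):
    """Unescaped '*' is a wildcard; \\XX escapes become literal characters."""
    unhex = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h[1], 16)), s)
    parts = [re.escape(unhex(p)) for p in filter_value.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)

def entry_matches(entry, ldap_filter):
    """ANDed equality assertions only, e.g. 'objectClass=user' or '(&(a=b)(c=d))'."""
    if not ldap_filter.startswith("("):
        ldap_filter = "(%s)" % ldap_filter
    assertions = re.findall(r"\(([^=()]+)=([^()]*)\)", ldap_filter)
    if not assertions:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    return all(any(_value_regex(v).match(x) for x in entry.get(a.strip().lower(), []))
               for a, v in assertions)

def dn_in_scope(dn, base, scope):
    """base: the base entry only; one: its direct children; sub: the whole subtree."""
    norm = lambda d: ",".join(p.strip() for p in d.split(",")).lower()  # escaped commas ignored
    dn, base = norm(dn), norm(base)
    if dn == base:
        return scope in ("base", "sub")
    if not dn.endswith("," + base):
        return False
    depth = dn[:-len(base) - 1].count(",") + 1       # number of RDNs below the base
    return scope == "sub" or (scope == "one" and depth == 1)

def find_user(entries, url, login):
    """Search as the URL directs: base DN + scope, URL filter ANDed with <attribute>=<login>."""
    u = parse_ldap_url(url)
    f = u["filter"] if u["filter"].startswith("(") else "(%s)" % u["filter"]
    combined = "(&%s(%s=%s))" % (f, u["attr"], escape_filter_value(login))
    return [e["dn"][0] for e in entries if "dn" in e
            and dn_in_scope(e["dn"][0], u["dn"], u["scope"]) and entry_matches(e, combined)]
```

Run find_user with each candidate URL against the parsed dump: exactly one DN is what a login needs. With the sample data, cn searched with scope sub from dc=dimins,dc=com returns two DNs for “John Smith” (one under cn=Users, one under ou=Documentation), which is the ambiguity the text warns about, while sAMAccountName under cn=Users or cn restricted to ou=Administration returns one. A login of j* returns nothing because the wildcard is escaped; the same string placed unescaped in a filter would match every name starting with j.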
When using LDAP, please note the following:
- URLs should be entered without spaces or line breaks.
- LDAP group attributes are not recognized as groups in DiveLine; DiveLine groups are defined in Workbench.
- DiveLine LDAP authentication requires challenging the user for credentials. Single sign-on is possible only with DiveLine Web Server authentication. See Configuring LDAPS.