

LDAP Admin: Introduction

How to use it

No installation is needed: Ldap Admin runs out of the box on NT4, Windows 2000, Windows 2003 or Windows XP computers. Just download the executable and start it. Open the connections window and right-click to invoke the popup menu. Create a new connection and you're ready to go.

Ldap Admin saves connection profiles, including login credentials, in the Windows registry. Note that the connection credentials are not encrypted (sorry, that's coming too). However, Ldap Admin saves connection properties under your user registry key, so they are protected by the privacy of your Windows account; any process running under that account can still read them.

Managing accounts

If you intend to use Ldap Admin to manage Posix or Samba accounts, note that Ldap Admin creates Posix accounts based on the inetOrgPerson object class, as opposed to the account class used by some other tools. This has the advantage of letting you attach more basic data to the account, such as the last name or display name, as well as most of the fields found on the business and private tabs of the user properties dialog. But it also means that Ldap Admin may or may not be able to manage accounts created by other means and, vice versa, accounts created with Ldap Admin may or may not be editable with other tools. Converting one of those 'simple' accounts to an Ldap Admin account should be fairly simple, and it may be addressed in future releases as an automatic feature (basically we just have to replace the account class with the inetOrgPerson class).

To make account creation easier, Ldap Admin lets you provide some account defaults, so once connected you should set the preferences for the connection. You can set preferred options such as default username, server, home share etc. When you create a new user, those defaults are used to automatically fill in the corresponding account properties. Ldap Admin supports some parameters that help customize the default fields. For instance, if you have defined the server NETBIOS name, you can use the parameter %n as a placeholder for the NETBIOS server name in other fields. Each parameter corresponds to one field in the property dialog:

    %f - First name
    %F - Initial letter of first name
    %l - Last name
    %L - Initial letter of last name
    %u - User name
    %n - NETBIOS Server name

For example, if you wanted to create an account for user John Doe and you defined the default username to be %f.%l, the NETBIOS server name to be MYSERV and the home share as \\%n\homes\%u, then, after you've filled in the corresponding fields in the user properties dialog, the username and server share fields would be automatically set to john.doe and \\MYSERV\homes\john.doe respectively.

Here are some settings which I find to be useful:

    Username: %f.%l
    Display name: %f, %l or %l, %f if you're in Europe
    Home directory: /home/%u
    Login shell: /bin/false if you're using only SAMBA
    Group: set this to DN of default user group
    Netbios name: set this to your NETBIOS server name
    Domain name: Set this to be the default Samba domain name
    Home share: \\%n\homes
    Home drive: H:
    Script: %u.cmd if each user is to have different start script
    Profile path: \\%n\profiles\%u
    Default Mail Address: %u@yourdomain.com
    Default Maildrop: %u@whereyourmaildropis.com

Even better, simply use the Profile wizard, which can be invoked with the Create default... button on the preference dialog!

A note on LDAP encoding

According to RFC 4514, some characters must be escaped when used in the string representation of a DN. LdapAdmin automatically decodes strings returned from the server, providing you with a user-friendly string. It also takes the burden of escaping the required characters off you by automatically encoding the strings on input. This can be done safely whenever you are required to enter portions of a DN, such as a user name or the value of a naming attribute when moving or renaming entries. However, when you input whole DNs it may not always be clear which characters are to be escaped if (although highly improbable) DN names contain equality or comma characters. For this reason, it is advisable to use the browse buttons whenever they are available.

Nonetheless, sometimes you may want to input the DN yourself. In this case LdapAdmin assumes every character on the right side of an equality sign, and all consecutive commas except the last comma before the next equality sign, to be part of the value. You can override the automatic encoding by prefixing the string with the @ character, in which case you will have to encode the string yourself. Furthermore, if you're a hardcore admin and prefer to work with raw LDAP strings, you can turn the automatic encoding/decoding off completely in the program options, in which case LdapAdmin does no additional processing and displays encoded strings as they are passed over by the LDAP server.
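The hand-typed DN rule described above, sketched in Python as an added example (not LdapAdmin's own code, which this page does not show). The function names are hypothetical, the sample DN is constructed, and dropping the leading @ before the string is used is an assumption.

```python
# Added illustration; function names are hypothetical, not LdapAdmin's code.
ALWAYS_ESCAPE = '"+,;<>\\'   # RFC 4514, section 2.4


def escape_value(value):
    """Escape one attribute value for the string form of a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in ALWAYS_ESCAPE or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def split_typed_dn(text):
    """Split an unescaped, hand-typed DN using the rule the page describes:
    only the last comma before the next '=' separates two RDNs."""
    rdns, rest = [], text
    while rest:
        attr, eq, tail = rest.partition("=")
        if not eq:
            raise ValueError("missing '=' in %r" % rest)
        next_eq = tail.find("=")
        if next_eq == -1:                      # last RDN: everything is value
            value, rest = tail, ""
        else:
            cut = tail.rfind(",", 0, next_eq)  # last comma before next '='
            if cut == -1:
                raise ValueError("'=' inside a value is ambiguous: %r" % tail)
            value, rest = tail[:cut], tail[cut + 1:]
        rdns.append((attr.strip(), value))
    return rdns


def encode_typed_dn(text):
    """Return the escaped DN; a leading '@' means the caller already escaped it
    (assumption: the '@' marker itself is dropped)."""
    if text.startswith("@"):
        return text[1:]
    return ",".join("%s=%s" % (a, escape_value(v)) for a, v in split_typed_dn(text))


# Constructed sample input.
TYPED = "cn=Doe, John,ou=People,dc=example,dc=com"
if __name__ == "__main__":
    print(encode_typed_dn(TYPED))
```

A value that itself contains a comma followed by an equality sign, such as `x,y=z`, is split into two RDNs by this rule without any error, which is the case where the browse buttons or the @ prefix are the safer route.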

SAMBA Support

Ldap Admin automatically detects the presence of Samba v3 domains in the directory and provides support for Samba v3 accounts if such domains are detected. It does so by searching the LDAP directory for Samba-specific domain entries identified by the object class sambaDomain. It uses those entries to read configuration parameters such as the domain name, domain SID and algorithmic RID base.

You should make sure that those entries exist and are correctly initialized. Note that, in my experience, the Samba 3 server doesn't create those entries upon its first start, as one would expect, but only after it has been accessed for the first time (a simple smbclient -L should suffice)!

Also, it seems that Samba, once it has created those entries, doesn't bother to keep them up to date: changing the algorithmic rid base parameter in the Samba configuration file, for example, is not reflected in the LDAP directory after the server is restarted. If you change this parameter you will have to adjust its LDAP attribute manually (hope Samba developers will fix this soon).
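One way to spot the stale value described above, as an added Python example that is not part of LDAP Admin: it compares the `algorithmic rid base` setting from smb.conf with the `sambaAlgorithmicRidBase` attribute of each sambaDomain entry in an LDIF export (for instance the output of a search with the filter `(objectClass=sambaDomain)`). The function names and both sample texts are constructed, and the check assumes the smb.conf belongs to the server for every listed domain.

```python
# Added illustration; names and sample data are constructed for this example.
SAMBA_DEFAULT_RID_BASE = 1000   # Samba's default for "algorithmic rid base"

SAMPLE_LDIF = """\
dn: sambaDomainName=MYDOM,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: MYDOM
sambaSID: S-1-5-21-1111111111-2222222222-3333333333
sambaAlgorithmicRidBase: 1000
"""

SAMPLE_SMB_CONF = """\
[global]
   workgroup = MYDOM
   ; changed after the sambaDomain entry was created
   algorithmic rid base = 2000
"""

def parse_ldif(text):
    """Parse plain 'attr: value' LDIF (no folded lines, no base64 values)."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def smb_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def rid_base_drift(ldif_text, smb_conf_text):
    """List (domain, ldap_value, conf_value) where the directory is stale."""
    conf = int(smb_global(smb_conf_text).get("algorithmic rid base", SAMBA_DEFAULT_RID_BASE))
    drift = []
    for e in parse_ldif(ldif_text):
        if "sambadomain" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        vals = e.get("sambaalgorithmicridbase")
        ldap = int(vals[0]) if vals else None
        if ldap != conf:
            drift.append((e.get("sambadomainname", ["?"])[0], ldap, conf))
    return drift
```

An empty result means the directory and the configuration file agree; each tuple otherwise names a domain whose LDAP attribute needs the manual adjustment mentioned above.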


You can use LDAP Admin as is, out of the box. To be able to use LDAP Admin to its full extent, however, you will have to extend your LDAP directory schema.


To the best of my knowledge, there is no such thing as a common Postfix schema. All that you have are default attributes used by some Postfix options such as maildrop or mail address, but those are not directly compatible with any mailing client known to me. Luckily, you can configure every parameter to be what you want it to be, so I chose to use a schema that should be compatible with most mailing clients (here I mean especially the use of the 'mail' attribute instead of 'mailacceptinggeneralid' as defined by the default Postfix settings). You can download the schema here. Also, here is an example of a (working) main.cf configuration file.

To activate e-mail support, just activate the Mail account checkbox in the properties window of the given account. You can then define a maildrop for this account as well as an arbitrary number of e-mail addresses. All those addresses will be redirected to the maildrop address, which should be the address of the mailbox for the account (if Postfix is configured as in the example above).

Mailing lists and transport tables are supported as well; you may add or edit them via the main or popup menu.

Copyright (C) 2012 Tihomir Karlovic & www.ldapadmin.org. All rights reserved. Design by Alexander Sokoloff.