How to integrate hp OpenView Service Desk with Microsoft Active Directory

Transcription

1 How to integrate hp OpenView Service Desk with Microsoft Active Directory Copyright 2004 Page 1 of 26

2 Table of Contents Introduction 3 What is Active Directory 4 Installing Active Directory... 5 Working with LDAP. 10 Service Desk and LDAP.17 Appendix.. 25 Reference Materials 26 Copyright 2004 Page 2 of 26

3 Introduction What s LDAP? In the following chapters the integration between Service Desk and Windows Active Directory via LDAP is explained. LDAP, Lightweight Directory Access Protocol, is an Internet protocol that programs use to look up contact information from a server. LDAP was designed at the University of Michigan to adapt a complex enterprise directory system (called X.500) to the modern Internet. A directory server runs on a host computer on the Internet, and various client programs that understand the protocol can log into the server and look up entries. LDAP is based on the standards contained within the X.500 standard, but is significantly simpler. And unlike X.500, LDAP supports TCP/IP, which is necessary for any type of Internet access. Because it is a simpler version of X.500, LDAP is sometimes called X.500-lite. LDAP clients can ask LDAP servers to look up entries in a wide variety of ways. LDAP servers index all the data in their entries and "filters" may be used to select just the person or group desired, and return just the needed information. An LDAP-aware client is most likely already installed on the computer. Most modern clients are set up to search an LDAP directory for addresses. These include Outlook, Eudora or Netscape. Software companies such as Microsoft, IBM, Lotus, and Netscape agreed to support a standard called LDAP. It defines a standard method for accessing and updating information contained in a directory. What s the relation with hp OpenView Service Desk? The LDAP integration makes it possible to import information contained in an LDAP directory to hp OpenView Service Desk. Directories are often used to store data related to objects, administrative details for a person, for example. The person object will include additional attributes, for example an address, phone number and address. Data Exchange can be used to connect to a directory using an LDAP server and export data specified in the configurable extractor. The data can then be imported into Service Desk based on the import mapping specified. The integration can be set up to work just like any other data exchange batch import. The only difference is that an LDAP connection is made instead of an ODBC connection. The LDAP integration with hp OpenView Service Desk is working with all directory vendors, but this document explains the functionality on Windows Active Directory, the most popular one. Copyright 2004 Page 3 of 26

4 What is Active Directory Active Directory explained A Windows domain is a logical grouping of network computers that share a central directory database. A directory database contains user accounts and security information for the domain. This directory database is known as the directory and is the database portion of Active Directory. In a domain, the directory resides on computers that are configured as domain controllers. A domain controller is a server that manages all security-related aspects of user-domain interactions. When a user logs on to a computer in the domain, a domain controller checks the directory for the user name, password, and logon restrictions to authenticate the user. Active Directory supports LDAP version 2 (RFC 1777) and version 3 (RFC 2251). Service Desk clients that have the Active Directory components installed (via the jndi.zip and the ldap.zip files in the \lib folder) use LDAP version 3 to connect to the Active Directory. The resources stored in the directory are known as objects. An object is a distinct named set of attributes that represents a network resource. Object attributes are characteristics of objects in the directory. For example, the attributes of a user account might include the user's first and last names, department, and address. The core unit of logical structure in Active Directory is the domain, which can store the objects. In Active Directory one can organize objects in classes. Every object in Active Directory is an instance of an object class. Examples of object classes are those representing user accounts, computers or organizational units (OU s). Active Directory is primarily a namespace. A namespace is an area in which a name can be resolved. The Active Directory namespace is based on the DNS naming scheme and it uses DNS as its domain naming. Every object in Active Directory has a distinguished name (DN) that uniquely identifies an object. The DN includes the name of the domain that holds the object, as well as the complete path through the hierarchy to the object. Copyright 2004 Page 4 of 26

5 Installing Active Directory Installing Active Directory via dcpromo Before implementing Active Directory, examine the organization's business structure and operations and plan the domain structure, domain namespace and an OU structure. Create a hierarchy of OU s in a domain and there are no restrictions on the depth of the OU hierarchy, but a not complicated hierarchy performs better than a deep one. To launch the Active Directory Installation Wizard, run Configure Your Server on the Administrative Tools menu of the Start menu, or run DCPROMO from the command prompt. These two methods will run the Active Directory Installation Wizard and help guide the process of installing Active Directory on the computer and creating a new domain controller. As Active Directory is installed, choose whether to add the new domain controller to an existing domain or create the first domain controller for a new domain. Active Directory uses DNS as its location service, enabling computers to find the location of domain controllers. To find a domain controller in a particular domain, a client queries DNS for resource records that provide the names and IP addresses of the Lightweight Directory Access Protocol (LDAP) servers for the domain. LDAP is the protocol used to query and update Active Directory, and all domain controllers run the LDAP service. Active Directory cannot be installed without having DNS on the network, because Active Directory uses DNS as its location service. However, DNS can be installed separately without Active Directory. Installing Active Directory creates the database and database log files, as well as the shared system volume. The default location for the database and database log files is C:\WINDOWS\NTDS The default location for the shared system volume is C:\WINDOWS\SYSVOL There are two domain modes: mixed mode and native mode. Mixed mode allows the domain controller to interact with any domain controllers in the domain. When not planning to add any more domain controllers to the domain switch the domain from mixed mode to native mode. During the DCPROMO wizard there will be a prompt to install and configure a DNS if this did not exist yet. Also, it is necessary to type the password to be assigned to this server's Administrator account in the event the computer is started in Directory Services Restore mode. Copyright 2004 Page 5 of 26

6 Active Directory and DNS To test a working DNS click Start, point to Programs, point to Administrative Tools, and then click DNS. The DNS console appears. In the DNS console tree, right-click the name of the server, then click Properties. Click the Monitoring tab. Under Select a Test Type, select the Simple Query Against This DNS Server check box and the Recursive Query To Other DNS Servers check box, then click Test Now. On the Properties dialog box, under Test Results, one should see PASS in the Simple Query and Recursive Query columns. For more information how to install and configure a DNS server, please go to In this Microsoft Knowledge Base article with number is also explained how to configure a Forward Lookup Zone and a Reverse Lookup Zone in the DNS. Testing a working DNS with nslookup When wanting to check if the DNS is working properly, use the NSLOOKUP command. It is possible if one goes into the NSLOOKUP program, that it immediately gives an error message such as: 1. *** Can't find Server name for address... Non-existent domain *** Default servers are not available Default Server: Unknown Then a common problem is experienced caused by an improperly configured reverse arpa (inaddr.arpa) zone. When the NSLOOKUP program starts it goes to the TCP/IP configuration for the system on which it is running. From the configuration it determines the IP address of the DNS server that the system is configured to use. The NSLOOKUP does a reverse lookup using the IP address of the DNS server and tries to determine the name of the server. If the reverse arpa zone for that IP address is not set up correctly, then NSLOOKUP cannot determine the name associated with that IP address, and it displays the error message given above. To fix this problem, properly configure the reverse arpa zone for the IP address of the DNS server, and make sure that the reverse arpa is properly delegated to the server. Please go to the Microsoft link mentioned above to fix this. Copyright 2004 Page 6 of 26

7 2. *** Can't find server name for address w.x.y.z : Timed out NOTE : w.x.y.z is the first DNS server listed in the DNS Service Search Order list. *** Can't find server name for address : Timed out The first error indicates that the DNS server cannot be reached or the service is not running on that computer. To correct this problem, either start the DNS service on that server or check for possible connectivity problems. The second error indicates that no servers have been defined in the DNS Service Search Order list. To correct this problem, add the IP address of a valid DNS server to this list. 3. *** Can't find server name for address w.x.y.z: Non-existent domain This error occurs when there is no PTR record for the name server's IP address. When nslookup.exe starts, it does a reverse lookup to get the name of the default server. If no PTR data exists, this error message is returned. To correct the error, make sure that a reverse lookup zone exists and contains PTR records for the name servers. Administration of Active Directory with mmc Administration of Windows 2000 and Active Directory is done with the Microsoft Management Console (MMC). Running the MMC console (via the Command Prompt type mmc ) allows management of the Active Directory. Go to File and Add/Remove Snap-In and here add the following components which are important for managing the Active Directory. MMC is an umbrella application that offers a consistent look and feel. Modules--so-called SnapIns-- are used to handle specific tasks. For the management of Active Directory the following SnapIns are available: Users and Computers to manage organizational units and accounts for computers and users. With Sites and Services the administrator can create sites and define which IP subnets should belong to them. Extensions to Active Directory's schema can be made with the Schema SnapIn. The Domains and Trust SnapIn is used to manually establish trust relationships between. ADSI Edit is a low-level tool for Active Directory. Unlike the other SnapIns it does not offer dialogues that present attributes in context, but rather provides a complete listing of attributes and their values for a given entry, thereby giving access to attributes that are otherwise hidden. The Group Policy SnapIn is used to manage Group Policy Objects Copyright 2004 Page 7 of 26

8 Creating Organizational Units Use the Active Directory Users and Computers console to create OU s. 1. Click the desired location to create this OU, either a domain or another OU. 2. On the Action menu, point to New, and then click Organizational Unit. 3. In the New Object-Organizational Unit dialog box, in the Name box, type the name of the new OU, then click OK. Modify the Active Directory schema Use the Active Directory Schema console to modify the schema delivered with the installation of the Active Directory. The Active Directory Schema snap-in allows schema administrators to manage the Active Directory schema by creating and modifying classes and attributes, and specifying which attributes are indexed and which attributes are to be catalogued in the global catalog. Administrators will not perform schema management tasks on a frequent basis, and they should take some care when modifying the schema. Management of the schema is restricted to a group of administrators called schema administrators. Copyright 2004 Page 8 of 26

9 Here one can also create new objects and relate them to classes and create new classes and relate these classes to other existing classes. This chapter does not cover the administering of the Active Directory, but what is changed here, will show up in the LDAP browser. So it is important which data is visible in the LDAP browser, because that is the data that can be extracted and imported into hp OpenView Service Desk. When the Schema tree is expanded, the objects that make up the classes and attributes of the schema can be seen. Double-click to see the properties for one of these objects. One must be a member of the Schema Admin group to modify any part of the schema. By default, the Administrator account is a member of this group Do not make changes to the schema unless very familiar with its structure and what needs to be accomplished. New schema objects cannot be deleted. Changes to existing objects can cause problems that could force reinstalling Active Directory from scratch or recovering from a backup tape. What s a global catalog For a proper functioning Active Directory a global catalog is needed. A global catalog is the central repository of information about objects in a tree or forest. It is created automatically on the initial domain controller in the forest and is called the global catalog server. Place at least one domain controller in every site, and make at least one domain controller in each site a global catalog. Sites that do not have their own domain controllers and at least one global catalog are dependent on other sites for Active Directory information and are less efficient. Clients must have access to a global catalog to log on, so there should be at least one global catalog in every site to receive the benefits of containing network traffic provided by using sites. The global catalog stores and replicates the schema information and is in fact a subset of the properties for all directory objects in the forest. To open Active Directory Sites and Services, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services. To enable or disable a global catalog 1. Open Active Directory Sites and Services 2. In the console tree, double-click the domain controller hosting the global catalog. 3. Right-click NTDS settings, and then click Properties. 4. Select the global catalog check box. Do not enable this option unless certain it will provide value in the deployment. For this option to be useful, the deployment must have multiple domains, and even then, only one global catalog is typically useful in each site. Copyright 2004 Page 9 of 26

10 Working with LDAP LDAP directory model The Lightweight Directory Access Protocol is nothing more than a communication protocol. As previously seen, the LDAP standard mediates communication between client and server and does nothing else. Note that LDAP is a standard and is not a program or software one can buy. The LDAP directory service model is based on entries. An entry is a collection of attributes that has a name, called a distinguished name (DN). The DN is used to refer to the entry unambiguously. Each of the entry's attributes has a type and one or more values. In LDAP, directory entries are arranged in a hierarchical tree-like structure that reflects political, geographic and/or organizational boundaries. Entries representing countries appear on top of the tree. Below them are entries representing states or national organizations. Further down there might be entries representing people, organizational units, printers, documents, or just about anything else one can think of. In addition, LDAP allows control of which attributes are required and allowed in an entry through the use of a special attribute called objectclass. Using an LDAP browser Use an LDAP browser to see the contents of for example the Active Directory. This document is based on the use of the Softerra LDAP browser version which is a freeware tool. Go to to download the newest version. Above, the LDAP browser GUI can be seen, without connections to LDAP servers. Copyright 2004 Page 10 of 26

11 How to create a new profile Right-clicking the Browser root will allow the creation of a new profile called TEST. A profile was created based on a new domain called OVSOSD on a PDC where the Active Directory was installed. The following fields are important: Host - specifies IP address or DNS name of the destination LDAP server Port - a TCP/IP port used to connect to the destination LDAP server. o For regular connections (non-secured) o For secured connections (SSL) Protocol version - specifies the version of protocol to be used to perform all operations with the server. The version can be either 2 or 3. Version 2 is deprecated and has to be used only to connect to old LDAP servers, such as UMICH and OpenLDAP 1.X. In most cases the version should be 3. Base DN - the 'root' point to bind to the server. In case with LDAPv3 servers this field can be left empty to connect to the server RootDSE. DSE means DSA-specific Entry where DSA is an X.500 term for the directory server. Fetch DN s - usually LDAPv3 servers publish their list of the top level contexts available. To get this list, just press the button. Note: If connected to an LDAPv2 server, know the naming context to bind to. Anonymous bind - check this box in order to connect to a server anonymously. In User DN, either fill in the whole hierarchical row, such as: CN=Administrator,CN=Users,DC=OVSOSD,DC=neth,DC=hp,DC=com or OVSOSD\Administrator. Under Server Properties>> LDAP Settings>>Displayed Attributes, only the attributes one wants to see can be chosen. Here one can fill in an objectclass with the related attributes. As explained, classes and attributes can be adjusted via the schema browser in the MMC console. Copyright 2004 Page 11 of 26

12 Active Directory structure When creating a profile, a Base DN like DC=OVSOSD,DC=neth,DC=hp,DC=com can be filled in, so the browser looks like: In fact the name TEST has now the meaning of DC=OVSOSD,DC=neth,DC=hp,DC=com. One can also create a profile leaving the Base DN empty and then the browser looks like: Now the name TEST is just a profile name and the DNS namespace is just one level lower. But DC=OVSOSD,DC=neth,DC=hp,DC=com is still the BaseDN. Copyright 2004 Page 12 of 26

13 TEST is the rootdse and is defined as the root of the directory data tree on a directory server. The rootdse is not part of any namespace. The purpose of the rootdse is to provide data about the directory server. So: TEST RootDSE Information about the directory server like settings, port OVSOSD BaseDN Root point to connect to the server NOTE: If connecting to an Active Directory server anonymously, the server will only allow browsing the server RootDSE. It will not be possible to perform any directory browsing untill an authorized connection is made. When looking at DC=OVSOSD,DC=neth,DC=hp,DC=com, DC means the forest root and is the distinguished name of the forest root domain. In Active Directory the attribute type called DC is used automatically when creating a new profile. Find the following attribute types in Active Directory: DC OU CN domaincomponent organizationalunitname commonname These entries can also be created via MMC>>Users and Computers. Copyright 2004 Page 13 of 26

14 In the LDAP browser it can be seen that the new entries are created as OU and CN entries. Each CN entry has its own object classes. Created under OU=Test Organization for example CN=User called test and this entry has type user. Automatically it has the objectclasses top, person, organizationalperson and user as defined in the schema. Automatically it has the objectclasses top, person, organizationalperson and user as defined in the schema. When one goes to the Active Directory schema and looks at, for example, class person and see the properties, then it is possible to find out what the related classes are and the mandatory and optional attributes. Copyright 2004 Page 14 of 26

15 Below are some screenshots from the properties of the class called person: The following four attributes MUST be present in all subschema entries: CN: this attribute MUST be used to form the RDN of the subschema entry. objectclass: the attribute MUST have at least the values "top" and "subschema". objectclasses: each value of this attribute specifies an object class known to the server. attributetypes: each value of this attribute specifies an attribute type known to the server. Copyright 2004 Page 15 of 26

16 Above one can see how it looks like via the LDAP browser. Each entry MUST have an objectclass attribute. The objectclass attribute specifies the object classes of an entry, which along with the system and user schema determine the permitted attributes of an entry. Values of this attribute may be modified by clients, but the objectclass attribute cannot be removed. Servers may restrict the modifications of this attribute to prevent the basic structural class of the entry from being changed. When creating an entry or adding an objectclass value to an entry, all superclasses of the named classes are implicitly added as well, if not already present, and the client must supply values for any mandatory attributes of new superclasses. Copyright 2004 Page 16 of 26

17 Service Desk and LDAP The ini file Directories are often used to store data related to objects, administrative details for a person, for example. The person object will include additional attributes, for example an address, phone number and address. Directories are designed so that a user can easily search for information using a variety of criteria. Data Exchange can be used to connect to a directory using an LDAP server and export data specified in the configurable extractor. The data can then be imported into Service Desk based on the import mapping specified. To change data in an LDAP directory the change must be made in that directory and not in Service Desk. The integration can be set up to work just like any other data exchange batch import. The only difference is that an LDAP connection is made instead of an ODBC connection. The sd_export program can export data from both an LDAP server or ODBC. The.ini files used for the two types of connections are different. The Extraction Configuration Wizard provided for Data Exchange is not compatible with the LDAP.ini files. The wizard can only be used with ODBC based.ini files at this time. The INI file explained: [CONNECTION] TYPE=LDAP [LDAP] SERVER=xxxxx.neth.hp.com PORT=389 PRINCIPAL=OVSOSD\Administrator AUTHENTICATION=SIMPLE CREDENTIALS=xxxxx [SYSTEM] LOG=TRUE XML=TRUE LOG_FILE=ldap_test.log XML_OUTPUT_FILE=ldap_test.xml APPLICATION_NAME =ldap.ini ENCODING=UTF-8 [CLASSES] NAME=USERS [USERS] SOURCE=CN=Administrator,CN=Users,DC=OVSOSD,DC=neth,DC=hp,DC=com COLUMNS=[name],[cn],[description] ATT=[name], [cn],[description] SEARCHSCOPE=SUBTREE_SCOPE CONDITION=(cn=*) Copyright 2004 Page 17 of 26

18 Explanation for the different expressions: TYPE SERVER PORT PRINCIPAL AUTHENTICATION CREDENTIALS LOG XML LOG_FILE XML_OUTPUT_FILE APPLICATION_NAME ENCODING NAME SOURCE Enter LDAP as protocol name Enter IP address from server or fully qualified domain name 389 for non-secure connection or 639 for secure SSL connection Enter the distinguished name like CN=Administrator,CN=Users,DC=OVSOSD,DC=neth,DC=hp, DC=com or domain account like OVSOSD\Administrator. This account should be part of the domain wanting to extract data from. NONE when using no authentication ( anonymous) or SIMPLE when weak authentication ( so clear-text password)or SASL (how the LDAP connection will be secured by SSL and authenticated with Kerberos 5 via SASL is explained in RFC 2251.). Default is NONE. Enter the password here from the principal user Generate log file. Default FALSE Generate XML file. Default FALSE Name of logfile Name of XML file Name used in XML header The used character set when converting data to the XML file Enter a class section for each class to be exported. Class names can be defined by oneself. These class names will be used in the import mapping. Under each class section enter the SOURCE database the class data needs to be exported from. For example: when wanting to export the values name, cn and description from the Administrator account from domain OVSOSD.neth.hp.com, then the SOURCE is CN=Administrator,CN=Users,DC=OVSOSD,DC=neth, DC=hp,DC=com SEARCHSCOPE MOST IMPORTANT THING!! The start point of a search is defined by the SOURCE. If one enters ONELEVEL_SCOPE, then it will fetch all the data going one entry lower, so only the children of the search target. Enter SUBTREE_SCOPE, to return all elements, including those that appear in subtrees. With OBJECT_SCOPE, only search the object itself. Copyright 2004 Page 18 of 26

19 SEARCHSCOPE explained So if a ONELEVEL_SCOPE has been defined: [TEST] SOURCE=OU=Domain Controllers,DC=OVSOSD,DC=neth,DC=hp,DC=com COLUMNS=[Name], [distinguishedname],[samaccountname] ATT=[Name], [distinguishedname],[samaccountname] SEARCHSCOPE=ONELEVEL_SCOPE Then the output will be: LDAP.XML CLASS ATTRIBUTES Header TEST Application VALUES ldap.ini Date 25/03/2004 Name ID 1 OVNL202 distinguishedname CN=OVNL202,OU=Domain Controllers,DC=OVSOSD,DC=neth,DC=hp,DC=com samaccountname OVNL202$ Copyright 2004 Page 19 of 26

20 But when defining a SUBTREE_SCOPE: [TEST] SOURCE=OU=Domain Controllers,DC=OVSOSD,DC=neth,DC=hp,DC=com COLUMNS=[Name], [distinguishedname],[samaccountname] ATT=[Name], [distinguishedname],[samaccountname] SEARCHSCOPE=SUBTREE_SCOPE Then fetch the data from the whole subtree LDAP.XML CLASS ATTRIBUTES Header TEST TEST TEST TEST TEST Application VALUES ldap.ini Date 25/03/2004 Name ID 1 Domain Controllers distinguishedname OU=Domain Controllers,DC=OVSOSD,DC=neth,DC=hp,DC=com samaccountname NULL Name ID 2 OVNL202 distinguishedname CN=OVNL202,OU=Domain Controllers,DC=OVSOSD,DC=neth,DC=hp,DC=com samaccountname OVNL202$ Name ID 3 distinguishedname RID Set samaccountname NULL Name ID 4 distinguishedname samaccountname NULL Name ID 5 distinguishedname samaccountname NULL CN=RID Set,CN=OVNL202,OU=Domain Controllers,DC=OVSOSD,DC=neth,DC=hp,DC=com NTFRS Subscriptions CN=NTFRS Subscriptions,CN=OVNL202,OU=Domain Controllers,DC=OVSOSD,DC=neth,DC=hp,DC=com Domain System Volume (SYSVOL share) CN=Domain System Volume (SYSVOL share),cn=ntfrs Subscriptions,CN=OVNL202,OU=Domain Controllers,DC=OVSOSD,DC=neth,DC=hp,DC=com Copyright 2004 Page 20 of 26

21 CONDITION explained When building in the following condition CONDITION=(objectclass=organizationalPerson), [TEST] SOURCE=OU=Domain Controllers,DC=OVSOSD,DC=neth,DC=hp,DC=com COLUMNS=[Name], [distinguishedname],[samaccountname] ATT=[Name], [distinguishedname],[samaccountname] SEARCHSCOPE=SUBTREE_SCOPE CONDITION=(objectclass=organizationalPerson) only the data as in the first XML output will be received, because CN s Domain Controllers, RID set, NTFRS Subscriptions and Domain System Volume have no objectclass called organizationalperson. Copyright 2004 Page 21 of 26

22 Using CONDITION and SEARCHSCOPE is in fact the same as using the Directory Search Tool in the LDAP browser. Here the Search DN can be narrowed down and a Filter (acting like the CONDITION parameter) used to reduce the resulting data one would like to see back. An example: Search DN is a starting point of searching the LDAP directory connected to. When the Directory Search window is opened, the Search DN is set up automatically to exactly match the one of an entry currently selected in the left-hand side TreeView panel. Filter defines the rule for entry search. By default, the search filter is "(objectclass=*)" and it means that the search will be done through all the available entries. Attributes is the field where the attribute types one is interested in can be specified. They need to be comma-separated. For example, cn, sn, mail, telephonenumber. Search scope is used to define the scope of the search. Use One level to search within one level of Search DN sub-entries only, and Sub-tree to search within ALL entries located under the Search DN. Copyright 2004 Page 22 of 26

23 Import mapping The following step is to create an Import Mapping, this is easiest to do after the.ini file has been configured and the data exported to an XML file successfully. The property names and values in the XML file need to be mapped to class names, attributes and values in Service Desk. Here is another ini example: [TEST] SOURCE=CN=Users,DC=OVSOSD,DC=neth,DC=hp,DC=com COLUMNS=[Name],[distinguishedName],[sAMAccountName],[userPrincipalName] ATT=[Name],[distinguishedName],[sAMAccountName],[userPrincipalName] SEARCHSCOPE=SUBTREE_SCOPE CONDITION=(objectclass=organizationalPerson) CONDITION=(cn=Test) The XML looks like: LDAP.XML CLASS ATTRIBUTES VALUES Application Header ldap.ini Date 25/03/2004 Name Test ID 1 TEST distinguishedname CN=Test,CN=Users,DC=OVSOSD,DC=neth,DC=hp,DC=com samaccountname test userprincipalname test@ovsosd.neth.hp.com The import mapping: Copyright 2004 Page 23 of 26

24 And finally the record: Copyright 2004 Page 24 of 26

25 APPENDIX An LDAP error occurs during data-exchange when trying to export more records in a single query than the amount set in the 'Value limit' field in Active Directory. The following message is received: ERRORCODE 4 SIZE LIMIT EXCEEDED. The default value in the Value Limit field is The following HOWTO explains how to use the ntdsutil application from Microsoft to change the system parameters in the Active Directory HOW TO: View and Set Lightweight Directory Access Protocol Policies by Using Ntdsutil.exe in Windows 2000: Starting Ntdsutil.exe Ntdsutil.exe is located in the Support tools folder on the Windows 2000 installation CD-ROM. Ntdsutil.exe is installed in the System32 folder by default. 1. Click Start, and then click Run. 2. In the Open text box, type ntdsutil, and then press ENTER. To view help at any time, type? at the command prompt. Modifying Policy Settings 1. At the Ntdsutil.exe command prompt, type LDAP policies, and then press ENTER. At the LDAP policy command prompt, type Set setting to variable, and then press ENTER. For example, type Set MaxPageSize to This setting changes if another processor is added to the server. 2. Use the Show Values command to verify changes. To save the changes, use Commit Changes. 3. When finished, type q, and then press ENTER. 4. To quit Ntdsutil.exe, at the command prompt, type q, and then press ENTER. Some LDAP administration limits (with defaults in parentheses) are: MaxConnections - Maximum number of open connections (5,000). MaxConnIdleTime - Maximum amount of time a connection can be idle (900 seconds). MaxPageSize - Maximum page size that is supported for LDAP responses (1,000 records). MaxQueryDuration - Maximum length of time the domain controller can execute a query (120 seconds). MaxPoolThreads - Maximum number of threads that are created by the DC for query execution (4 for each processor). Copyright 2004 Page 25 of 26

26 Reference materials and e Care Documents OV-EN LDAP SIZE LIMIT ERROR OV-EN How to dump user information from directory through LDAP hp OpenView Service Desk 4.5 Data Exchange Guide chapter Integrating with LDAP The ABCs of LDAP: How to Install, Run, and Administer LDAP Services by Reinhard Voglmaier ISBN: Windows 2000 Active Directory Black Book by Adam Wood ISBN: Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. Copyright 2004 Page 26 of 26