LDAP Directory Traversal; LDAP Export; Java
The LdapClimb project consists of two programs that can be used to traverse a company reporting structure stored in an LDAP directory
and export the results to a text file.
LdapClimbDown is used to traverse down the company hierarchy, starting with a top-level manager and working its way down to the
lowest-level employee. For example, LdapClimbDown can be used to generate a list of all employees that are under the reporting
structure of a particular VP or manager.
LdapClimbUp is used to traverse up the company hierarchy, starting with a specific employee and working its way up to a particular
level of manager. For example, LdapClimbUp can be used to generate a list of all managers, and managers' managers, that are above
a particular employee in the reporting structure.
Avaya needed to determine which employees in specific organizations had not entered or updated
their profiles in a particular service application. The company employee directory and
reporting structure are stored in an LDAP directory.
To accomplish this, the LdapClimb tools were used to list all employees that were underneath the reporting
structure of the organization heads, to compare against the service application database. The results were easily
compared with the service application database using a simple SQL query. Additionally, the LdapClimbUp tool was
utilized to discover gaps in the reporting structure.
- Java 2 runtime environment (J2SE)
C:\MicroWeb\LdapClimb>java -jar LdapClimbDown.jar <config_file> [<start=value>]
-- or --
C:\MicroWeb\LdapClimb>java -jar LdapClimbUp.jar <config_file> [<start=value>]
The name of the configuration file
Tip: On Windows machines, use the forward slash character '/' to delimit folder names if
your configuration file is not in the same folder as the program.
[optional] This option is used to specify the starting point of the directory traversal on the command line, overriding the value in the configuration file.
Sample Configuration File
#Ldap fields to export
Configuration File Parameters
[yes|no] : turns debug messages on/off
The name or IP address of the LDAP directory server.
The search base of where to search the LDAP directory server.
The user name required to search the LDAP directory server. If this is blank, an anonymous search will be performed.
The password required to search the LDAP directory server.
The name of the LDAP directory field used to identify an employee record.
Example using employee number: sync.keyfield=employeenumber
The display name you want used for the sync.keyfield output column
The name of the LDAP directory field indicating a parent-to-child relationship to traverse the directory.
Example using employee supervisor: sync.keyparent=supervisorid
The value of the sync.keyfield in the LDAP directory at which to start a search.
Example with employee number 012345678: sync.start=012345678
LdapClimb can export up to 100 LDAP field values. N is a number from 0 to 99 that indicates the display label
of the field exported.
Note: The numbers do not need to be in order. For example, to skip the Handle field above,
remove the text after the = character as shown below.
LdapClimb can export up to 100 LDAP field values. N is a number from 0 to 99 that indicates the name of the
LDAP field to export.
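
The traversal that sync.keyfield, sync.keyparent and sync.start describe, as an added Python example that is not LdapClimb's own code: it walks down and up a reporting structure, stops on the gaps and loops that real directory data contains, and escapes a start value before it goes into a search filter. Assumptions: the in-memory `DIRECTORY` list and `search` function are constructed stand-ins for an LDAP server, and all function names are hypothetical.

```python
KEYFIELD, KEYPARENT = "employeenumber", "supervisorid"  # from the page's examples

DIRECTORY = [  # constructed sample records, not real data
    {"employeenumber": "100", "supervisorid": ""},
    {"employeenumber": "200", "supervisorid": "100"},
    {"employeenumber": "300", "supervisorid": "100"},
    {"employeenumber": "400", "supervisorid": "200"},
    {"employeenumber": "500", "supervisorid": "999"},  # supervisor missing: a gap
    {"employeenumber": "600", "supervisorid": "700"},  # 600 and 700 form a loop
    {"employeenumber": "700", "supervisorid": "600"},
]

def equality_filter(attr, value):
    """Build (attr=value) with RFC 4515 escaping so the value stays a literal."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "(%s=%s)" % (attr, "".join(specials.get(ch, ch) for ch in value))

def search(entries, attr, value):
    """Hypothetical stand-in for an LDAP equality search."""
    return [e for e in entries if e.get(attr) == value]

def climb_down(entries, start):
    """Breadth-first walk from a manager to everyone below; each key visited once."""
    seen, queue, order = {start}, [start], []
    while queue:
        current = queue.pop(0)
        for entry in search(entries, KEYPARENT, current):
            key = entry[KEYFIELD]
            if key not in seen:  # guards against reporting loops
                seen.add(key)
                queue.append(key)
                order.append(key)
    return order

def climb_up(entries, start):
    """Follow the parent field upward and report why the chain stopped."""
    chain, seen, current = [], {start}, start
    while True:
        found = search(entries, KEYFIELD, current)
        if not found:
            return chain, "gap"   # referenced record does not exist
        parent = found[0][KEYPARENT]
        if not parent:
            return chain, "top"   # no supervisor recorded: top of the hierarchy
        if parent in seen:
            return chain, "loop"  # supervisor chain points back on itself
        chain.append(parent)
        seen.add(parent)
        current = parent
```
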