FAQ

By default, LDAP Administrator uses the local application data folder to store its configuration files, like metabase and schema cache. Such behavior can cause problems for those using roaming profiles in their network.

• Open registry editor (Start->Run->regedit.exe)
• Navigate to or create registry key
  • HKEY_LOCAL_MACHINE\SOFTWARE\Softerra\LDAP Administrator 3\Settings - for version 3.x
  • HKEY_LOCAL_MACHINE\SOFTWARE\Softerra\LDAP Administrator 4 - for version 2008.x/2009.x (aka 4.x)
• Create a non-zero DWORD value here called EnableApplicationDataRoaming

You can use the HKEY_CURRENT_USER registry hive as well if you want to change the location of application data files only for specific users. In case both registry entries are used, the value from HKEY_LOCAL_MACHINE has a priority over the value from HKEY_CURRENT_USER.

Where does the application store my profiles?

How can I copy or back up my profiles?

Do I need to back up my profiles when reinstalling LDAP Administrator?

Softerra LDAP Administrator 2.X and Softerra LDAP Browser 2.X store profiles in the registry under the [1] and [2] registry keys respectively. Softerra LDAP Administrator 3.X keeps them in a file called metabase.stg, which is located in the application’s configuration folder [3].

You can copy or back up your version 2.X profiles using the Windows Registry Editor tool. To copy version 3.X profiles, just copy the metabase.stg file from [3]. Note: this file is not human readable, so it can't be read or manually edited. To copy your profiles from one workstation to another, just copy the existing metabase.stg file into the appropriate folder on the target workstation.

You don't need to back up/restore your profiles when reinstalling Softerra LDAP Administrator because they do not get removed during the uninstallation.

1. HKEY_CURRENT_USER\Software\Softerra\LDAP Administrator
2. HKEY_CURRENT_USER\Software\Softerra\LDAP Browser
3. C:\Documents and Settings\%LOGINGUSERNAME%\Local Settings\Application Data\Softerra\LDAP Administrator 3\

At some moment LDAP Browser experiences a considerable slowdown, so you have to wait 2-3 seconds before it adds a new node into the left-hand side tree view panel.

Incorrect DNS setting or complete absence of DNS.

Change your DNS settings so that the client and server hosts have both direct and reverse resolving via DNS enabled. Another possible solution could be adding required records to the hosts (lmhosts) file.

An error occurs while attempting to install LDAP Browser/LDAP Administrator and the installation process is abandoned.

The reason for the above is usually one of the following:

• The installation package has been corrupted/damaged during download.
• You are not duly authorized to install the applications to your system.
• Your hard drive has run out of free space or your disk quota is exceeded.
• You don't have permissions to write to the application destination folder.

• To make sure the installation package is not damaged, you need to check its MD5 hash sum. To calculate MD5/SHA1 hash, you can use one of the free hash calculators available. After getting the package's MD5/SHA1 hash sum, you then need to compare it to the original one provided at the download page. If MD5/SHA1 hash differs in any way, this means that the package is corrupted and has to be downloaded anew. Please note that the damaged package might have been cached by your proxy servers chain or by your web browser local cache, so it's strongly recommended you disable your proxy and clear the browser cache before a repeat file download.
• Make sure you are duly authorized to install applications and to write to the filesystem.
• Check if your hard drive has enough free disk space. Perform a temporary directory cleaup, if necessary. It's recommended you have at least 20 Mb free disk space of the destination drive to ensure successful installation.

This article concerns LDAP Administrator versions 2.x or LDAP Browser versions 2.x. Having an LDAP server profile created with the SSL configuration enabled, you still can't connect to the server. As a result, "[error 81] Can't contact LDAP server" is displayed.

This kind of behaviour occurs due to the absence of necessary SSL certificates in the certificate database, or the absence of the certificate database itself. This certificate database is required for an LDAP client library to establish the SSL connection.

You should create and populate a certificate database containing the necessary certificates manually.To do this, please follow the procedure below:

• Download and install the Netscape web browser version 4.x. Note that it's vital to use version 4.x - later version like 5+ or Firefox use newer certificate store format which is incompatible with the version used by LDAP Browser 2.x.
• Run the Netscape browser.
• Open URL: https://yourserver:sslport/, where:
  • yourserver - Your LDAP server address, provided it is an IP or host name. For example: 192.168.234.33 or ldap.mycompany.com.
  • sslport - A TCPIP port number used by your server to accept SSL connections. Usually his port number is 636.
• You'll see the Netscape Certificate Name Check window. Follow the instructions provided there and accept the server certificate for this and future sessions.
• Close the Netscape browser
• Copy the key3.db and cert7.db files from the Netscape user profile directory to the LDAP Administrator or LDAP Browser root directory.
• Restart LDAP Administrator or LDAP Browser.
• Open the server profile.
• Change Port number at the General tab. Press Apply.
• Check the Try to use SSL box at the LDAP Settings tab. Press Apply.
• Press OK.

I have found a problem/a bug. Where can I report it to?
I'd like to make a suggestion. Who can I send it to?
I've come across a problem and can't find a solution. What do I do?

If you have found a problem or a bug, please send us a report. Try to include as much hardware (CPU, RAM, Motherboard, Video) and software (OS version, Service pack, Internet Explorer version, MS Office version, LDAP Administrator version) information of yours as possible along with the description/instructions to help us reproduce the problem.

To send a bug report or a suggestion, you can use the built-in functionality of LDAP Administrator or LDAP Browser. Open the Help menu and choose the Bug report or the Suggestion menu item featured therein.If you come across a problem, first please look through the FAQ section hereof for the solution, or consult help supplied with the application. In case you are still unable to cope with the problem, please do not hesitate to email us. We'll do our best to help.

LDAP Administrator 2008.x or 3.x

When you connect to the Active Directory server using LDAP Administrator 2008 or 3.x expanding a first level node cases Operations Error with message The operation being requested was not performed because the user has not been authenticated or Invalid Credentials with The logon attempt failed.

LDAP Browser 2.x

When you connect to the Active Directory server using LDAP Browser 2.x, in the Output window or the messages.log file you'll see the following lines

Successfully connected to adserver.company.tld
Schema cache does not exist or expired. Fetching new one...
AttributeTypes:       Total: 0 Invalid: 0 Duplicated: 0
LDAPObjectClasses:     Total: 0 Invalid: 0 Duplicated: 0
MatchingRules:        Total: 0 Invalid: 0 Duplicated: 0

... with no entries available for browsing or search except the RootDSE entry. The absence of schema can create problems while trying to browse directories or to view binary attributes in particular.

You may experience such a behaviour when you connect to the Active Directory server anonymously or use invalid credentials. Windows logon name notion if often confused with the notion of LDAP DN. The former one could not be used to Active Directory authentication.

Unless specially configured, it is imperative you provide valid credentials for connecting to the Active Directory server.

To edit your credentials, open Server Profile Properties. Choose the Credentials tab and enter the proper user name and password into the corresponding input boxes. Generally, the Active Directory credentials have the following format: CN=Windows_User_Name,CN=Users,DC=company_name,DC=domain. For example: CN=John Smith,CN=Users,DC=example,DC=com. It's also possible to use the Kerberos principal name. For example: johns@example.com.

If you use LDAP Administrator 3.3 or later you may opt for using Currently logged on user checkbox and do not type any credentials information at all.

What is the difference between LDAP Administrator and LDAP Browser?
Which product should I use?
Which one better meets my needs?

When a container consists of thousands of entries, its opening takes too much time before all the subentries are displayed.

Generally speaking, getting a thousand entries or more is not a fast operation because of the amount of data to be transferred. Besides, LDAP Administrator and LDAP Browser have certain tricks to ensure a better appearance in process of the smaller and mid-sized directory browsing. But if you surf through heavily stuffed LDAP directories, such tricks can slow the overall application performance down considerably.

To improve on the performance of LDAP Administrator/LDAP Browser, open the Tools menu and choose the Options menu item. In the dialog displayed click the Interface tab. Uncheck the Fetch subentries upon item selection and the Force to display the entry fetched last checkboxes featured thereon.

I've got the "Ordinal 6567 could not be located in MFC42U.DLL" error. What went wrong?

While trying to start LDAP Administrator or LDAP Browser, the Ordinal 6567 could not be located in MFC42U.DLL error was displayed.

The problem occurred due to you having an invalid version of MFC42U.DLL installed. What LDAP Administrator requires is the MFC42U.DLL version supplied with Visual C++ v.6.0. So most probably you've got an older version installed on your system, perhaps the one supplied with Visual C++ v.5 or v.4.2.

We suggest you obtain a valid version of MFC42U.DLL. For example, you can get your copy from a PC where the application is working fine or from a Visual C++ 6.0 CD-ROM.

After one connects to an OpenLDAP server and attempts to add, modify or delete an attribute, Error 18 (incorrect matching) is displayed.

An EQUALITY matching rule specifier missing in some attribute type definitions of the OpenLDAP schema. EQUALITY matchingrule is used by the server to perform value comparison and thus is expressly required for the mentioned operations. The absence of EQUALITY matchingrule makes it impossible to compare attribute values, which causes operation failure.

Open the attribute schema definition and add an EQUALITY matching rule specifier which best fits a particular attribute type.

While browsing or searching through a directory, you are unable to get all of the subentries or search results and the "[error 4] sizelimit exceeded" message is displayed. Every time you are getting just a limited number of entries (e.g. 1000) returned.

Such a behavior may occur due to either of the two possible reasons, or both:

• Profile settings. An LDAP Administrator profile you have created for the server has settings which are responsible for the request timeout and the search result size limit. Those restrictions are sent to the server with each request and if the size limit is less than the number of subentries in a certain entry, the application won't be able to get all of them.
• LDAP Server settings. An LDAP server can be configured to return a certain number of entries that is not greater than the one defined. This can be done by modifying the server configuration files or the source code prior to compilation. In most cases such a configuration is made in order to optimize server load and prevent hacker attacks.

• VLV or Simple Paging. Starting from version 3, LDAP Administrator features the Simple Paging and Virtual List View support. Their respective use is only limited to whether your server supports this kind of operations. To learn more on the above, please consult the application Help: Help->LDAP Administrator Help->Browsing Directory->Managing Large Amounts of Entries.
• Profile settings. To edit a server property, select a server item in the left-hand side tree view panel and press the Properties button on the toolbar or press Alt-Enter. Then select the "LDAP Settings" tab, where the Entry count limit input will be displayed. Enter a new value better meeting your requirements. A Zero for this parameter means that the server is asked to return all the entries found in process of search.

• LDAP Server settings. There isn't a universal way of solving this problem, for it depends on a number of reasons: what kind of server you are working with, whom the server belongs to, whether or not you enjoy administrator rights and physical access to the server. If your server is absent in the list of solutions recommended for well-known servers, we suggest you ask your system administrator or consult the server documentation.

  Workaround for well-known servers

  • Microsoft Active Directory. By default, Microsoft Active Directory which is a part of Windows 2000 Server, allows fetching only 1000 entries per one search request. In terms of this system such a restriction is called MaxPageSize. This parameter can be changed using the ntdsutil.exe file which is a command line tool supplied with Windows 2000 Server. Another way to change this parameter is to edit it directly inside the CN=Default Query Policy, CN=Query-Policies, CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=YOUR_COMPANY, DC=YOUR_COMPANY_TLD entry by using LDAP Administrator. In both cases you must have administrator rights.
  • OpenLDAP. The time limit for the OpenLDAP server can be changed in the config file (which can usually be found at /etc/openldap/slapd.conf). The parameter is called sizelimit. For more information please consult the slapd.conf Manual page or the OpenLDAP documentation.