Wednesday, April 9, 2008

Ldifde

The trickiest setup I've done involved single sign-on into a "double-hop" Kerberos configuration. While recently troubleshooting one of these setups I rediscovered a great little tool by the name of ldifde (LDAP Data Interchange Format). This is a Windows 2000 Server tool that comes with the resource tool kit. The main purpose of ldifde is to act as a generic LDAP migration tool; it is included with Windows to allow an admin to import and export Active Directory data. The tool has another use though: it's a great way to query Active Directory for SPNs. SPNs do not show up in the standard AD browsing interface and are generally manipulated using the setspn tool (also included in the Windows resource tool kit). This works fairly well until you want to find out which user has a given SPN, instead of which SPNs a given user has. Setspn doesn't have any way to do that reverse lookup, and this is where ldifde comes in.

In my case I was setting up a Kerberos "double-hop" configuration where the user logs into a web application, which then accesses data on a separate SQL Server. This is a very tricky setup to begin with (see http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerbdel.mspx for a more detailed description), and one of the possible pitfalls is having duplicate SPNs assigned. If two different users have the same SPN, the system won't work, because an SPN must map to exactly one account for Kerberos to issue the service ticket correctly. Ldifde can easily tell us if this is a problem.

In order to see all the SPNs on the domain assigned to a server named myServer on mydomain.com:
ldifde -f ldifdeoutput.txt -l serviceprincipalname -r "(serviceprincipalname=*/myServer.mydomain.com)"

In order to see all the SPNs on the domain assigned to an MSSQL Service:
ldifde -f ldifdeoutput.txt -l serviceprincipalname -r "(serviceprincipalname=MSSQLSvc/*)"

where -f is the output file (written to your home directory), -l is the LDAP attribute to return for each matching object, and -r is the LDAP search filter.
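The export only lists which objects carry a matching servicePrincipalName; spotting a duplicate still means reading the file by hand. The script below is an added example (not part of the original post) that parses the LDIF that ldifde writes and reports any SPN registered on more than one account, plus the reverse lookup the post is after: which accounts hold an SPN for a given host. The sample export embedded in it is constructed, with hypothetical account names and the myServer.mydomain.com host from the commands above; it covers the three LDIF details a real export contains (multi-valued attributes, a line folded with a leading space, and a `::` base64-encoded value).

```python
import base64
from collections import defaultdict

# Constructed sample of what "ldifde -f out.txt -l serviceprincipalname -r ..."
# writes. The accounts and host names are hypothetical, not from a real domain.
SAMPLE_LDIF = """\
dn: CN=svc-sql,OU=Service Accounts,DC=mydomain,DC=com
changetype: add
servicePrincipalName: MSSQLSvc/myServer.mydomain.com:1433
servicePrincipalName: MSSQLSvc/myServer.mydomain.com

dn: CN=svc-web,OU=Service Accounts,DC=mydomain,DC=com
changetype: add
servicePrincipalName: HTTP/myServer.mydomain.com
servicePrincipalName: mssqlsvc/myserver.mydomain.com:1433

dn: CN=MYSERVER,OU=Servers,DC=mydomain,DC=com
changetype: add
servicePrincipalName: HOST/myServer.mydomain.com
servicePrincipalName:: SE9TVC9NWVNFUlZFUg==
servicePrincipalName: MSSQLSvc/myServer.mydomain.com:
 1434
"""


def parse_ldif(text):
    """Return a list of (dn, {attribute_lowercase: [values]}) per LDIF record.

    Records are separated by blank lines, a line starting with a single space
    continues the previous line, and 'attr:: value' carries base64 data.
    """
    records = []
    for block in text.replace("\r\n", "\n").split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # unfold continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        if not lines:
            continue
        dn, attrs = None, defaultdict(list)
        for line in lines:
            name, _, value = line.partition(":")
            if value.startswith(":"):         # 'attr:: <base64>'
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            name = name.strip().lower()
            if name == "dn":
                dn = value
            else:
                attrs[name].append(value)
        records.append((dn, dict(attrs)))
    return records


def find_duplicate_spns(records):
    """Return {spn_lowercase: [dn, ...]} for SPNs held by more than one object.

    SPN comparison is case-insensitive, which is how the KDC matches them.
    """
    owners = defaultdict(set)
    for dn, attrs in records:
        for spn in attrs.get("serviceprincipalname", []):
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


def accounts_for_spn_host(records, host):
    """Reverse lookup: {dn: [spn, ...]} for every SPN whose host part is `host`.

    An SPN has the form service/host[:port][/servicename]; the port is ignored.
    """
    host = host.lower()
    hits = defaultdict(list)
    for dn, attrs in records:
        for spn in attrs.get("serviceprincipalname", []):
            parts = spn.split("/")
            if len(parts) < 2:
                continue
            if parts[1].split(":")[0].lower() == host:
                hits[dn].append(spn)
    return dict(hits)


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    for spn, dns in find_duplicate_spns(recs).items():
        print(f"DUPLICATE {spn} on: {', '.join(dns)}")
    for dn, spns in accounts_for_spn_host(recs, "myServer.mydomain.com").items():
        print(f"{dn}: {', '.join(spns)}")
```

Point it at the real export by replacing SAMPLE_LDIF with the contents of the file given to -f. On the constructed sample it flags MSSQLSvc/myServer.mydomain.com:1433 as registered on both svc-sql and svc-web, which is exactly the duplicate that breaks the double-hop setup.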

Below is the entire built-in help output (ldifde -?) for ldifde:

General Parameters
-i Turn on Import Mode (The default is Export)
-f filename Input or Output filename
-s servername The server to bind to
-c FromDN ToDN Replace occurrences of FromDN to ToDN
-v Turn on Verbose Mode
-j Log File Location
-t Port Number (default = 389)
-? Help

Export Specific Parameters
-d RootDN The root of the LDAP search (Default to Naming Context)
-r Filter LDAP search filter (Default to "(objectClass=*)")
-p SearchScope Search Scope (Base/OneLevel/Subtree)
-l list List of attributes (comma separated) to look for in an LDAP search.
-o list List of attributes (comma separated) to omit from input
-g Disable Paged Search
-m Enable the SAM logic on export
-n Do not export binary values

Import Specific Parameter
-k The import will go on ignoring 'Constraint Violation' and 'Object Already Exists' errors

Credentials Parameters
-a Sets the command to run using the supplied user distinguished name and password. For example: "cn=yourname,dc=yourcompany,dc-com password"
-b Sets the command to run as username domain password. The default is to run using the credentials of the currently logged on user.
