Active Directory LDAP/LDS Extraction Tool

DISCLAIMER: This Import tool is only intended for the Technical Audiences who have sound knowledge or familiarity of the Active Directory in their organization. This application needs to be run on the computer that is a member of Active directory and the application must be started by a user that is currently logged into the same current active directory domain. Both the computer and the user account needs to be a member of active directory domain otherwise this application will not work.

This topic explains the steps to Import Customer, Employee using Wasp Directory LDAP/LDS Extraction tool.

1. Generating Public API token:  Select User > Users. The View Users screen will appear. Click on the First Name of the user. The First Name is a Link in the View Users screen and it will navigate to View/ Edit User screen. Click on the Generate Token button. The token will get downloaded. Either copy the token from the screen or copy from the downloaded file.

Note: The token can only be generated by the user with an Administrative role.

2. Open the Wasp Utility Config file. Make the following changes:

• PublicApiToken - Replace and paste the new token.

Note: When editing the .ini file to add the Token and make any other changes, we highly recommend Notepad++ or similar. Under most current versions of Windows 'normal' users will not have sufficient the access rights to modify the .ini file directly. Notepad++ is a very safe and reliable way to edit this file.

• PublicApiBaseAddress - Paste the URL of  the InventoryCloud application, from where the token is generated.

• A message will appear indicating the user to switch to Administrator mode. Click on the Yes button.

3. Select the Wasp Extraction Tool and Run the application. The Wasp Active Directory Extraction Tool will appear.

• If NO user principal or user domain could be determined based on current login (note the extract button will be disabled):

• We can also manually try it by specifying the domain controller, domain user, and password, but there is very little chance that it will work. The usual response is “The Server is not operational”. This ideal scenario would be when the user’s credentials and current security principal is determined automatically as shown below

• By default, the LDAP starting path, the LDAP current user and password can be left blank. For advanced users, this can be changed. The default password is left blank since the application will use the current network login’s user credentials.
• Staff /Employee - Import staff or employees. This button  will load the LDAP QUERY stored in the application config file and click on the “Extract” button to begin extracting Active Directory patterns for employees/staffs using the LDAP query (or queries) being displayed.
• Student /Customer - Import customers/students from LDAP. The Students button will do the same, but will load the LDAP queries defined by the string in the configuration file.
• API Synch - By default, the API synch checkbox will be checked. When it is checked, the Extract button will produce CSV file, and also perform Public API call to synchronize the LDAP records to the [employee/staff] or [customer/student] tables in the API back end. If this checkbox is cleared, then no API will be invoked and only the CSV file will be produced.
• The CSV output file is treated as a read-only field where the excel (CSV) file will be produced.

4. If the computer and the user account are not the member of active directory domain, this application will not work.

So make sure that this application should be run on the computer that is a member of Active directory and the application must be started by a user that is currently logged into the same current active directory domain. Both the computer and the user account needs to be a member of active directory domain so as to make this application work.

Application Config file (Configuration /AppSettings)

PublicApiToke - Refer Generating Public API Token section on how to generate a public API token.

PublicApiBaseAddress - This should be http://hostname:#### or https://hostname:#### where the public API server is hosted.

PublicApiTimeoutSeconds - This indicates API Token time. The default value is 10 minutes (600 seconds).

LoggerDirectory: Log files are created in the LoggerDirectory.If the path does not exist, the application will create it. This should point to a path/drive where the application has access to. Note the use of environmental variables is allowed here. Example - %ProgramData% (by default, this is c:\programData).

CsvFileOutputDirectory - The Active Directory extraction tool always store the LDAP records into a directory. This needs to be the name of the output directory and not a file name.

PublicApiRecordsPerBatch: the # of LDAP records to batch per API call. The default value is 400 i.e.it push 400 LDAP records at a time. Note that large values (approx. 1000) could cause buffering and serialization delays, as well as excessive memory or bandwidth.

LDAPFieldNameToApiFieldNameMapping - This maps LDAP property values to standard field names expected by the API. For example, the standard api field ‘FirstName’ is mapped using the LDAP property ‘gn’, with a fallback value in the field ‘givenName’. This kind of mapping is required since not all LDAP server implementations store the same information under the same name. for example, Wasp Barcode uses ‘givenName’ and ‘sn’ but not ‘gn’ and ‘surName’.

The order of “FALLBACK” is dependent on the order of appearance.

LDAPPropertiesToLoad -  By default, the known ‘standard’ as well as quasi-standard LDAP field names are requested from the LDAP server. The user is free to add additional fields, separated by commas.

LDAPSortOptionPropertyName - By default, request that the LDAP server sort by SamAccountName when returning the records.

LDAPFilterEmployeesOrStaffMembers - This is the basic template for querying employees/staff members. Each LDAP administrator is expected to know the exact values.

LDAPFilterCustomersOrStudents - This is the basic template for querying students or customers of an educational institution. This will vary from business to business. Note that wasp barcode technologies do not have the concept of STUDENTS.

Command line parameters

If the first command line parameter contains the string “customer” or “student” then students/customers will be extracted and synchronized using the public API.

Likewise, if the first command line parameter contains the string “employee” or “staff” then employees/staffs will be extracted and synchronized using the public API.

Likewise, if the first command line parameter contains the patterns from both sets, then the LDAP extraction tool will synchronize both students/customers and employees/staffs.

Resources (LDAP Queries)

https://ldapwiki.com/wiki/LDAP

https://ldapwiki.com/wiki/LDAP%20Result%20Codes

What are the LDAP query fragments

we want users, and things such as computers will not be included:

(objectClass=user)     (objectCategory=person)

We DO NOT want fictitious user logins: eg the default local admin for each windows laptop:

(!(samAccountType=805306369))   

We only want accounts where the bit flag 0x000002 is NOT SET (eg, active records that are NOT deactivated):

(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))

LDAP queries DO NOT support the NOT EQUAL operator. So to say Field <> SomeValue, do this: (!(Field=SomeValue))

LDAP queries are joined using this syntax:

(some condition) or (some other condition) or (another condition), use the pipe:

(| ((some condition) (some other condition) (another condition)    ))

Joining using logical AND should use & instead of the pipe.

LDAP also supports bit and:

(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))