1Net::LDAP::FAQ(3) User Contributed Perl Documentation Net::LDAP::FAQ(3)
2
3
4
6 Net::LDAP::FAQ - Frequently Asked Questions about Net::LDAP
7
9 perldoc Net::LDAP::FAQ
10
12 This document serves to answer the most frequently asked questions on
13 both the perl-ldap Mailing List and those sent to Graham Barr.
14
15 The latest version of this FAQ can be found at
16
17 http://ldap.perl.org/FAQ.html
18
20 What is perl-ldap?
21 perl-ldap is the distribution name. The perl-ldap distribution contains
22 the Net::LDAP modules.
23
24 Why another Perl LDAP implementation?
25 perl-ldap's goal is to be as portable as possible. It does this by
26 being implemented completely in Perl. So basically anywhere that Perl
27 runs perl-ldap will run. This is not true for other implementations
28 which require a C compiler.
29
30 Where can I get it?
31 Perl-ldap is available from CPAN. You can find the released versions
32 at:
33
34 http://search.cpan.org/dist/perl-ldap/
35
36 Is there a web page for perl-ldap?
37 Yes there is at http://ldap.perl.org/
38
39 Is there a mailing list?
40 Yes there is at perl-ldap@perl.org
41
42 You can subscribe to this list by mailing perl-ldap-subscribe@perl.org
43
44 Is the mailing list archived?
45 Yes, at http://nntp.perl.org/group/perl.ldap
46
47 Archives with messages before we switched to using perl.org can be
48 found at
49
50 http://marc.theaimsgroup.com/?l=perl-ldap-dev
51
52 There is also an archive of the perl-ldap mailing list at
53
54 http://www.xray.mpe.mpg.de/mailing-lists/perl-ldap/
55
56 which also has messages from before the move.
57
58 Is there any online documentation?
59 Yes. perl-ldap has online documentation at
60
61 http://ldap.perl.org/
62
63 which will have the latest documentation available.
64
65 Is there a public repository?
66 Yes, there is a public Git repository at
67
68 https://github.com/perl-ldap/perl-ldap
69
70 Can I get perl-ldap from the public Git repository?
71 Yes, anyone can pull perl-ldap from the public Git repository on
72 GitHub.
73
74 There are several ways this can be done - see below.
75
76 CPAN
77 You can download it from CPAN by following the "Download" link on:
78
79 http://search.cpan.org/dist/perl-ldap/
80
81 Example;
82
83 http://search.cpan.org/CPAN/authors/id/M/MA/MARSCHAP/perl-ldap-0.54.tar.gz
84
85 Git - fork on GitHub
86 If you have an account on GitHub (there's a free variant), you can
87 easily fork the perl-ldap repository on GitHub. When logged on to
88 GitHub, navigate to the perl-ldap repository
89
90 https://github.com/perl-ldap/perl-ldap
91
92 and simply click on the "Fork" button near the top-right corner.
93
94 Git - clone repository
95 You can download latest development version of perl-ldap from
96 GitHub by cloning the repository using the command:
97
98 git clone https://github.com/perl-ldap/perl-ldap.git
99
100 This command will create a directory named 'perl-ldap' in your
101 current directory containing a local clone of the repository.
102
103 Keeping your local repository in sync with perl-ldap's GitHub
104 repository is easy:
105
106 cd perl-ldap
107 git pull
108
109 Web page
110 Most of the time there is a URL link on the perl-ldap home page on
111 ldap.perl.org that points to the latest released version of perl-
112 ldap. Due to the fact that humans must update the web page to
113 point to a new release it sometimes does not get updated as quickly
114 as it should.
115
116 What is Git?
117 Git (see http://git-scm.com) is a distributed version control system
118 designed to keep track of source changes made by groups of developers
119 working on the same files, allowing them to stay in sync with each
120 other as each individual chooses.
121
123 In order to help the user understand the perl-ldap module better some
124 key LDAP terminology is defined here.
125
126 What is a directory?
127 A directory is a special purpose hierarchical database that usually
128 contains typed information such as text strings, binary data, or X.509
129 certificates.
130
131 What is LDAP?
132 LDAP stands for Lightweight Directory Access Protocol. The word
133 Protocol is the key word in the definition given in the preceding
134 sentence, LDAP is NOT hardware or software. It is a protocol that
135 defines how a client and server will communicate with one another.
136
137 The Lightweight Directory Access Protocol is defined in a series of
138 Requests For Comments, better known as RFCs. The RFCs can be found on
139 the Internet at http://www.ietf.org/ (the master repository) and many
140 other places. There's a link to all the LDAP-related RFCs at perl-
141 ldap's web site, http://ldap.perl.org/rfc.html. Some of the more
142 important RFC numbers are RFC 4510 - 4519 for LDAP (previously called
143 LDAPv3) and the historic RFC 1777 for LDAPv2.
144
145 What is a LDAP Directory?
146 In the strictest terms of the definition there is no such thing as a
147 LDAP directory. To be practical about this situation every day
148 directory professionals refer to their directory as " a LDAP directory"
149 because it is easy to say and it does convey the type of protocol used
150 to communicate with their directory. Using this definition a LDAP
151 directory is a directory whose server software conforms to the
152 Lightweight Directory Access Protocol when communicating with a client.
153
154 What is an Entry?
155 The traditional directory definition of a directory object is called an
156 Entry. Entries are composed of attributes that contain the information
157 to be recorded about the object.
158
159 (An entry in LDAP is somewhat analogous to a record in a table in an
160 SQL database, but don't get too hung up about this analogy!)
161
162 Entries are held in an upside-down tree structure. Entries can
163 therefore contain subordinate entries, and entries must have one direct
164 superior entry.
165
166 Entries with subordinate entries are called 'non-leaf' entries.
167
168 Entries without subordinate entries are called 'leaf' entries.
169
170 An entry's direct superior entry is called the entry's 'parent'.
171
172 'Non-leaf' entries are also said to have 'child' entries.
173
174 What is an attribute?
175 The entry(s) in a directory are composed of attributes that contain
176 information about the object. Each attribute has a type and can
177 contain one or more values.
178
179 For example:
180
181 cn=Road Runner
182
183 is an attribute with a type named "cn", and one value.
184
185 Each attribute is described by a 'syntax' which defines what kind of
186 information can be stored in the attributes values. Trying to store a
187 value that doesn't conform to the attribute's syntax will result in an
188 error.
189
190 For example:
191
192 jpegPhoto=unknown
193
194 is not permitted by the directory, because jpegPhotos may only contain
195 JPEG-formatted images.
196
197 Most syntaxes used in LDAP however describe text strings rather than
198 binary objects (like JPEGs or certificates.)
199
200 In LDAPv3 most of these syntaxes support Unicode encoded using UTF-8.
201 Because the Net::LDAP modules do not change the strings that you pass
202 in as attribute values (they get sent to the LDAP server as-is) to use
203 accented characters you simply need to encode your strings in UTF-8.
204 There are modules on CPAN that will help you here.
205
206 Note that LDAPv2 servers used something called T.61 instead of Unicode
207 and UTF-8. Most servers do not implement T.61 correctly, and it is
208 recommended that you use LDAPv3 instead.
209
210 Attributes may also be searched. The algorithms used to perform
211 different kinds of searches are described by the attribute's 'matching
212 rules'. Some matching rules are case-sensitive and some are case-
213 insensitive, for example. Sometimes matching rules aren't defined for
214 a particular attribute: there's no way to search for jpegPhotos that
215 contain a substring!
216
217 You can examine all of a server's attribute definitions by reading the
218 schema from the server.
219
220 What is an object class?
221 An object class is the name associated with a group of attributes that
222 must be present in an entry, and the group of attributes that may also
223 be present in an entry.
224
225 Object classes may be derived (subclassed) from other object classes.
226 For example the widely used 'inetOrgPerson' object class is derived
227 from 'organizationalPerson', which is itself derived from 'person'
228 which is itself derived from 'top'.
229
230 Every entry has an attribute called 'objectClass' that lists all the
231 names of object classes (and their superclasses) being used with the
232 entry.
233
234 You can examine all of a server's objectclass definitions by reading
235 the schema from the server.
236
237 What is a Distinguished Name (DN)?
238 Every entry in a directory has a Distinguished Name, or DN. It is a
239 unique Entry identifier throughout the complete directory. No two
240 Entries can have the same DN within the same directory.
241
242 Examples of DNs:
243
244 cn=Road Runner, ou=bird, dc=cartoon, dc=com
245 ou=bird, dc=cartoon, dc=com
246 dc=cartoon, dc=com
247 dc=com
248
249 What is a Relative Distinguished Name?
250 Every DN is made up of a sequence of Relative Distinguished Names, or
251 RDNs. The sequences of RDNs are separated by commas (,). In LDAPv2
252 semi-colons (;) were also allowed. There can be more than one
253 identical RDN in a directory, but they must have different parent
254 entries.
255
256 Technically, an RDN contains attribute-value assertions, or AVAs. When
257 an AVA is written down, the attribute name is separated from the
258 attribute value with an equals (=) sign.
259
260 Example of a DN:
261
262 cn=Road Runner,ou=bird,dc=cartoon,dc=com
263
264 RDNs of the proceeding DN:
265 RDN => cn=Road Runner
266 RDN => ou=bird
267 RDN => dc=cartoon
268 RDN => dc=com
269
270 RDNs can contain multiple attributes, though this is somewhat unusual.
271 They are called multi-AVA RDNs, and each AVA is separated in the RDN
272 from the others with a plus sign (+).
273
274 Example of a DN with a multi-AVA RDN:
275
276 cn=Road Runner+l=Arizona,ou=bird,dc=cartoon,dc=com
277
278 Where is an entry's name held?
279 Entries do not contain their DN. When you retrieve an entry from a
280 search, the server will tell you the DN of each entry.
281
282 On the other hand, entries do contain their RDN. Recall that the RDN is
283 formed from one or more attribute-value assertions (AVAs); each entry
284 must contain all the attributes and values in the RDN.
285
286 For example the entry:
287
288 cn=Road Runner+l=Arizona,ou=bird,dc=cartoon,dc=com
289
290 must contain a 'cn' attribute containing at least the value "Road
291 Runner", and an 'l' attribute containing at least the value "Arizona".
292
293 The attributes used in the RDN may contain additional values, but the
294 entry still only has one DN.
295
296 What is a search base?
297 A search base is a Distinguished Name that is the starting point of
298 search queries.
299
300 Example of a DN:
301
302 cn=Road Runner,ou=bird,dc=cartoon,dc=com
303
304 Possible search base(s) for the proceeding DN:
305
306 Base => cn=Road Runner,ou=bird,dc=cartoon,dc=com
307 Base => ou=bird,dc=cartoon,dc=com
308 Base => dc=cartoon,dc=com
309 Base => dc=com
310
311 Setting the search base to the lowest possible branch of the directory
312 will speed up searches considerably.
313
314 What is the difference between a LDAP server and a relational database?
315 The most basic difference is that a directory server is a specialized
316 database designed to provide fast searches. While a relational database
317 is optimized for transactions (where a series of operations is counted
318 as 1, thus if one of the steps fails, the RDBMS can roll-back to the
319 state it was in before you started).
320
321 Directories also typically are hierarchical in nature (RDBMS is
322 typically flat, but you can implement a hierarchy using tables and
323 queries), networkable, distributed and replicated.
324
325 LDAP provides an open-standard to a directory service.
326
327 Typically we use LDAP for email directories (all popular email clients
328 provide an LDAP client now) and authorization services (authentication
329 and access control).
330
331 You could use a RDBMS for these types of queries but there's no set
332 standard, in particular over TCP/IP to connect to databases over the
333 network. There's language specific protocols (like Perl's DBI and
334 Java's JDBC) that hide this problem behind an API abstraction, but
335 that's not a replacement for a standard access protocol.
336
337 LDAP is starting to be used on roles traditionally played by RDBMS in
338 terms of general data management because it's easier to setup a LDAP
339 server (once you understand the basic nomenclature) and you don't need
340 a DBA to write your queries and more importantly all LDAP servers speak
341 the same essential protocol, thus you don't have to fuss with a
342 database driver trying to connect it to the Internet. Once you have an
343 LDAP server up and running, it's automatically available over the 'net.
344 It's possible to connect to a LDAP server from a variety of mechanisms,
345 including just about every possible programming language.
346
347 More information on this topic can be found on the following URLs;
348
349 http://www.openldap.org/faq/data/cache/378.html
350
351 http://www.isode.com/whitepapers/ic-6055.html
352
353 What is the difference between a ldap reference and a ldap referral?
354 A referral is returned when the entire operation must be resent to
355 another server.
356
357 A continuation reference is returned when part of the operation must be
358 resent to another server.
359
360 See RFC 4511 section 4.5.3 for more details.
361
363 How do I install perl-ldap?
364 To install the modules that are in the perl-ldap distribution follow
365 the same steps that you would for most other distributions found on
366 CPAN, that is
367
368 # replace 0.62 with the version you have
369
370 gunzip perl-ldap-0.62.tar.gz
371 tar xvf perl-ldap-0.62.tar
372 cd perl-ldap-0.62
373
374 perl Makefile.PL
375 make
376 make test
377 make install
378
379 But I do not have make, how can I install perl-ldap?
380 Well as luck would have it the modules in perl-ldap do not do anything
381 complex, so a simple copy is enough to install. First run
382
383 perl -V
384
385 This will output information about the version of Perl you have
386 installed. Near the bottom you will find something like
387
388 @INC:
389 /usr/local/lib/perl/5.18.2
390 /usr/local/share/perl/5.18.2
391 /usr/lib/perl5
392 /usr/share/perl5
393 /usr/lib/perl/5.18
394 /usr/share/perl/5.18
395 /usr/local/lib/site_per
396
397 This is a list of directories that Perl searches when it is looking for
398 a module. The directory you need is the site_perl directory, but
399 without the system architecture name, in this case it is
400 "/usr/local/lib/site_perl". The files required can then be installed
401 with
402
403 # replace 0.62 with the version you have
404
405 gunzip perl-ldap-0.62.tar.gz
406 tar xvf perl-ldap-0.62.tar
407 cd perl-ldap-0.62/lib
408
409 cp -r * /usr/local/lib/site_perl
410
411 How can I load perl-ldap into an ActiveState Perl installation?
412 There are several ways that perl-ldap can be installed into an
413 ActiveState Perl tree.
414
415 1. The ActiveState ppm command can be used to install perl-ldap. When
416 a new version of perl-ldap is released, it takes ActiveState a
417 period of time to get the new release into the ActiveState ppm
418 system.
419
420 2. If the user has nmake installed, the user can do a normal Perl
421 module install using nmake instead of make.
422
423 3. If the user does not have nmake or make, the user can install perl-
424 ldap using the install-nomake script by issuing the following
425 command.
426
427 perl install-nomake
428
429 The install-nomake script can be used on any system that does not
430 have make installed.
431
432 What other modules will I need?
433 perl-ldap uses other Perl modules. Some are required, but some are
434 optional (i.e. required to use certain features only).
435
436 If you are using a Linux system, many of the distributions have
437 packages that you can install using the distribution's package
438 management tools (e.g. apt, rpm, ...).
439
440 Alternatively, you may use your favorite web search engine to find the
441 package that you need.
442
443 Convert::ASN1
444 This module converts between Perl data structures and ASN.1, and is
445 required for perl-ldap to work.
446
447 You can obtain the latest release from
448 http://search.cpan.org/search?module=Convert::ASN1
449
450 OpenSSL and IO::Socket::SSL
451 If you want to use encrypted connections, either via start_tls or
452 LDAPS connections, you will need this module and the OpenSSL
453 software package.
454
455 You can obtain the latest release of IO::Socket::SSL from
456 http://search.cpan.org/search?module=IO::Socket::SSL
457
458 You can obtain the latest release of OpenSSL from
459 http://www.openssl.org/
460
461 IO::Socket::INET6
462 For connecting to LDAP servers via IPv6, IO::Socket::INET6 is
463 required. Its presence is detected at runtime, so that perl-ldap
464 can be installed without it, and automatically gains IPv6 support
465 as soon as IO::Socket::INET6 gets installed.
466
467 You can obtain the latest releases from
468 http://search.cpan.org/search?module=IO::Socket::INET6
469
470 IO::Socket::IP
471 This is an alternative to using IO::Socket::INET6. Like that
472 module, it gets detected automatically at runtime. If version 0.20
473 or higher is installed, is is preferred over IO::Socket::INET6 and
474 IO::Socket::INET for all IP connections.
475
476 You can obtain the latest releases from
477 http://search.cpan.org/search?module=IO::Socket::IP
478
479 Authen::SASL
480 This module is optional. You only need to install Authen::SASL if
481 you want to use the SASL authentication methods.
482
483 You can obtain the latest release from
484 http://search.cpan.org/search?module=Authen::SASL
485
486 Digest::MD5
487 This module is optional. It also requires a C compiler when
488 installing. You only need to install Digest::MD5 if you want to
489 use the SASL DIGEST-MD5 authentication mechanism.
490
491 You can obtain the latest release from
492 http://search.cpan.org/search?module=Digest::MD5
493
494 As Digest::MD5 is part of the Perl core modules since Perl 5.7.3,
495 you only need a C compiler if you want to install a version that is
496 newer than the version distributed with your Perl installation.
497
498 Digest::HMAC_MD5
499 This optional module is required only if you want to use the SASL
500 CRAM-MD5 authentication mechanism.
501
502 You can obtain the latest release from
503 http://search.cpan.org/search?module=Digest::HMAC_MD5
504
505 GSSAPI
506 This optional module is required only if you want to use the SASL
507 GSSAPI authentication mechanism (e.g. for Kerberos authentication).
508
509 You can obtain the latest release from
510 http://search.cpan.org/search?module=GSSAPI
511
512 URI::ldap, URI::ldaps, and URI::ldapi
513 These modules are optional. You only need to install them if you
514 want to parse ldap://, ldaps:// or ldapi:// URIs using
515 ldap_parse_uri in Net::LDAP::Util. or use LWP::Protocol::ldap,
516 LWP::Protocol::ldaps, or LWP::Protocol::ldapi.
517
518 You can obtain the latest releases from
519 http://search.cpan.org/search?module=URI::ldap
520 http://search.cpan.org/search?module=URI::ldaps
521 http://search.cpan.org/search?module=URI::ldapi
522
523 LWP::Protocol, LWP::MediaTypes, HTTP::Negotiate, and HTTP::Response
524 These optional modules are needed if you want to use perl-ldap's
525 LWP::Protocol::ldap, LWP::Protocol::ldaps, or LWP::Protocol::ldapi
526 modules.
527
528 You can obtain the latest releases from
529 http://search.cpan.org/search?module=LWP::Protocol
530 http://search.cpan.org/search?module=LWP::MediaTypes
531 http://search.cpan.org/search?module=HTTP::Negotiate
532 http://search.cpan.org/search?module=HTTP::Response
533
534 JSON
535 This optional module is required for JSON-formatted output of perl-
536 ldap's LWP::Protocol::ldap, LWP::Protocol::ldaps, or
537 LWP::Protocol::ldapi modules.
538
539 If you need it, you can obtain the latest releases from
540 http://search.cpan.org/search?module=JSON
541
542 Time::Local
543 This module is optional, and only required if you want to convert
544 between UNIX time and generalizedTime using the functions provided
545 in Net::LDAP::Util.
546
547 XML::SAX and XML::SAX::Writer
548 If you want to parse or write DSMLv1 documents with Net::LDAP::DSML
549 to you will need these optional modules.
550
551 You can obtain the latest releases from
552 http://search.cpan.org/search?module=XML::SAX
553 http://search.cpan.org/search?module=XML::SAX::Writer
554
555 ResourcePool::Factory::Net::LDAP
556 If you want to use failover the ResourcePool::Factory::Net::LDAP
557 Perl module provides methods to do this.
558
559 You can obtain the latest release from
560 http://search.cpan.org/search?module=ResourcePool::Factory::Net::LDAP
561
563 How do I connect to my server?
564 The connection to the server is created when you create a new Net::LDAP
565 object, e.g.
566
567 $ldap = Net::LDAP->new($server);
568
569 Net::LDAP->new sometimes returns undef, why?
570 The constructor will return undef if there was a problem connecting to
571 the specified server. Any error message will be available in $@
572
573 What is the proper format of the bind DN?
574 The DN used to bind to a directory is a FULLY QUALIFIED DN. The exact
575 structure of the DN will depend on what data has been stored in the
576 server.
577
578 The following are valid examples.
579
580 uid=clif,ou=People,dc=umich,dc=edu
581
582 cn=directory manager,ou=admins,dc=umich,dc=edu
583
584 In some servers the following would be a valid fully qualified DN of
585 the directory manager.
586
587 cn=directory manager
588
589 How can I tell when the server returns an error, bind() always returns
590 true?
591 Most methods in Net::LDAP return a Net::LDAP::Message object, or a sub-
592 class of that. This object will hold the results from the server,
593 including the result code.
594
595 So, for example, to determine the result of the bind operation.
596
597 $mesg = $ldap->bind( $dn, password => $passwd );
598
599 if ( $mesg->code ) {
600 # Handle error codes here
601 }
602
603 How can I set the LDAP version of a connection to my LDAP server?
604 This is done by adding the version option when connecting or binding to
605 the LDAP server.
606
607 For example;
608
609 $ldap = Net::LDAP->new( $server, version => 3 );
610
611 or
612
613 $mesg = $ldap->bind( $dn, password => $passwd, version => 3 );
614
615 Valid version numbers are 2 and 3. As of perl-ldap 0.27 the default
616 LDAP version is 3.
617
618 I did a search on my directory using the 'search' method. Where did the
619 results go?
620 Your search results are stored in a 'search object'. Consider the
621 following:
622
623 use Net::LDAP;
624
625 $ldap = Net::LDAP->new('ldap.acme.com') or die "$@";
626 $mesg = $ldap->search(
627 base => "o=acme.com",
628 filter => "uid=jsmith",
629 );
630
631 $mesg is a search object. It is a reference blessed into the
632 Net::LDAP::Search package. By calling methods on this object you can
633 obtain information about the result and also the individual entries.
634
635 The first thing to check is if the search was successful. This is done
636 with the method $mesg->code. This method will return the status code
637 that the server returned. A success will yield a zero value, but there
638 are other values, some of which could also be considered a success.
639 See Net::LDAP::Constant
640
641 use Net::LDAP::Util qw(ldap_error_text);
642
643 die ldap_error_text($mesg->code)
644 if $mesg->code;
645
646 There are two ways in which you can access the entries. You can access
647 then with an index or you can treat the container like a stack and
648 shift each entry in turn. For example
649
650 # as an array
651
652 # How many entries were returned from the search
653 my $max = $mesg->count;
654
655 for (my $index = 0 ; $index < $max ; $index++) {
656 my $entry = $mesg->entry($index);
657 # ...
658 }
659
660 # or as a stack
661
662 while (my $entry = $mesg->shift_entry) {
663 # ...
664 }
665
666 In each case $entry is an entry object. It is a reference blessed into
667 the Net::LDAP::Entry package. By calling methods on this object you can
668 obtain information about the entry.
669
670 For example, to obtain the DN for the entry
671
672 $dn = $entry->dn;
673
674 To obtain the attributes that a given entry has
675
676 @attrs = $entry->attributes;
677
678 And to get the list of values for a given attribute
679
680 @values = $entry->get( 'sn' );
681
682 And to get the first of the values for a given attribute
683
684 $values = $entry->get( 'cn' );
685
686 One thing to remember is that attribute names are case insensitive, so
687 'sn', 'Sn', 'sN' and 'SN' are all the same.
688
689 So, if you want to print all the values for the attribute 'ou' then
690 this is as simple as
691
692 foreach ($entry->get_value( 'ou' )) {
693 print $_,"\n";
694 }
695
696 Now if you just want to print all the values for all the attributes you
697 can do
698
699 foreach my $attr ($entry->attributes) {
700 foreach my $value ($entry->get_value($attr)) {
701 print $attr, ": ", $value, "\n";
702 }
703 }
704
705 How do I limit the scope of a directory search?
706 You limit the scope of a directory search by setting the scope
707 parameter of search request. Consider the following:
708
709 use Net::LDAP;
710
711 $ldap = Net::LDAP->new('ldap.acme.com') or die "$@";
712 $mesg = $ldap->search(
713 base => "o=acme.com",
714 scope => 'sub',
715 filter => "uid=jsmith",
716 );
717
718 Values for the scope parameter are as follows.
719
720 base
721 Search only the base object.
722
723 one Search the entries immediately below the base object.
724
725 sub
726 subtree
727 Search the whole tree below (and including) the base object. This
728 is the default.
729
730 children
731 Search the whole subtree below the base object, excluding the base
732 object itself.
733
734 Note: children scope requires LDAPv3 subordinate feature extension.
735
737 There are two ways of retrieving the results of a requested LDAP
738 search; inline and by using a callback subroutine.
739
740 USING THE INLINE APPROACH
741 Using the inline approach involves requesting the data and then waiting
742 for all of the data to be returned before the user starts processing
743 the data.
744
745 Example:
746
747 use Net::LDAP;
748
749 $ldap = Net::LDAP->new('ldap.acme.com') or die "$@";
750 $mesg = $ldap->search(
751 base => "o=acme.com",
752 scope => 'sub',
753 filter => "sn=smith",
754 );
755 #
756 # At this point the user can get the returned data as an array
757 # or as a stack.
758 # In this example we will use an array
759
760 # How many entries were returned from the search
761 my $max = $mesg->count;
762
763 for (my $index = 0 ; $index < $max ; $index++)
764 {
765 my $entry = $mesg->entry($index);
766 my $dn = $entry->dn; # Obtain DN of this entry
767
768 @attrs = $entry->attributes; # Obtain attributes for this entry.
769 foreach my $var (@attrs)
770 {
771 #get a list of values for a given attribute
772 $attr = $entry->get_value( $var, asref => 1 );
773 if ( defined($attr) )
774 {
775 foreach my $value ( @$attr )
776 {
777 print "$var: $value\n"; # Print each value for the attribute.
778 }
779 }
780 }
781 }
782
783 As you can see the example is straightforward, but there is one
784 drawback to this approach. You must wait until all entries for the
785 request search to be returned before you can process the data. If
786 there several thousand entries that match the search filter this could
787 take quite a long time period.
788
789 USING THE CALLBACK SUBROUTINE APPROACH
790 Using the callback approach involves requesting the data be sent to a
791 callback subroutine as each entry arrives at the client.
792
793 A callback is just a subroutine that is passed two parameters when it
794 is called, the mesg and entry objects.
795
796 Example:
797
798 use Net::LDAP;
799
800 $ldap = Net::LDAP->new('ldap.acme.com') or die "$@";
801 $mesg = $ldap->search(
802 base => "o=acme.com",
803 scope => 'sub',
804 filter => "sn=smith",
805 callback => \&callback,
806 );
807 #
808 # At this point the user needs to check the status of the
809 # ldap search.
810 #
811
812 if ( $mesg->code )
813 {
814 $errstr = $mesg->code;
815 print "Error code: $errstr\n";
816 $errstr = ldap_error_text($errstr);
817 print "$errstr\n";
818 }
819
820
821 sub callback
822 {
823 my ( $mesg, $entry) = @_;
824
825 #
826 # First you must check to see if something was returned.
827 # Last execution of callback subroutine will have no
828 # defined entry and mesg object
829 #
830 if ( !defined($entry) )
831 {
832 print "No records found matching filter $match.\n"
833 if ($mesg->count == 0) ; # if mesg is not defined nothing will print.
834 return;
835 }
836
837 my $dn = $entry->dn; # Obtain DN of this entry
838
839 @attrs = $entry->attributes; # Obtain attributes for this entry.
840 foreach my $var (@attrs)
841 {
842 #get a list of values for a given attribute
843 $attr = $entry->get_value( $var, asref => 1 );
844 if ( defined($attr) )
845 {
846 foreach my $value ( @$attr )
847 {
848 print "$var: $value\n"; # Print each value for the attribute.
849 }
850 }
851 }
852 #
853 # For large search requests the following line of code
854 # may be very important, it will reduce the amount of memory
855 # used by the search results.
856 #
857 # If the user is not worried about memory usage then the line
858 # of code can be omitted.
859 #
860 $mesg->pop_entry;
861
862 } # End of callback subroutine
863
864 As you can see the example is straightforward and it does not waste
865 time waiting for all of the entries to be returned. However if the
866 pop_entry method is not used the callback approach can allocate a lot
867 of memory to the search request.
868
870 Using an SSL network connection, how do I connect to my server?
871 This class is a subclass of Net::LDAP so all the normal Net::LDAP
872 methods can be used with a Net::LDAPS object; see the documentation for
873 Net::LDAP to find out how to query a directory server using the LDAP
874 protocol.
875
876 The connection to the server is created when you create a new
877 Net::LDAPS object, e.g.
878
879 $ldaps = Net::LDAPS->new($server,
880 port => '10000',
881 verify => 'require',
882 capath => '/usr/local/cacerts/',
883 );
884
885 Starting with version 0.28 perl-ldap also supports URIs in the new
886 method. So, the above can also be expressed as:
887
888 $ldaps = Net::LDAP->new("ldaps://$server",
889 port => '10000',
890 verify => 'require',
891 capath => '/usr/local/cacerts/',
892 );
893
894 There are additional options to the new method with LDAPS URIs and the
895 LDAPS new method and several additional methods are included in the
896 LDAPS object class.
897
898 For further information and code examples read the LDAPS module
899 documentation; perldoc Net::LDAPS
900
902 What are LDAP groups?
903 LDAP groups are object classes that contain an attribute that can store
904 multiple DN values. Two standard object classes are 'groupOfNames'
905 (which has a 'member' attribute) and 'groupOfUniqueNames' (which has a
906 'uniqueMember' attribute.)
907
908 According to the RFCs a group can be a member of another group, but
909 some LDAP server vendors restrict this flexibility by not allowing
910 nested groups in their servers.
911
912 Two scripts for working with groups are available in the contrib
913 directory. They are isMember.pl and printMembers.pl.
914
915 How do you format a filter to search for entries whose 'member' attribute
916 has a particular value?
917 Asking for (member=*) is OK - the directory uses the equality matching
918 rule which is defined for the member attribute.
919
920 Asking for (member=c*) is not OK - there is no defined substring
921 matching rule for the member attribute. That's because the member
922 values are *not* strings, but distinguished names. There is no
923 substring matching rule for DNs, see RFC 4519 section 2.7.
924
925 What you have to do is get the results of (member=*) and then select
926 the required results from the returned values. You need to do this
927 using knowledge of the string representation of DNs defined in RFC
928 4514, which is important because the same DN can have different string
929 representations. So you need to perform some canonicalization if you
930 want to be correct.
931
933 How can I access DSML features from perl-ldap?
934 Directory Service Markup Language (DSML) is the XML standard for
935 representing directory service information in XML.
936
937 Support for DSML is included in perl-ldap starting with version .20.
938
939 At the moment this module only reads and writes DSML entry entities. It
940 cannot process any schema entities because schema entities are
941 processed differently than elements.
942
943 Eventually this module will be a full level 2 consumer and producer
944 enabling you to give you full DSML conformance.
945
946 The specification for DSML is at http://www.oasis-open.org/specs/
947
948 For further information and code examples read the DSML module
949 documentation; perldoc Net::LDAP::DSML
950
952 How do I access the Control features?
953 Support for LDAP version 3 Control objects is included in perl-ldap
954 starting with version .20.
955
956 For further information and code examples read the Control module
957 documentation; perldoc Net::LDAP::Control
958
959 How do I access the Virtual List features?
960 Support for Virtual Lists is included in perl-ldap starting with
961 version .20.
962
963 For further information and code examples read the Control module
964 documentation; perldoc Net::LDAP::Control
965
967 Are there any other code examples.
968 Yes, there is an Examples pod file. To view the pod do the following
969 command; perldoc Net::LDAP::Examples
970
971 There is user contributed software in the contrib directory that is
972 supplied with the perl-ldap distribution. This is an excellent source
973 of information on how to use the perl-ldap module.
974
975 Are there any performance issues with perl-ldap?
976 In the vast majority of use cases (one user has suggested 9 out of 10)
977 there are no performance issues with perl-ldap.
978
979 Where you may wish to use perl-ldap to perform, for example, a very
980 large number of queries (e.g. 10,000) in succession you may find a
981 noticeable performance difference between perl-ldap and non pure-Perl
982 modules. This is not because of perl-ldap itself but because of the
983 pure-Perl Convert::ASN1 module that it depends on.
984
985 You should make up your own mind, based upon your own situation
986 (performance requirements, hardware etc.) as to whether you should use
987 perl-ldap or not. The figures quoted in this answer are only
988 indicative, and will differ for different people.
989
990 Can I contribute Perl scripts that use perl-ldap to the contrib section?
991 Any one can submit a Perl script that uses perl-ldap for inclusion in
992 the contrib section. The perl-ldap maintainers will determiner if the
993 script will be included and will do the initial check in of the script
994 to the Git repository at https://github.com/perl-ldap/perl-ldap.
995
996 There are a couple of requirements for consideration.
997
998 You must supply a one line description of your script to be included in
999 the contrib README file.
1000
1001 Inside the script will be the pod documentation for the script. No
1002 auxiliary documentation will be allowed. For examples of how to do
1003 this see the tklkup script currently in the contrib section.
1004
1005 Is it possible to get a complete entry, DN and attributes without
1006 specifying the attributes name?
1007 Yes, just specify you want a list of no attributes back. The RFC says
1008 that this tells the server to return all readable attributes back
1009 (there may be access controls to prevent some from being returned.)
1010
1011 So in the search method, just set (for LDAPv2):
1012
1013 attrs => [ ]
1014
1015 If you are using LDAPv3, you can specify an attribute called "*"
1016 instead, which lets you ask for additional (i.g. operational)
1017 attributes in the same search.
1018
1019 attrs => [ "*" ]
1020
1021 To get all operational attributes in a search, some servers allow the
1022 use of the "+" pseudo attribute. So that with these servers
1023
1024 attrs => [ "*", "+" ]
1025
1026 will return the most information from the server.
1027
1028 How do I put a JPEG photo into a entry in the directory?
1029 Follow the following code example, replacing the (...) with whatever is
1030 relevant to your setup.
1031
1032 use Net::LDAP;
1033 use Net::LDAP::Util qw(ldap_error_text);
1034 use CGI;
1035
1036 local $/ = undef;
1037 my $jpeg = <$filename>;
1038
1039 my $ldap = Net::LDAP->new(...);
1040 my $res = $ldap->bind(...);
1041 $res = $ldap->modify(...,
1042 add => [ 'jpegPhoto' => [ $jpeg ] ]);
1043 $res = $ldap->unbind();
1044
1045 How do I add a jpeg photo into a entry in the directory via html-forms?
1046 Follow the following code example, replacing the (...) with whatever is
1047 relevant to your setup.
1048
1049 use Net::LDAP;
1050 use Net::LDAP::Util qw(ldap_error_text);
1051 use CGI;
1052
1053 my $q = new CGI;
1054
1055 print $q->header;
1056 print $q->start_html(-title => 'Change JPEG photo');
1057
1058 if ($q->param('Update')) {
1059 my $filename = $q->param('jpeg');
1060 local $/ = undef;
1061 my $jpeg = <$filename>;
1062
1063 my $ldap = Net::LDAP->new(...);
1064 my $res = $ldap->bind(...);
1065 $res = $ldap->modify(...,
1066 add => [ 'jpegPhoto' => [ $jpeg ] ]);
1067 $res = $ldap->unbind();
1068 } else {
1069 print $q->start_multipart_form();
1070 print $q->filefield(-name => 'jpeg', -size => 50);
1071 print $q->submit('Update');
1072 print $q->end_form();
1073 }
1074
1075 print $q->end_html();
1076
1077 What happens when you delete an attribute that does not exist?
1078 It is an error to delete an attribute that doesn't exist. When you get
1079 the error back the server ignores the entire modify operation you sent
1080 it, so you need to make sure the error doesn't happen.
1081
1082 Another approach, if you are using LDAPv3 (note beginning with version
1083 .27 Net::LDAP uses LDAPv3 by default) is to use a 'replace' with your
1084 attribute name and no values. In LDAPv3, this is defined to always
1085 work even if that attribute doesn't exist in the entry.
1086
1087 ie:
1088
1089 my $mesg = $ldap->modify( $entry, replace => { %qv_del_arry } );
1090
1091 But make sure you are using LDAPv3, because that is defined to not work
1092 in LDAPv2. (A nice incompatibility between LDAPv2 and LDAPv3.)
1093
1094 How can I delete a referral from an LDAP tree?
1095 Since this is a proprietary feature, you will have to check your
1096 server's documentation. You might find that you need to use a control.
1097 If there is a control called something like ManageDsaIT, that's the one
1098 you should probably use. For proper operation you will need the oid
1099 number for ManageDsaIT; 2.16.840.1.113730.3.4.2 and do not specify a
1100 value for type.
1101
1102 The code required will look similar to the following code snippet.
1103
1104 $mesg = $ldap->delete("ref=\"ldap://acme/c=us,o=bricks\",o=clay",
1105 control => {type => "2.16.840.1.113730.3.4.2"} );
1106
1107 How do I add an ACI/ACL entry to a directory server with perl-ldap?
1108 ACIs and ACLs are proprietary features in LDAP. The following code
1109 snippet works with a Netscape directory server. You will need the
1110 specify the correct DN (-DN-) and correct attribute(s) (-ATTRNAMEs-).
1111
1112 my $aci = '(target="ldap:///-DN-")(targetattr="-ATTRNAMEs-")(version 3.0;
1113 acl "-ACLNAME-"; deny(all) userdn = "ldap:///self";)' ;
1114
1115 $ldap->modify($dn_modif, add => {'aci' => $aci });
1116
1117 How do I avoid file type and data type mis-matching when loading data from
1118 a Win32 system?
1119 When loading a binary attribute with data read from a file on a Win32
1120 system, it has been noted that you should set "binmode" on the file
1121 before reading the file contents into the data array.
1122
1123 Another possible solution to this problem is to convert the binary data
1124 into a base64 encoded string and then store the encoded string in the
1125 file. Then when reading the file, decode the base64 encoded string
1126 back to binary and then use perl-ldap to store the data in the
1127 directory.
1128
1129 How do I create an account in Active Directory?
1130 Active Directory accounts need some AD-specific attributes (only the
1131 method we're interested in, no error checking):
1132
1133 $mesg = $ldap->add( 'cn=John Doe,cn=Users,dc=your,dc=ads,dc=domain',
1134 attrs => [
1135 objectClass => [ qw/top user/ ],
1136 cn => 'John Doe',
1137 sn => 'Doe',
1138 givenName => 'John',
1139 displayName => 'John "the one" Doe',
1140 userAccountControl => 514, # disabled regular user
1141 sAMAccountName => 'JohnDoe',
1142 userPrincipalName => 'JohnDoe@your.ads.domain'
1143 ]
1144 );
1145
1146 In order to find out what other attributes can be set, interactively
1147 edit the user in the Active Directory Users and Computers MCC plugin,
1148 perform an LDAP search operation to find out what changed, and update
1149 your "add" routine accordingly.
1150
1151 How can I create a group in Active Directory?
1152 Similar to accounts, groups need some AD-specific attributes too:
1153
1154 $mesg = $ldap->add( 'cn=NewGroup,cn=Users,dc=your,dc=ads,dc=domain',
1155 attrs => [
1156 objectClass => [ qw/top group/ ],
1157 cn => 'NewGroup',
1158 sAMAccountName => 'NewGroup',
1159 groupType => 0x80000002 # global, security enabled group
1160 ]
1161 );
1162
1163 How do I search for disabled accounts in Active Directory
1164 The bit values in "userAccountControl" require the
1165 LDAP_MATCHING_RULE_BIT_AND matching rule's OID to be used in an
1166 extensible filter term:
1167
1168 $mesg = $ldap->search( base => 'cn=Users,dc=your,dc=ads,dc=domain',
1169 filter => '(&(objectclass=user)' .
1170 (userAccountControl:1.2.840.113556.1.4.803:=2))',
1171 attrs => [ '1.1' ]
1172 );
1173
1174 How can I search for security groups in Active Directory
1175 With groups, the same applies to the "groupType" bit-field:
1176
1177 $mesg = $ldap->search( base => 'cn=Users,dc=your,dc=ads,dc=domain',
1178 filter => '(&(objectclass=group)' .
1179 (groupType:1.2.840.113556.1.4.803:=2147483648))',
1180 # 2147483648 = 0x80000000
1181 attrs => [ '1.1' ]
1182 );
1183
1184 How can I search for all members of a group in AD (including group
1185 nesting)?
1186 AD allows you to find all members of a specified group, the direct
1187 members plus those that are member of the group via group nesting.
1188
1189 The trick to this is the special "LDAP_MATCHING_RULE_IN_CHAIN" matching
1190 rule:
1191
1192 $mesg = $ldap->search( base => 'cn=Users,dc=your,dc=ads,dc=domain',
1193 filter => '(memberOf:1.2.840.113556.1.4.1941:=cn=Testgroup,dc=your,dc=ads,dc=domain)',
1194 attrs => [ '1.1' ]
1195 );
1196
1197 How can I search for all groups one user is a member of in AD (including
1198 group nesting)?
1199 Similarly you can search for all the groups one user is member of,
1200 either directly or via group nesting.
1201
1202 $mesg = $ldap->search( base => 'dc=your,dc=ads,dc=domain',
1203 filter => '(member:1.2.840.113556.1.4.1941:=cn=TestUser,ou=Users,dc=your,dc=ads,dc=domain)',
1204 attrs => [ '1.1' ]
1205 );
1206
1207 How do I search for all members of a large group in AD?
1208 AD normally restricts the number of attribute values returned in one
1209 query. The exact number depends on the AD server version: it was ~1000
1210 in Win2000, 1500 in Win2003 and is 5000 in Win2008 & Win2008R2.
1211
1212 Performing the same standard search again will yield the same values
1213 again.
1214
1215 So, how can you get all members of a really large AD group?
1216
1217 The trick to use here is to use Microsoft's range option when
1218 searching, i.e instead of doing one search for plain "member", perform
1219 multiple searches for e.g. "member;range=1000-*" where the range
1220 starting index increases accordingly:
1221
1222 my $mesg;
1223 my @members;
1224 my $index = 0;
1225
1226 while ($index ne '*') {
1227 $mesg = $ldap->search( base => 'cn=Testgroup,dc=your,dc=ads,dc=domain',
1228 filter => '(objectclass=group)',
1229 scope => 'base',
1230 attrs => [ ($index > 0) ? "member;range=$index-*" : 'member' ]
1231 );
1232 if ($mesg->code == LDAP_SUCCESS) {
1233 my $entry = $mesg->entry(0);
1234 my $attr;
1235
1236 # large group: let's do the range option dance
1237 if (($attr) = grep(/^member;range=/, $entry->attributes)) {
1238 push(@members, $entry->get_value($attr));
1239
1240 if ($attr =~ /^member;range=\d+-(.*)$/) {
1241 $index = $1;
1242 $index++ if ($index ne '*');
1243 }
1244 }
1245 # small group: no need for the range dance
1246 else {
1247 @members = $entry->get_value('member');
1248 last;
1249 }
1250 }
1251 # failure
1252 else {
1253 last;
1254 }
1255 }
1256
1257 if ($mesg->code == LDAP_SUCCESS) {
1258 # success: @members contains the members of the group
1259 }
1260 else {
1261 # failure: deal with the error in $mesg
1262 }
1263
1264 See
1265 <http://msdn.microsoft.com/en-us/library/windows/desktop/aa367017.aspx>
1266 for more details.
1267
1268 How do I create a Microsoft Exchange 5.x user?
1269 This is a solution provided by a perl-ldap user.
1270
1271 This code works with ActiveState Perl running on WinNT 4. Please note
1272 that this requires the Win32::Perms module, and needs valid NT account
1273 info to replace the placeholders.
1274
1275 use Net::LDAP;
1276 use Net::LDAP::Util;
1277 use Win32::Perms;
1278
1279 #Constants taken from ADSI Type Library
1280 $ADS_RIGHT_EXCH_ADD_CHILD = 1;
1281 $ADS_RIGHT_EXCH_DELETE = 0x10000;
1282 $ADS_RIGHT_EXCH_DS_REPLICATION = 64;
1283 $ADS_RIGHT_EXCH_DS_SEARCH = 256;
1284 $ADS_RIGHT_EXCH_MAIL_ADMIN_AS = 32;
1285 $ADS_RIGHT_EXCH_MAIL_RECEIVE_AS = 16;
1286 $ADS_RIGHT_EXCH_MAIL_SEND_AS = 8;
1287 $ADS_RIGHT_EXCH_MODIFY_ADMIN_ATT = 4;
1288 $ADS_RIGHT_EXCH_MODIFY_SEC_ATT = 128;
1289 $ADS_RIGHT_EXCH_MODIFY_USER_ATT = 2;
1290
1291 $EXCH_USER_RIGHTS = $ADS_RIGHT_EXCH_MAIL_RECEIVE_AS |
1292 $ADS_RIGHT_EXCH_MAIL_SEND_AS |
1293 $ADS_RIGHT_EXCH_MODIFY_USER_ATT;
1294
1295 $exch = Net::LDAP->new('server', debug =>0) || die $@;
1296
1297 $exch->bind( 'cn=admin_user,cn=nt_domain,cn=admin', version =>3,
1298 password=>'password');
1299
1300 $myObj = Win32::Perms->new();
1301 $Result = $myObj->Owner('nt_domain\user_name');
1302 $myObj->Group('nt_domain\Everyone');
1303 $myObj->Allow('nt_domain\user_name',
1304 $EXCH_USER_RIGHTS,OBJECT_INHERIT_ACE);
1305 $BinarySD = $myObj->GetSD(SD_RELATIVE);
1306 $TextSD = uc(unpack( "H*", $BinarySD ));
1307 Win32::Perms::ResolveSid('nt_domain\user_name', $sid);
1308 $mysid = uc(unpack("H*",$sid));
1309
1310 $result = $exch->add ( dn =>
1311 'cn=user_name,cn=container,ou=site,o=organisation',
1312 attr => [ 'objectClass' => ['organizationalPerson'],
1313 'cn' => 'directory_name',
1314 'uid' => 'mail_nickname',
1315 'mail' => 'smtp_address',
1316 'assoc-nt-account' => [ $mysid ],
1317 'nt-security-descriptor' => [ $TextSD ],
1318 'mailPreferenceOption' => 0
1319 ]
1320 );
1321
1322
1323 print ldap_error_name($result->code);
1324
1325 How do I reset a user's password ...
1326 ... in most LDAP servers?
1327
1328 Most LDAP servers use the standard userPassword attribute as the
1329 attribute to set when you want to change a user's password.
1330
1331 They usually allow to set the password either using the regular modify
1332 operation on the userPassword attribute or using the extended LDAP
1333 Password Modify operation defined in RFC3062.
1334
1335 The recommended method is the extended Password Modify operation, which
1336 offers a standardized way to set user passwords but unfortunately is
1337 not available on all LDAP servers.
1338
1339 Whether the extended Password Modify operation is available can be
1340 found out by searching the attribute supportedExtension for the value
1341 1.3.6.1.4.1.4203.1.11.1 in the RootDSE object.
1342
1343 If the extended Password Modify operation is not available the
1344 alternative is the regular modification of the userPassword attribute.
1345
1346 But this method has some drawbacks:
1347
1348 · Depending on the type of the server the arguments to the modify
1349 operations may vary. Some want the modify done with replace, some
1350 want it done by explicitly deleting the old password and add of the
1351 new one. This may even depend on whether you change the password
1352 for the bound user or as an administrator for another user.
1353
1354 · With the modify operation some servers expect the client to do the
1355 hashing of the password on the client side. I.e. all clients that
1356 set passwords need to agree on the algorithm and the format of the
1357 hashed password.
1358
1359 · Some LDAP servers do not allow setting the password if the
1360 connection is not sufficiently secured. I.e. require SSL or TLS
1361 support to set the password (which is heavily recommended anyway
1362 ;-)
1363
1364 Here is an example of how to change your own password (for brevity's
1365 sake error checking is left out):
1366
1367 use Net::LDAP;
1368
1369 my $ldap = Net::LDAP->new('ldaps://server.domain') or die "$@";
1370 my $mesg = $ldap->bind('cn=Joe User,dc=perl,dc=ldap,dc=org',
1371 password => 'oldPW');
1372
1373 my $rootdse = $ldap->root_dse();
1374
1375 if ($rootdse->supported_extension('1.3.6.1.4.1.4203.1.11.1') {
1376
1377 require Net::LDAP::Extension::SetPassword;
1378
1379 $mesg = $ldap->set_password(user => 'cn=Joe User,dc=perl,dc=ldap,dc=org',
1380 oldpasswd => 'oldPW',
1381 newpasswd => 'newPW');
1382 }
1383 else {
1384 $mesg = $ldap->modify('cn=Joe User,dc=perl,dc=ldap,dc=org',
1385 changes => [
1386 delete => [ userPassword => $oldPW ]
1387 add => [ userPassword => $newPW ] ]);
1388 }
1389
1390 $ldap->unbind();
1391
1392 ... in MS Active Directory?
1393
1394 With Active Directory a user's password is stored in the unicodePwd
1395 attribute and changed using the regular modify operation.
1396
1397 ADS expects this password to be encoded in Unicode - UTF-16 to be
1398 exact. Before the Unicode conversion is done the password needs to be
1399 surrounded by double quotes which do not belong to the user's password.
1400
1401 For the password modify operation to succeed SSL is required.
1402
1403 When changing the password for the user bound to the directory ADS
1404 expects it to be done by deleting the old password and adding the new
1405 one. When doing it as a user with administrative privileges replacing
1406 the unicodePwd's value with a new one is allowed too.
1407
1408 Perl-ldap contains convenience methods for Active Directory that allow
1409 one to perform this task very easily.
1410
1411 Here's an example that demonstrates setting your own password from
1412 $oldPW to $newPW (again almost no error checking):
1413
1414 use Net::LDAP;
1415 use Net::LDAP::Extra qw(AD);
1416
1417 my $ldap = Net::LDAP->new('ldaps://ads.domain.controller') or die "$@";
1418
1419 my $mesg = $ldap->bind('cn=Joe User,dc=your,dc=ads,dc=domain',
1420 password => $oldPW);
1421
1422 $mesg = $ldap->change_ADpassword('cn=Joe User,dc=your,dc=ads,dc=domain',
1423 $oldPW, $newPW);
1424
1425 $ldap->unbind();
1426
1427 And the same for perl-ldap versions before 0.49, where everything needs
1428 to be done by hand:
1429
1430 use Net::LDAP;
1431 use Unicode::Map8;
1432 use Unicode::String qw(utf16);
1433
1434 # build the conversion map from your local character set to Unicode
1435 my $charmap = Unicode::Map8->new('latin1') or die;
1436
1437 # surround the PW with double quotes and convert it to UTF-16
1438 # byteswap() was necessary in experiments on i386 Linux, YMMV
1439 my $oldUniPW = $charmap->tou('"'.$oldPW.'"')->byteswap()->utf16();
1440 my $newUniPW = $charmap->tou('"'.$newPW.'"')->byteswap()->utf16();
1441
1442 my $ldap = Net::LDAP->new('ldaps://ads.domain.controller') or die "$@";
1443
1444 my $mesg = $ldap->bind('cn=Joe User,dc=your,dc=ads,dc=domain',
1445 password => $oldPW);
1446
1447 $mesg = $ldap->modify('cn=Joe User,dc=your,dc=ads,dc=domain',
1448 changes => [
1449 delete => [ unicodePwd => $oldUniPW ]
1450 add => [ unicodePwd => $newUniPW ] ]);
1451
1452 $ldap->unbind();
1453
1454 How can I simulate server failover?
1455 Perl-ldap does not do server failover, however there are several
1456 programming options for getting around this situation.
1457
1458 Here is one possible solution:
1459
1460 $ldaps = Net::LDAPS->new([ $ldapserverone, $ldapservertwo ],
1461 port=>636, timeout=>5) or die "$@";
1462
1463 For perl-ldap versions before 0.27, the same goal can be achieved
1464 using:
1465
1466 unless ( $ldaps =
1467 Net::LDAPS->new($ldapserverone,
1468 port=>636,timeout=>5) )
1469 {
1470 $ldaps = Net::LDAPS->new($ldapservertwo,
1471 port=>636,timeout=>20) ||
1472 return
1473 "Can't connect to $ldapserverone or $ldapservertwo via LDAPS: $@";
1474 }
1475
1477 How do I store X.509 certificates in the directory?
1478 The first problem here is that there are many different formats to hold
1479 certificates in, for example PEM, DER, PKCS#7 and PKCS#12. The
1480 directory only uses the DER format (more correctly, it only uses the
1481 BER format) which is a binary format.
1482
1483 Your first job is to ensure that your certificates are therefore in
1484 DER/BER format. You could use OpenSSL to convert from PEM like this:
1485
1486 openssl x509 -inform PEM -in cert.pem -outform DER -out cert.der
1487
1488 Consult the OpenSSL documentation to find out how to perform other
1489 conversions.
1490
1491 To add a certificate to the directory, just slurp in the DER/BER
1492 certificate into a scalar variable, and add it to the entry's
1493 userCertificate attribute. How you do that will depend on which version
1494 of LDAP you are using.
1495
1496 To slurp in the certificate try something like this:
1497
1498 my $cert;
1499 {
1500 local $/ = undef; # Slurp mode
1501 open CERT, "cert.der" or die;
1502 binmode CERT; # for Windows e.a.
1503 $cert = <CERT>;
1504 close CERT;
1505 }
1506 # The certificate is now in $cert
1507
1508 For LDAPv2, because most directory vendors ignore the string
1509 representation of certificates defined in RFC 1778, you should add this
1510 value to the directory like this:
1511
1512 $res = $ldap->modify("cn=My User, o=My Company,c=XY",
1513 add => [
1514 'userCertificate' => [ $cert ]
1515 ]);
1516 die "Modify failed (" . ldap_error_name($res->code) . ")\n"
1517 if $res->code;
1518
1519 For LDAPv3, you must do this instead:
1520
1521 $res = $ldap->modify("cn=My User, o=My Company, c=XY",
1522 add => [
1523 'userCertificate;binary' => [ $cert ]
1524 ]);
1525 die "Modify failed (" . ldap_error_name($res->code) . ")\n"
1526 if $res->code;
1527
1528 Of course, the entry you are trying to add the certificate to must use
1529 object classes that permit the userCertificate attribute, otherwise the
1530 modify will fail with an object class violation error. The
1531 inetOrgPerson structural object class permits userCertificates, as does
1532 the strongAuthenticationUser auxiliary object class. Others might also.
1533
1534 How do I search objects by the contents of certificates.
1535 The directory needs to support one or more of the certificate*Match
1536 matching rules.
1537
1538 Then using the filter (for certificateExactMatch)
1539
1540 (userCertificate={ serialNumber 1234, issuer "cn=CA,o=TrustCenter" })
1541
1542 allows searching for the objects containing the attribute
1543 userCertificate with a certificate matching these criteria.
1544
1545 Please note that the exact syntax of the values for the serialNumber
1546 and the issuer above may depend on the LDAP server. In any case the
1547 example above works with OpenLDAP 2.4.33.
1548
1550 URLs.
1551 Net::LDAP::Server - LDAP server framework in Perl
1552 http://search.cpan.org/search?module=Net::LDAP::Server
1553 https://github.com/alexrj/Net-LDAP-Server
1554
1555 Net::LDAP::SimpleServer - LDAP server in Perl
1556 http://search.cpan.org/search?module=Net::LDAP::SimpleServer
1557 https://github.com/russoz/Net-LDAP-SimpleServer
1558
1559 LemonLDAP::NG - Web SingleSignOn solution & SAML IdP in Perl
1560 http://lemonldap-ng.org/
1561
1562 Dancer::Plugin::LDAP - LDAP plugin for Dancer micro framework
1563 http://search.cpan.org/search?module=Dancer::Plugin::LDAP
1564 https://github.com/racke/Dancer-Plugin-LDAP
1565
1566 Directory Services Mark Language (DSML)
1567 http://www.oasis-open.org/specs/
1568
1569 eMailman LDAP information http://www.emailman.com/ldap/
1570
1571 Rafael Corvalan's LDAP shell http://sf.net/projects/ldapsh
1572
1573 Jeff Hodges's Kings Mountain LDAP
1574 http://www.kingsmountain.com/ldapRoadmap.shtml (outdated: last update
1575 was in 2004)
1576
1577 willeke.com's LDAP Wiki http://ldapwiki.willeke.com/wiki/LDAP
1578
1579 OpenLDAP Directory Server - open source LDAP server.
1580 http://www.openldap.org/
1581
1582 389 Directory Server - open source LDAP server http://port389.org/
1583
1584 ApacheDS - open source LDAP server in Java http://directory.apache.org/
1585
1586 CriticalPath http://www.cp.net/
1587
1588 ForgeRock's OpenDS - LDAPv3 server with additional REST APIs
1589 http://www.forgerock.com/opendj.html
1590
1591 IBM Tivoli Directory Server
1592 http://www-01.ibm.com/software/tivoli/products/directory-server/
1593
1594 Isode (was MessagingDirect) http://www.isode.com/
1595
1596 Nexor's X.500 and Internet Directories
1597 http://www.nexor.com/info/directory.htm/
1598
1599 Novell's eDirectory http://www.novell.com/
1600
1601 Octet String http://www.octetstring.com/
1602
1603 SUN JAVA JNDI (Java Naming and Directory Interface)
1604 http://java.sun.com/products/jndi/overview.html
1605
1606 Oracle Directory Server Enterprise Edition, formerly Sun One, formerly
1607 iPlanet.
1608 http://www.oracle.com/technetwork/middleware/id-mgmt/index-085178.html
1609
1610 OptimalIDM - Virtual Identity Server - .NET LDAP virtual directory
1611 http://www.optimalidm.com/products/vis/Virtual-Directory-Server-VDS.aspx
1612
1613 Quest One Quick Connect Virtual Directory Server - LDAP virtual
1614 directory
1615 http://www.quest.com/quest-one-quick-connect-virtual-directory-server/
1616
1617 UnboundID's Identity data platform https://www.unboundid.com/
1618
1619 Virtual Directory Blogger https://virtualdirectory.wordpress.com/
1620
1621 eldapo - a directory manager's blog http://eldapo.blogspot.de/
1622
1623 Eine deutsche LDAP Website A german LDAP Website
1624 http://verzeichnisdienst.de/ldap/Perl/index.html
1625
1626 (non-exhaustive) list of LDAP software on Wikipedia
1627 http://en.wikipedia.org/wiki/List_of_LDAP_software
1628
1629 "RFC Sourcebook" on LDAP
1630 http://www.networksorcery.com/enp/protocol/ldap.htm
1631
1632 web2ldap - WWW gateway to LDAP server in Python http://www.web2ldap.de/
1633
1634 Softerra LDAP Browser / Administrator http://www.ldapbrowser.com/
1635
1636 The 2 following URLs deal mainly with Microsoft's Active Directory.
1637
1638 Directory Works http://directoryworks.com/
1639
1640 LDAP Client .Net & ActiveX LDAP Client
1641 http://www.ldapservices.com/Products/Default.aspx
1642
1643 BOOKS
1644 Developing LDAP and ADSI Clients for Microsoft(R) Exchange. By Sven B.
1645 Schreiber. ISBN: 0201657775
1646
1647 Implementing LDAP. By Mark Wilcox. ISBN: 1861002211
1648
1649 LDAP: Programming Directory-Enabled Applications With Lightweight
1650 Directory Access Protocol. By Tim Howes, Mark Smith. ISBN:
1651 1578700000
1652
1653 LDAP Programming; Directory Management and Integration. By Clayton
1654 Donley. ISBN: 1884777910
1655
1656 LDAP Programming with Java. By Rob Weltman, Tony Dahbura. ISBN:
1657 0201657589
1658
1659 LDAP System Administration. By Gerald Carter. ISBN: 1565924916
1660
1661 Managing Enterprise Active Directory Services. By Robbie Allen,
1662 Richard Puckett. ISBN: 0672321254
1663
1664 Solaris and LDAP Naming Services. By Tom Bialaski, Michael Haines.
1665 ISBN: 0-13-030678-9
1666
1667 Understanding and Deploying LDAP Directory Services (2ed). By Tim
1668 Howes, Mark Smith, Gordon Good. ISBN: 0672323168
1669
1670 LDAP Directories Explained. By Brian Arkills. ISBN 0-201-78792-X
1671
1673 Any good FAQ is made up of many authors, everyone that contributes
1674 information to the perl-ldap mail list is a potential author.
1675
1676 An attempt to maintain this FAQ is being done by Chris Ridd
1677 <chris.ridd@isode.com> and Peter Marschall <peter@adpm.de>. It was
1678 previously updated by Clif Harden <charden@pobox.com>.
1679
1680 The original author of this FAQ was Graham Barr <gbarr@pobox.com>
1681
1682 Please report any bugs, or post any suggestions, to the perl-ldap
1683 mailing list <perl-ldap@perl.org>.
1684
1686 Copyright (c) 1999-2004 Graham Barr, (c) 2012 Peter Marschall. All
1687 rights reserved. This document is distributed, and may be
1688 redistributed, under the same terms as Perl itself.
1689
1690
1691
1692perl v5.28.0 2015-04-06 Net::LDAP::FAQ(3)