1ldap(n)                           LDAP client                          ldap(n)
2
3
4
5______________________________________________________________________________
6

NAME

8       ldap - LDAP client
9

SYNOPSIS

11       package require Tcl  8.4
12
13       package require ldap  ?1.9.2?
14
15       ::ldap::connect host ?port?
16
17       ::ldap::secure_connect host ?port? ?verify_cert? ?sni_servername?
18
19       ::ldap::disconnect handle
20
21       ::ldap::starttls  handle  ?cafile?  ?certfile?  ?keyfile? ?verify_cert?
22       ?sni_servername?
23
24       ::ldap::bind handle ?name? ?password?
25
26       ::ldap::bindSASL handle ?name? ?password?
27
28       ::ldap::unbind handle
29
30       ::ldap::search handle baseObject filterString attributes options
31
32       ::ldap::searchInit handle baseObject filterString attributes options
33
34       ::ldap::searchNext handle
35
36       ::ldap::searchEnd handle
37
38       ::ldap::modify handle dn attrValToReplace ?attrToDelete? ?attrValToAdd?
39
40       ::ldap::modifyMulti handle dn attrValToReplace ?attrValToDelete? ?attr‐
41       ValToAdd?
42
43       ::ldap::add handle dn attrValueTuples
44
45       ::ldap::addMulti handle dn attrValueTuples
46
47       ::ldap::delete handle dn
48
49       ::ldap::modifyDN handle dn newrdn ?deleteOld? ?newSuperior?
50
51       ::ldap::info ip handle
52
53       ::ldap::info bound handle
54
55       ::ldap::info bounduser handle
56
57       ::ldap::info connections
58
59       ::ldap::info tls handle
60
61       ::ldap::info saslmechanisms handle
62
63       ::ldap::info control handle
64
65       ::ldap::info extensions extensions
66
67       ::ldap::info whoami handle
68
69______________________________________________________________________________
70

DESCRIPTION

72       The ldap package provides a Tcl-only client library for the LDAPv3 pro‐
73       tocol    as    specified    in    RFC     4511     (http://www.rfc-edi
74       tor.org/rfc/rfc4511.txt).  It works by opening the standard (or secure)
75       LDAP socket on the server, and then providing a Tcl API to  access  the
76       LDAP  protocol  commands.  All server errors are returned as Tcl errors
77       (thrown) which must be caught with the Tcl catch command.
78

TLS SECURITY CONSIDERATIONS

80       This package uses the TLS package to handle the security for https urls
81       and other socket connections.
82
83       Policy  decisions like the set of protocols to support and what ciphers
84       to use are not the responsibility of TLS, nor of  this  package  itself
85       however.   Such  decisions are the responsibility of whichever applica‐
86       tion is using the package, and are likely  influenced  by  the  set  of
87       servers the application will talk to as well.
88
89       For  example,  in light of the recent POODLE attack [http://googleonli
90       nesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-
91       ssl-30.html] discovered by Google many servers will disable support for
92       the SSLv3 protocol.  To handle this change the applications  using  TLS
93       must  be  patched,  and not this package, nor TLS itself.  Such a patch
94       may be as simple as generally activating tls1 support, as shown in  the
95       example below.
96
97
98                  package require tls
99                  tls::init -tls1 1 ;# forcibly activate support for the TLS1 protocol
100
101                  ... your own application code ...
102
103

COMMANDS

105       ::ldap::connect host ?port?
106              Opens  a  LDAPv3  connection to the specified host, at the given
107              port, and returns a token for the connection. This token is  the
108              handle  argument for all other commands. If no port is specified
109              it will default to 389.
110
111              The command blocks until the connection has been established, or
112              establishment definitely failed.
113
114       ::ldap::secure_connect host ?port? ?verify_cert? ?sni_servername?
115              Like  ::ldap::connect, except that the created connection is se‐
116              cured by SSL. The port defaults to 636.  This command depends on
117              the  availability of the package TLS, which is a SSL binding for
118              Tcl. If TLS is not available, then this command will fail.
119
120              The command blocks until the connection has been established, or
121              establishment definitely failed.
122
123              If  verify_cert is set to 1, the default, this checks the server
124              certificate against the known hosts. If sni_servername  is  set,
125              the given hostname is used as the hostname for Server Name Indi‐
126              cation in the TLS handshake.
127
128              Use ::tls::init to setup defaults for trusted certificates.
129
130
131                  tls::init -cadir /etc/ssl/certs/ca-certificates.crt
132
133
134       TLS supports different protocol levels. In common use are the  versions
135       1.0,  1.1  and  1.2.  By default all those versions are offered. If you
136       need to modify the acceptable protocols, you can change the ::ldap::tl‐
137       sProtocols list.
138
139       ::ldap::disconnect handle
140              Closes  the  ldap connection refered to by the token handle. Re‐
141              turns the empty string as its result.
142
143       ::ldap::starttls handle  ?cafile?  ?certfile?  ?keyfile?  ?verify_cert?
144       ?sni_servername?
145              Start  TLS negotiation on the connection denoted by handle.  You
146              need to set at least the cafile argument to a file with  trusted
147              certificates,  if  verify_cert  is 1, which is the default.  The
148              sni_servername can be used to signal a different hostname during
149              the  TLS  handshake.   The announced protocols are determined in
150              the same way as ::ldap::secure_connect.  You can specify  a  TLS
151              client certificate with the certfile and keyfile options.
152
153       ::ldap::bind handle ?name? ?password?
154              This command authenticates the ldap connection refered to by the
155              token in handle, with a user name and  associated  password.  It
156              blocks until a response from the ldap server arrives. Its result
157              is the empty string.  Both name and passwd default to the  empty
158              string  if  they  are  not  specified.   By leaving out name and
159              passwd you can make an anonymous bind to the ldap  server.   You
160              can issue ::ldap::bind again to bind with different credentials.
161
162       ::ldap::bindSASL handle ?name? ?password?
163              This  command uses SASL authentication mechanisms to do a multi‐
164              stage  bind.   Its   otherwise   identical   to   the   standard
165              ::ldap::bind.   This  feature is currently experimental and sub‐
166              ject to change. See the  documentation  for  the  SASL  and  the
167              "SASL.txt" in the tcllib CVS repository for details how to setup
168              and use SASL with openldap.
169
170       ::ldap::unbind handle
171              This command asks the ldap server to release the last bind  done
172              for  the connection refered to by the token in handle.  The han‐
173              dle is invalid after the unbind, as the server closes  the  con‐
174              nection.   So  this  is effectivly just a more polite disconnect
175              operation.
176
177       ::ldap::search handle baseObject filterString attributes options
178              This command performs a LDAP search below  the  baseObject  tree
179              using  a complex LDAP search expression filterString and returns
180              the specified attributes of all matching objects (DNs).  If  the
181              list  of  attributes  was empty all attributes are returned. The
182              command blocks until it has received all results.  The valid op‐
183              tions  are  identical  to  the  options listed for ::ldap::sear‐
184              chInit.
185
186              An example of a search expression is
187
188
189
190                  set filterString "|(cn=Linus*)(sn=Torvalds*)"
191
192
193       The return value of the command is a list of nested  dictionaries.  The
194       first  level  keys are object identifiers (DNs), second levels keys are
195       attribute names. In other words, it is in the form
196
197
198
199                  {dn1 {attr1 {val11 val12 ...} attr2 {val21...} ...}} {dn2 {a1 {v11 ...} ...}} ...
200
201
202
203       ::ldap::searchInit handle baseObject filterString attributes options
204              This command initiates a LDAP search below the  baseObject  tree
205              using a complex LDAP search expression filterString.  The search
206              gets the specified attributes of  all  matching  objects  (DNs).
207              The  command  itself just starts the search, to retrieve the ac‐
208              tual results, use ::ldap::searchNext.  A search  can  be  termi‐
209              nated  at any time by ::ldap::searchEnd. This informs the server
210              that no further results should be sent by  sending  and  ABANDON
211              message  and  cleans  up the internal state of the search.  Only
212              one ::ldap::search can be active at a given time, this  includes
213              the    introspection   commands   ::ldap::info   saslmechanisms,
214              ldap::info control and ldap::info  extensions,  which  invoke  a
215              search internally.  Error responses from the server due to wrong
216              arguments  or  similar  things  are  returned  with  the   first
217              ::ldap::searchNext  call  and  should be checked and dealed with
218              there.  If the list of requested attributes  is  empty  all  at‐
219              tributes  will be returned.  The parameter options specifies the
220              options to be used in the search, and has the following format:
221
222
223
224                  {-option1 value1 -option2 value2 ... }
225
226
227       Following options are available:
228
229              -scope base one sub
230                     Control the scope of the search to be one of  base,  one,
231                     or sub,  to  specify  a  base object,  one-level or  sub‐
232                     tree  search.   The  default is sub.
233
234              -derefaliases never search find always
235                     Control how aliases dereferencing is done.  Should be one
236                     of  never,  always,  search,   or   find  to specify that
237                     aliases  are  never  dereferenced,  always  dereferenced,
238                     dereferenced  when  searching,  or dereferenced only when
239                     locating the base object for the search.  The default  is
240                     to never dereference aliases.
241
242              -sizelimit num
243                     Determines  the  maximum number of entries to return in a
244                     search. If specified as  0  no  limit  is  enforced.  The
245                     server  may  enforce a configuration dependent sizelimit,
246                     which may be lower than the one given by this option. The
247                     default is 0, no limit.
248
249              -timelimit seconds
250                     Asks  the  server  to  use a timelimit of seconds for the
251                     search. Zero means no limit. The default is 0, no limit.
252
253              -attrsonly boolean
254                     If set to 1 only the attribute names but not  the  values
255                     will  be present in the search result.  The default is to
256                     retrieve attribute names and values.
257
258              -referencevar varname
259                     If set the search result reference LDAPURIs, if any,  are
260                     returned  in the given variable.  The caller can than de‐
261                     cide to follow those  references  and  query  other  LDAP
262                     servers for further results.
263
264
265       ::ldap::searchNext handle
266              This command returns the next entry from a LDAP search initiated
267              by ::ldap::searchInit. It returns only after a new result is re‐
268              ceived  or when no further results are available, but takes care
269              to keep the event loop alive.  The returned entry is a list with
270              two  elements:  the  first is the DN of the entry, the second is
271              the list of attributes and values, under the format:
272
273
274
275                  dn {attr1 {val11 val12 ...} attr2 {val21...} ...}
276
277
278       The ::ldap::searchNext command returns an empty list at the end of  the
279       search.
280
281
282       ::ldap::searchEnd handle
283              This command terminates a LDAP search initiated by ::ldap::sear‐
284              chInit. It also cleans up the internal state so a new search can
285              be  initiated.   If the client has not yet received all results,
286              the client sends an ABANDON message to inform the server that no
287              further results for the previous search should to be sent.
288
289
290       ::ldap::modify handle dn attrValToReplace ?attrToDelete? ?attrValToAdd?
291              This  command  modifies  the object dn on the ldap server we are
292              connected to via handle. It replaces attributes with new values,
293              deletes  attributes,  and  adds  new attributes with new values.
294              All arguments are dictionaries mapping attribute names  to  val‐
295              ues.  The  optional  arguments  default to the empty dictionary,
296              which means that no attributes will be deleted nor added.
297
298              dictionary attrValToReplace (in)
299                     No attributes will be changed if this argument is  empty.
300                     The dictionary contains the new attributes and their val‐
301                     ues. They replace all attributes known to the object.
302
303              dictionary attrToDelete (in)
304                     No attributes will be deleted if this argument is  empty.
305                     The  dictionary  values are restrictions on the deletion.
306                     An attribute listed here will be deleted if and  only  if
307                     its  current value at the server matches the value speci‐
308                     fied in the dictionary, or if the value in the dictionary
309                     is the empty string.
310
311              dictionary attrValToAdd (in)
312                     No  attributes  will  be added if this argument is empty.
313                     The dictionary values are the  values  for  the  new  at‐
314                     tributes.
315
316       The  command  blocks until all modifications have completed. Its result
317       is the empty string.
318
319       ::ldap::modifyMulti handle dn attrValToReplace ?attrValToDelete? ?attr‐
320       ValToAdd?
321              This  command  modifies  the object dn on the ldap server we are
322              connected to via handle. It replaces attributes with new values,
323              deletes  attributes,  and  adds  new attributes with new values.
324              All arguments are lists with the format:
325
326
327
328                  attr1 {val11 val12 ...} attr2 {val21...} ...
329
330
331       where each value list may be empty for deleting  all  attributes.   The
332       optional  arguments  default to empty lists of attributes to delete and
333       to add.
334
335              list attrValToReplace (in)
336                     No attributes will be changed if this argument is  empty.
337                     The dictionary contains the new attributes and their val‐
338                     ues. They replace all attributes known to the object.
339
340              list attrValToDelete (in)
341                     No attributes will be deleted if this argument is  empty.
342                     If  no value is specified, the whole set of values for an
343                     attribute will be deleted.
344
345              list attrValToAdd (in)
346                     No attributes will be added if this argument is empty.
347
348       The command blocks until all modifications have completed.  Its  result
349       is the empty string.
350
351       ::ldap::add handle dn attrValueTuples
352              This  command  creates  a new object using the specified dn. The
353              attributes of the new object are set to the values in  the  list
354              attrValueTuples.   Multiple valuated attributes may be specified
355              using multiple tuples.  The command blocks until  the  operation
356              has completed. Its result is the empty string.
357
358       ::ldap::addMulti handle dn attrValueTuples
359              This  command  is the preferred one to create a new object using
360              the specified dn. The attributes of the new object  are  set  to
361              the  values in the dictionary attrValueTuples (which is keyed by
362              the attribute names).  Each tuple is a list containing  multiple
363              values.   The  command blocks until the operation has completed.
364              Its result is the empty string.
365
366       ::ldap::delete handle dn
367              This command removes the object specified by dn, and all its at‐
368              tributes  from  the server.  The command blocks until the opera‐
369              tion has completed. Its result is the empty string.
370
371       ::ldap::modifyDN handle dn newrdn ?deleteOld? ?newSuperior?
372              This command moves or copies the object specified by dn to a new
373              location  in  the  tree of object. This location is specified by
374              newrdn, a relative designation, or by newrdn and newSuperior,  a
375              absolute  designation.  The optional argument deleteOld defaults
376              to true, i.e. a move operation. If deleteOld is  not  set,  then
377              the operation will create a copy of dn in the new location.  The
378              optional argument newSuperior defaults an empty string,  meaning
379              that  the  object must not be relocated in another branch of the
380              tree. If this argument is given, the argument deleteOld must  be
381              specified also.  The command blocks until the operation has com‐
382              pleted. Its result is the empty string.
383
384       ::ldap::info ip handle
385              This command returns the IP address of the  remote  LDAP  server
386              the handle is connected to.
387
388       ::ldap::info bound handle
389              This  command returns 1 if a handle has successfully completed a
390              ::ldap::bind.  If no bind was done or it  failed,  a  0  is  re‐
391              turned.
392
393       ::ldap::info bounduser handle
394              This  command returns the username used in the bind operation if
395              a handle has successfully completed a ::ldap::bind.  If no bound
396              was done or it failed, an empty string is returned.
397
398       ::ldap::info connections
399              This command returns all currently existing ldap connection han‐
400              dles.
401
402       ::ldap::info tls handle
403              This command returns  1  if  the  ldap  connection  handle  used
404              TLS/SSL  for  connection  via  ldap::secure_connect or completed
405              ldap::starttls, 0 otherwise.
406
407       ::ldap::info saslmechanisms handle
408              Return the supported SASL mechanisms advertised by  the  server.
409              Only valid in a bound state (anonymous or other).
410
411       ::ldap::info control handle
412              Return the supported controls advertised by the server as a list
413              of OIDs. Only valid in a bound state.  This is currently experi‐
414              mental and subject to change.
415
416       ::ldap::info extensions extensions
417              Returns  the  supported  LDAP  extensions  as list of OIDs. Only
418              valid in a bound state.  This is currently experimental and sub‐
419              ject to change.
420
421       ::ldap::info whoami handle
422              Returns  authzId for the current connection. This implements the
423              RFC 4532 protocol extension.
424

EXAMPLES

426       A small example, extracted from the test application coming  with  this
427       code.
428
429                  package require ldap
430
431                  # Connect, bind, add a new object, modify it in various ways
432
433                  set handle [ldap::connect localhost 9009]
434
435                  set dn "cn=Manager, o=University of Michigan, c=US"
436                  set pw secret
437
438                  ldap::bind $handle $dn $pw
439
440                  set dn "cn=Test User,ou=People,o=University of Michigan,c=US"
441
442                  ldap::add $handle $dn {
443                objectClass     OpenLDAPperson
444                cn              {Test User}
445                mail            test.user@google.com
446                uid             testuid
447                sn              User
448                telephoneNumber +31415926535
449                telephoneNumber +27182818285
450                  }
451
452                  set dn "cn=Another User,ou=People,o=University of Michigan,c=US"
453
454                  ldap::addMulti $handle $dn {
455                objectClass     {OpenLDAPperson}
456                cn              {{Anotther User}}
457                mail            {test.user@google.com}
458                uid             {testuid}
459                sn              {User}
460                telephoneNumber {+31415926535 +27182818285}
461                  }
462
463                  # Replace all attributes
464                  ldap::modify $handle $dn [list drink icetea uid JOLO]
465
466                  # Add some more
467                  ldap::modify $handle $dn {} {} [list drink water  drink orangeJuice pager "+1 313 555 7671"]
468
469                  # Delete
470                  ldap::modify $handle $dn {} [list drink water  pager ""]
471
472                  # Move
473                  ldap::modifyDN $handle $dn "cn=Tester"
474
475                  # Kill the test object, and shut the connection down.
476                  set dn "cn=Tester,ou=People,o=University of Michigan,c=US"
477                  ldap::delete $handle $dn
478
479                  ldap::unbind     $handle
480                  ldap::disconnect $handle
481
482
483       And a another example, a simple query, and processing the results.
484
485                  package require ldap
486                  set handle [ldap::connect ldap.acme.com 389]
487                  ldap::bind $handle
488                  set results [ldap::search $handle "o=acme,dc=com" "(uid=jdoe)" {}]
489                  foreach result $results {
490                foreach {object attributes} $result break
491
492                # The processing here is similar to what 'parray' does.
493                # I.e. finding the longest attribute name and then
494                # generating properly aligned output listing all attributes
495                # and their values.
496
497                set width 0
498                set sortedAttribs {}
499                foreach {type values} $attributes {
500                    if {[string length $type] > $width} {
501                   set width [string length $type]
502                    }
503                    lappend sortedAttribs [list $type $values]
504                }
505
506                puts "object='$object'"
507
508                foreach sortedAttrib  $sortedAttribs {
509                    foreach {type values} $sortedAttrib break
510                    foreach value $values {
511                   regsub -all "\[\x01-\x1f\]" $value ? value
512                   puts [format "  %-${width}s %s" $type $value]
513                    }
514                }
515                puts ""
516                  }
517                  ldap::unbind $handle
518                  ldap::disconnect $handle
519
520

BUGS, IDEAS, FEEDBACK

522       This  document,  and the package it describes, will undoubtedly contain
523       bugs and other problems.  Please report such in the  category  ldap  of
524       the  Tcllib  Trackers  [http://core.tcl.tk/tcllib/reportlist].   Please
525       also report any ideas for enhancements you may have for either  package
526       and/or documentation.
527
528       When proposing code changes, please provide unified diffs, i.e the out‐
529       put of diff -u.
530
531       Note further that  attachments  are  strongly  preferred  over  inlined
532       patches.  Attachments  can  be  made  by  going to the Edit form of the
533       ticket immediately after its creation, and  then  using  the  left-most
534       button in the secondary navigation bar.
535

KEYWORDS

537       directory  access, internet, ldap, ldap client, protocol, rfc 2251, rfc
538       4511, x.500
539

CATEGORY

541       Networking
542
544       Copyright (c) 2004 Andreas Kupries <andreas_kupries@users.sourceforge.net>
545       Copyright (c) 2004 Jochen Loewer <loewerj@web.de>
546       Copyright (c) 2006 Michael Schlenker <mic42@users.sourceforge.net>
547
548
549
550
551tcllib                               1.9.2                             ldap(n)
Impressum