Net::LDAP -- Lightweight Directory Access Protocol


NAME

Net::LDAP -- Lightweight Directory Access Protocol


SUPPORTED PLATFORMS


SYNOPSIS

 use Net::LDAP;
 $ldap = Net::LDAP->new('ldap.bigfoot.com') or die "$@";
 $ldap->bind ;    # an anonymous bind
 $mesg = $ldap->search (  # perform a search
                        base   => "c=US",
                        filter => "(&(sn=Barr) (o=Texas Instruments))"
                       );
 $mesg->code && die $mesg->error;
 foreach $entry ($mesg->all_entries) { $entry->dump; }
 $ldap->unbind;   # take down session

 $ldap = Net::LDAP->new('ldap.umich.edu');

 $ldap->bind (   # bind to a directory with dn and password
              dn       => 'cn=root, o=University of Michigan, c=us',
              password => 'secret'
             );
 $result = $ldap->add (
              dn   => 'cn = Barbara Jensen, o=University of Michigan, c=us',
              attr => [ 'cn'   => ['Barbara Jensen', 'Barbs Jensen'],
                        'sn    => 'Jensen',
                        'mail' => 'b.jensen@umich.edu'
                      ]
            );
  $result->code && warn "failed to add entry: ", $result->error ;


DESCRIPTION

Net::LDAP is a collection of modules that implements a LDAP services API for Perl programs. The module may be used to search directories or perform maintenance functions such as add, deleting or modify entries in an LDAP directory.

This document assumes that the reader has some knowledge of the LDAP protocol.


CONSTRUCTOR

new ( HOST [, OPTIONS ] )
Creates a new Net::LDAP object and opens a connection to the named host. OPTIONS is a list of key-value pairs, valid options are :-
port
Port to connect to on the remote server.

timeout
Timeout passed to IO::Socket when connecting the remote server. (Default: 120)

debug
If passed a non-zero value then debug data will be sent to STDERR. The bits of this value are :-
 1   Show outgoing packets.
 2   Show incoming packets.

async
Perform all operations asynchronously if passed a true value.

Example

  $ldap = Net::LDAP->new('remote.host', async => 1);


METHODS

Each of the following methods take as arguments some number of fixed parameters followed by options, these options are passed in a named fashion, for example

  $mesg = $ldap->bind( "me", password => "mypasswd");

The return value from these methods is an object derived from the the Net::LDAP::Message manpage class. The methods of this class allow you to examine the status of request.

abandon ( ID [, OPTIONS ] )
Request server to abandon a request. The id to abandon may be passed as the first parameter or as part of the options list. The ID may be a number or a object which is a sub-class of Net::LDAP::Message, returned from a previous method call.
id
This option is here for compatibility only, and may be removed in future. Previous releases did not take the ID argument which replaces this option.

control
See CONTROLS below

callback
See CALLBACKS below

Example

  $mesg = $ldap->search( @search_args );

  $ldap->abandon( $mesg ); # This could be written as $mesg->abandon
add ( DN [, OPTIONS ] )
Add an entry to the directory. The DN argument can be either a the Net::LDAP::Entry manpage object or a string.
dn
This option is here for compatibility only, and may be removed in future. Previous releases did not take the DN argument which replaces this option.

attrs
This argument is a reference to a list of attribute-value pairs. Attributes with multiple values can be added as either multiple entries or the value could be a reference to a list of values.

This argument is not used if DN is a the Net::LDAP::Entry manpage object.

control
See CONTROLS below

callback
See CALLBACKS below

Example

  # $entry is an object of class Net::LDAP::Entry
  $mesg = $ldap->add( $entry );

  $mesg = $ldap->add( $DN,
    attrs => [
      name  => 'Graham Barr',
      attr  => 'value1',
      attr  => 'value2',
      multi => [qw(value1 value2)]
    ]
  );
bind ( [ DN [, OPTIONS ]] )
Bind to the server. DN is the DN to bind as. An anonymous bind may be done by calling bind without any arguments.
dn
This option is here for compatibility only, and may be removed in future. Previous releases did not take the DN argument which replaces this option.

control
See CONTROLS below

callback
See CALLBACKS below

Only one of the following should be given, if none are given then noauth is assumed.

noauth
Bind without any password, the value passed with this option is ignored. This is the default if no password option is given.

password
Bind with the given password.

kerberos41
Bind using Kerberos V4.1 not supported.

kerberos42
Bind using Kerberos V4.2 not supported.

sasl
Bind using a SASL mechanism. The argument given should be a sub-class of the Authen::SASL manpage.

Example

  $ldap->bind; # Anonymous bind

  $ldap->bind( $DN, password => $password);

  # $sasl is an object of class Authen::SASL
  $ldap->bind( $DN, sasl => $sasl, version => 3);
compare ( DN, OPTIONS )
Perform a comparison on the server. DN is the DN which the comparison is to be performed. DN May be a string or a the Net::LDAP::Entry manpage object.
dn
This option is here for compatibility only, and may be removed in future. Previous releases did not take the DN argument which replaces this option.

attr
The name of the attribute to compare.

value
The value to compare with.

control
See CONTROLS below.

callback
See CALLBACKS below.

Example

  $ldap->compare( $DN,
    attr  => 'cn',
    value => 'Graham Barr'
  );
delete ( DN [, OPTIONS ] )
Delete DN from the server. DN May be a string or a the Net::LDAP::Entry manpage object.
dn
This option is here for compatibility only, and may be removed in future. Previous releases did not take the DN argument which replaces this option.

control
See CONTROLS below.

callback
See CALLBACKS below.

Example

 $ldap->delete( $dn );
moddn ( DN, OPTIONS )
Modify the DN for DN on the server. DN May be a string or a the Net::LDAP::Entry manpage object.
dn
This option is here for compatibility only, and may be removed in future. Previous releases did not take the DN argument which replaces this option.

newrdn
This value should be a new RDN to assign to DN.

deleteoldrdn
This value should be true if the existing RDN is to be deleted.

newsuperior
If given this value should be the DN of the new superior for DN.

control
See CONTROLS below.

callback
See CALLBACKS below.

Example

 $ldap->moddn( $dn, newrdn => 'cn=Graham Barr');
modify ( DN, OPTIONS )
Modify the contents of DN on the server. DN May be a string or a the Net::LDAP::Entry manpage object.
dn
This option is here for compatibility only, and may be removed in future. Previous releases did not take the DN argument which replaces this option.

add
The add option should be a reference to a HASH. The values of the HASH are the attributes to add, and the values may be a string or a reference to a list of values.

delete
A reference to an ARRAY of attributes to delete or a reference to a HASH (as in add) if only specific values should be deleted. If the value for any attribute in the HASH is a reference to an empty ARRAY the all instances of the attribute will be deleted.

replace
The <replace> option takes a argument in the same form as add, but will cause any existing attributes with the same name to be replaced. If the value for any attribute in the HASH is a reference to an empty ARRAY the all instances of the attribute will be deleted.

changes
This is an alternative to add, delete and replace where the whole operation can be given in a single argument. The argument should be a reference to an ARRAY.

Values in the ARRAY are used in pairs, the first is the operation add, delete or replace and the second is a reference to an ARRAY of attribute values.

The attribute value list is also used in pairs. The first value in each pair is the attribute name and the second is a reference to a list of values.

Use this form if you want to control the order in which the operations will be performed.

control
See CONTROLS below.

callback
See CALLBACKS below.

Example

 $ldap->modify( $dn, add => { sn => 'Barr' } );

 $ldap->modify( $dn, delete => [qw(faxNumber)]);

 $ldap->modify( $dn, delete => { 'telephoneNumber' => '911' });

 $ldap->modify( $dn, replace => { 'email' => 'gbarr@pobox.com' });

 $ldap->modify( $dn,
   changes => [
     add     => [ sn => 'Barr' ],              # Add sn=Barr
     delete  => [ faxNumber => []],            # Delete all fax numbers
     delete  => [ telephoneNumber => ['911']], # delete phone number 911
     replace => [ email => 'gbarr@pobox.com']  # change email address
   ]
 );
search ( OPTIONS )
The search method will return an object of class the Net::LDAP::Search manpage.
base
The base DN to start the search.

scope
The scope for the search. This can be one of base, one or sub or it can be the numeric value for each of these 0,1,2 respectively. The default is sub.

deref
What to do when a reference is found. This value can be one of never, search, find or always. Or it can be the numeric value fro each of these. The default is find.

sizelimit
Set the size limit for the response. zero means no limit. The default is no limit.

timelimit
Set the time limit for the response. zero means no limit. The default is no limit.

typesonly
If true then only the attribute type will be returned. Default is false.

filter
The filter to use for the search. This may be a string or a <Net::LDAP::Filter> object.

attrs
A reference to a list of attributes to be returned from the server. If not specified then all attributes will be returned.

control
See CONTROLS below.

callback
See CALLBACKS below.

Example

 $mesg = $ldap->search(
   base   => $base_dn,
   scope  => 'sub',
   filter => '(|(objectclass=rfc822mailgroup)(sn=jones))'
 );

 Net::LDAP::LDIF->new(\*STDOUT,"w")->write($mesg->entries);
unbind
The unbind method does not take any parameters and will unbind you from the server. You may then either re-bind with another DN and password or close the connection.

Example

 $ldap->unbind;

The following methods are for convenience.

async
Returns true if the LDAP operations are being performed asynchronously.

debug ( [ VALUE ] )
If VALUE is given the debug bit-value will be set to VALUE and the previous value will be returned. If not given the bit-value will remain unchanged and will be returned.

sync ( [ MESG ] )
Calling this method will synchronize the client with the server. It will not return until all requests have been completed, or id MESG is given it will return when MESG has been completed.

Returns an error code defined in the Net::LDAP::Constant manpage.

version
Returns the version of the LDAP protocol that is being used.


CONTROLS

Many of the methods described above accept a control option. This allows the user to pass controls to the server as described in LDAPv3. The value to the control argument may be either a HASH reference to a reference to an array of HASH references.

The HASH, or each HASH in the array may contain three elements.

type
This element must be present and is the name of the type of control being requested.

critical
critical is optional and should be a boolean value, if it is not specified then it is assumed to be false.

value
If the control being requested requires a value then this element should hold the value for the server.


CALLBACKS

Most of the above commands accept a callback option. This option should be a reference to a subroutine. This subroutine will be called for each packet received from the server as a response to the request sent.

When the subroutine is called the first argument will be the the Net::LDAP::Message manpage object which was returned from the method.

If the request is a search then multiple packets can be received from the server. Each entry is received as a separate packet. For each of these the subroutine will be called with a the Net::LDAP::Entry manpage object as the second argument.

During a search the server may also send a list of references. When such a list is received then the subroutine will be called with a the Net::LDAP::Reference manpage object as the second argument.


LDAP ERROR CODES

Net::LDAP also exports constants for the error codes that can be received from the server, see the Net::LDAP::Constant manpage.


SEE ALSO

the Net::LDAP::BER manpage, the Net::LDAP::Constant manpage, the Net::LDAP::Entry manpage, the Net::LDAP::Filter manpage, the Net::LDAP::Message manpage, the Net::LDAP::Reference manpage, the Net::LDAP::Search manpage, the URI::URL::ldap manpage,

The LDAP protocol is defined in the following RFC's

RFC-2251
Lightweight Directory Access Protocol (v3).

RFC-2252
Attribute Syntax Definitions.

RFC-2253
UTF-8 String Representation of Distinguished Names.

RFC-2254
The String Representation of LDAP Search Filters.

RFC-2255
The LDAP URL Format.

RFC-2256
A Summary of the X.500(96) User Schema for use with LDAPv3.

The homepage for the perl-ldap modules can be found at http://www.pobox.com/~gbarr/perl-ldap/.


ACKNOWLEDGEMENTS

This document is based on a document originally written by Russell Fulton <r.fulton@auckland.ac.nz>.

Chris Ridd @isode.com for the many hours spent testing and contribution of the ldap* command line utilities.


AUTHOR

Graham Barr <gbarr@pobox.com>

Please report any bugs, or post any suggestions, to the perl-ldap mailing list <perl-ldap@mail.med.cornell.edu>.


COPYRIGHT

Copyright (c) 1997-1999 Graham Barr. All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

 Net::LDAP -- Lightweight Directory Access Protocol