home | O'Reilly's CD bookshelfs | FreeBSD | Linux | Cisco | Cisco Exam  

Book HomeJava and XSLTSearch this book

Chapter 19. Lightweight Directory Access with Net::LDAP

LDAP was designed as a client/server protocol to provide quick and simple access to entries that live in a directory. Initially, LDAP was designed to provide a better interface to X.500 directory services, but its ease of implementation and IETF-based change control means that LDAP has carved its own niche as a directory service.

What is a directory service? In short, the directory is where you store an entry. Each entry implements information about an object. Entries have attributes with a type and at least one value. These attributes have a strict syntax that determines the types of values allowed for the attributes. Such attribute syntaxes include strings, JPEG photographs, and URLs.

If you've ever tried to solve a complex problem in a heterogenous computing environment, such as syncing user accounts between different computing platforms, managing a company-wide address book, or building a public-key infrastructure, you might be interested in what LDAP has to offer.

While the IETF governs changes to the LDAP spec, you are not limited to a single source for the availability of an LDAP server. Companies such as iPlanet, Novell, and Microsoft sell commercial LDAP implementations, and you'll also find a good, free LDAP implemenation in OpenLDAP (http://www.openldap.org).

Net::LDAP implements the LDAP API for Perl programs. You can use Net::LDAP to search or modify the contents of your LDAP directory. In other words, Net::LDAP does everything that you need it to.

This chapter covers Net::LDAP and how to operate on data in an LDAP directory, but it is not an LDAP tutorial. If you're unfamiliar with LDAP, it is strongly encouraged that you refer to your LDAP server documentation before attempting to make any changes to your directory.

19.1. How Data Is Stored in LDAP

LDAP stores data in a structure as described in RFC 1617, which also offers guidelines as to how your naming style might look. While there are many ways to implement a data hierarchy in LADP, you can implement your directory structure so that all entries live under a single root that represents your organization. For example, you can import all your Unix account data for your.domain into a directory server with the following:

object: your.domain
Organizational Unit: People
Type for login name: uid

Your Unix account information would be stored in LDAP like so:


At the simplest level, data as imported into LDAP by way of the LDAP Directory Interchange Format (LDIF). LDIF is a standard data format that specifies all the information about a record that you will insert into the directory. Take, for instance, a Unix account that lives in /etc/passwd:

nvp:-password-:1000:1000:Nathan V. Patwardhan:/home/nvp:/usr/bin/bash

When you break the password entry down, the following fields exist:

login           nvp
password        -password-
uid             1000
gid             1000
gecos           Nathan V. Patwardhan
home directory  /users/nvp
shell           /usr/bin/bash

The Unix /etc/passwd entries correspond to entries that you've created in LDAP, with the following naming differences:

UNIX            LDAP equivalent
login           uid
password        userPassword
uid             uidNumber
gid             gidNumber
gecos           cn, gecos
home directory  homeDirectory
shell           loginShell

Every LDIF begins with a DN, or distinguished name, which describes where the entry will live in the directory. Without the distinguished name, the LDIF is invalid. Unix accounts might live under ou=People, while addressbook entries might live under ou=Addresses. The LDIF also contains all of the attributes for a given entry and their corresponding values. For the Unix password entry shown above, the LDIF would look like:

dn: uid=nvp,ou=People,o=your.domain
uid: nvp
cn: Nathan Patwardhan
givenname: Nathan
sn: Patwardhan
objectClass: person
objectClass: organizationalPerson
objectClass: account
objectClass: shadowAccount
objectClass: top
userPassword:   {crypt}/-password-
loginShell:     /usr/bin/bash
uidNumber:      1000
gidNumber:      1000
homeDirectory:  /users/nvp

Net::LDAP can output an LDIF file for the data that you give it (from which you can use a tool such as ldapadd to add it to the directory) or add the record to the directory.

Library Navigation Links

Copyright © 2002 O'Reilly & Associates. All rights reserved.