

17.8. Looking Up Addresses with LDAP

17.8.3. Discussion

LDAP stands for Lightweight Directory Access Protocol. An LDAP server stores directory information, such as names and addresses, and allows you to query it for results. In many ways, it's like a database, except that it's optimized for storing information about people.

In addition, instead of the flat structure provided by a database, an LDAP server allows you to organize people in a hierarchical fashion. For example, employees may be divided into marketing, technical, and operations divisions, or they can be split regionally into North America, Europe, and Asia. This makes it easy to find all employees of a particular subset of a company.

When using LDAP, the address repository is called a data source. Each entry in the repository has a globally unique identifier, known as a distinguished name. The distinguished name includes not only a person's name but also their company information. For instance, John Q. Smith, who works at Example Inc., a U.S. company, has a distinguished name of cn=John Q. Smith, o=Example Inc., c=US. In LDAP, cn stands for common name, o for organization, and c for country.

You must enable PHP's LDAP support with --with-ldap. You can download an LDAP server from http://www.openldap.org. This recipe assumes basic knowledge about LDAP. For more information, read the articles on the O'Reilly Network at http://www.onlamp.com/topics/apache/ldap.

Communicating with an LDAP server requires four steps: connecting, authenticating, searching records, and logging off. Besides searching, you can also add, alter, and delete records.

The opening transactions require you to connect to a specific LDAP server and then authenticate yourself in a process known as binding:

$ds = ldap_connect('ldap.example.com')                 or die($php_errormsg);
ldap_bind($ds)                                         or die($php_errormsg);

Passing only the connection handle, $ds, to ldap_bind( ) does an anonymous bind. To bind with a specific username and password, pass them as the second and third parameters, like so:

ldap_bind($ds, $username, $password)                   or die($php_errormsg);

Once logged in, you can request information. Because the information is arranged in a hierarchy, you need to indicate the base distinguished name as the second parameter. Finally, you pass in the search criteria. For example, here's how to find all people with a surname of Jones at company Example Inc. located in the country US:

$sr = ldap_search($ds, 'o=Example Inc., c=US', 'sn=Jones') or die($php_errormsg);
$e  = ldap_get_entries($ds, $sr)                           or die($php_errormsg);

Once ldap_search( ) returns results, use ldap_get_entries( ) to retrieve the specific data records. Then iterate through the array of entries, $e:

for ($i = 0; $i < $e['count']; $i++) {
    // each attribute is an array of values; index 0 is the first value
    echo $e[$i]['cn'][0] . ' (' . $e[$i]['mail'][0] . ')<br>';
}

Instead of doing count($e), use the precomputed record size located in $e['count']. Inside the loop, print the first common name and email address for each record. For example:

David Sklar (sklar@example.com)
Adam Trachtenberg (adam@example.com)

The ldap_search( ) function searches the entire tree equal to and below the distinguished name base. To restrict the results to a specific level, use ldap_list( ). Because the search takes place over a smaller set of records, ldap_list( ) can be significantly faster than ldap_search( ).
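The four steps above, connecting, binding, searching, and logging off, put together in one function. This is an added example, not code from the book; it assumes PHP 5.6 or later for ldap_escape( ), and the host name, base DN, and bind credentials are placeholders. Unlike the recipe's literal filter 'sn=Jones', the surname here is treated as untrusted input and escaped before it is placed in the filter, so a value such as "*" or ")(cn=*" cannot change what the query matches.

```php
<?php
// Added example (not the book's code). Looks up people by surname and
// returns an array of ['cn' => ..., 'mail' => ...] records.
function find_by_surname($host, $base_dn, $surname, $bind_dn = null, $password = null)
{
    $ds = ldap_connect($host);              // host name is a placeholder
    if (!$ds) {
        throw new RuntimeException("Could not connect to $host");
    }
    // Most servers expect LDAPv3; PHP's default is v2, which some servers reject.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    if ($bind_dn === null) {
        $ok = ldap_bind($ds);               // anonymous bind, as in the recipe
    } else {
        // A DN with an empty password is an "unauthenticated" bind, which many
        // servers silently treat as anonymous; refuse it rather than proceed.
        if ($password === null || $password === '') {
            throw new InvalidArgumentException('Refusing bind with empty password');
        }
        $ok = ldap_bind($ds, $bind_dn, $password);
    }
    if (!$ok) {
        throw new RuntimeException('Bind failed: ' . ldap_error($ds));
    }

    // Escape filter metacharacters (* ( ) \ NUL) so the value cannot alter the
    // filter's structure. ldap_escape() exists since PHP 5.6.
    $filter = '(sn=' . ldap_escape($surname, '', LDAP_ESCAPE_FILTER) . ')';
    // Ask only for the attributes that will be used.
    $sr = ldap_search($ds, $base_dn, $filter, array('cn', 'mail'));
    if (!$sr) {
        $err = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException('Search failed: ' . $err);
    }

    $e = ldap_get_entries($ds, $sr);
    $people = array();
    // Use the precomputed $e['count'], not count($e), as the recipe explains.
    for ($i = 0; $i < $e['count']; $i++) {
        // attribute names come back lowercased; either attribute may be absent
        $people[] = array(
            'cn'   => isset($e[$i]['cn'][0])   ? $e[$i]['cn'][0]   : '',
            'mail' => isset($e[$i]['mail'][0]) ? $e[$i]['mail'][0] : '',
        );
    }

    ldap_unbind($ds);                       // log off
    return $people;
}

// Placeholder host and base DN, matching the recipe's example values.
foreach (find_by_surname('ldap.example.com', 'o=Example Inc., c=US', 'Jones') as $p) {
    echo $p['cn'] . ' (' . $p['mail'] . ")\n";
}
```

To limit the search to the entries directly beneath the base DN, swap ldap_search( ) for ldap_list( ); the arguments are the same.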

17.8.4. See Also

Section 17.8 for authenticating users with LDAP; documentation on LDAP at http://www.php.net/ldap; RFC 2251 at http://www.faqs.org/rfcs/rfc2251.html.


Copyright © 2003 O'Reilly & Associates. All rights reserved.