How Data Is Stored in LDAP
Searching an LDAP Directory with Net::LDAP
Adding an Entry to the Directory with Net::LDAP
Net::LDAP Methods
LDAP was designed as a client/server protocol to provide quick and simple access to entries that live in a directory. Initially, LDAP was designed to provide a better interface to X.500 directory services, but its ease of implementation and IETF-based change control means that LDAP has carved its own niche as a directory service.
What is a directory service? In short, the directory is where you store an entry. Each entry contains information about an object. Entries have attributes, each with a type and at least one value. Each attribute type has a strict syntax that determines which values are allowed for that attribute; such attribute syntaxes include strings, JPEG photographs, and URLs.
If you've ever tried to solve a complex problem in a heterogeneous computing environment, such as syncing user accounts between different computing platforms, managing a company-wide address book, or building a public-key infrastructure, you might be interested in what LDAP has to offer.
While the IETF governs changes to the LDAP spec, you are not limited to a single source for the availability of an LDAP server. Companies such as iPlanet, Novell, and Microsoft sell commercial LDAP implementations, and you'll also find a good, free LDAP implementation in OpenLDAP (http://www.openldap.org).
Net::LDAP implements the LDAP API for Perl programs. You can use Net::LDAP to search or modify the contents of your LDAP directory. In other words, Net::LDAP does everything that you need it to.
This chapter covers Net::LDAP and how to operate on data in an LDAP directory, but it is not an LDAP tutorial. If you're unfamiliar with LDAP, you are strongly encouraged to refer to your LDAP server documentation before attempting to make any changes to your directory.
LDAP stores data in a structure as described in RFC 1617, which also offers guidelines as to how your naming style might look. While there are many ways to implement a data hierarchy in LDAP, you can implement your directory structure so that all entries live under a single root that represents your organization. For example, you can import all your Unix account data for your.domain into a directory server with the following:
object: your.domain
Organizational Unit: People
Type for login name: uid
Your Unix account information would be stored in LDAP like so:
uid=youruser,ou=People,o=your.domain
At the simplest level, data is imported into LDAP by way of the LDAP Directory Interchange Format (LDIF). LDIF is a standard data format that specifies all the information about a record that you will insert into the directory. Take, for instance, a Unix account that lives in /etc/passwd:
nvp:-password-:1000:1000:Nathan V. Patwardhan:/home/nvp:/usr/bin/bash
When you break the password entry down, the following fields exist:
login           nvp
password        -password-
uid             1000
gid             1000
gecos           Nathan V. Patwardhan
home directory  /users/nvp
shell           /usr/bin/bash
The Unix /etc/passwd entries correspond to entries that you've created in LDAP, with the following naming differences:
UNIX            LDAP equivalent
login           uid
password        userPassword
uid             uidNumber
gid             gidNumber
gecos           cn, gecos
home directory  homeDirectory
shell           loginShell
Every LDIF begins with a DN, or distinguished name, which describes where the entry will live in the directory. Without the distinguished name, the LDIF is invalid. Unix accounts might live under ou=People, while addressbook entries might live under ou=Addresses. The LDIF also contains all of the attributes for a given entry and their corresponding values. For the Unix password entry shown above, the LDIF would look like:
dn: uid=nvp,ou=People,o=your.domain
uid: nvp
cn: Nathan Patwardhan
givenname: Nathan
sn: Patwardhan
objectClass: person
objectClass: organizationalPerson
objectClass: account
objectClass: shadowAccount
objectClass: top
userPassword: {crypt}/-password-
loginShell: /usr/bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /users/nvp
Net::LDAP can output an LDIF file for the data that you give it (from which you can use a tool such as ldapadd to add it to the directory) or add the record to the directory.
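As an added example (not from the book), the passwd-to-LDAP mapping above written with Net::LDAP: it builds a Net::LDAP::Entry from a constructed /etc/passwd-style line and writes it out as LDIF through Net::LDAP::LDIF. The sample line, the placeholder crypt hash and the base name your.domain are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP::Entry;
use Net::LDAP::LDIF;

# Constructed sample line in /etc/passwd format (not a real account).
# The second field holds a placeholder crypt(3) hash, as you would copy it
# from /etc/shadow; the real /etc/passwd field is normally just "x".
my $passwd_line = 'nvp:$1$placeholder$hashvalue:1000:1000:Nathan V. Patwardhan:/users/nvp:/usr/bin/bash';

# Map one passwd line onto the LDAP attributes from the table above.
sub passwd_to_entry {
    my ($line, $base) = @_;
    my ($login, $hash, $uid, $gid, $gecos, $home, $shell) = split /:/, $line, 7;
    die "malformed passwd line: $line\n" unless defined $shell;

    # First and last word of the GECOS field become givenName and sn.
    my ($first, $last) = (split / /, $gecos)[0, -1];

    my $entry = Net::LDAP::Entry->new;
    $entry->dn("uid=$login,ou=People,o=$base");
    $entry->add(
        objectClass   => [qw(top person organizationalPerson account shadowAccount)],
        uid           => $login,
        cn            => $gecos,
        gecos         => $gecos,
        givenName     => $first,
        sn            => $last,
        # Reuse the existing crypt hash; never put a cleartext password here.
        userPassword  => "{crypt}$hash",
        uidNumber     => $uid,
        gidNumber     => $gid,
        homeDirectory => $home,
        loginShell    => $shell,
    );
    return $entry;
}

my $entry = passwd_to_entry($passwd_line, 'your.domain');

# Write the entry as LDIF to STDOUT. Net::LDAP::LDIF base64-encodes any
# value that is not LDIF-safe, so odd characters in GECOS are handled.
my $ldif = Net::LDAP::LDIF->new(\*STDOUT, 'w', onerror => 'die');
$ldif->write_entry($entry);
$ldif->done;
```

The same $entry can be handed to $ldap->add($entry) on a bound Net::LDAP connection instead of being written to a file; check the returned result's code() before assuming the add succeeded.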
Copyright © 2002 O'Reilly & Associates. All rights reserved.