• NAME
• SYNOPSIS
• DESCRIPTION
• CONSTRUCTOR
• METHODS
• CONTROLS
• CALLBACKS
• LDAP ERROR CODES
• SEE ALSO
• ACKNOWLEDGEMENTS
• MAILING LIST
• BUGS
• AUTHOR
• COPYRIGHT

---

NAME

Net::LDAP - Lightweight Directory Access Protocol

voltar para o topo

---

SYNOPSIS

 use Net::LDAP;

 $ldap = Net::LDAP->new( 'ldap.bigfoot.com' ) or die "$@";

 $mesg = $ldap->bind ;    # an anonymous bind

 $mesg = $ldap->search( # perform a search

                        base   => "c=US",

                        filter => "(&(sn=Barr) (o=Texas Instruments))"

                      );

 $mesg->code && die $mesg->error;

 foreach $entry ($mesg->entries) { $entry->dump; }

 $mesg = $ldap->unbind;   # take down session

 $ldap = Net::LDAP->new( 'ldap.umich.edu' );

 # bind to a directory with dn and password

 $mesg = $ldap->bind( 'cn=root, o=University of Michigan, c=us',

                      password => 'secret'

                    );

 $result = $ldap->add( 'cn=Barbara Jensen, o=University of Michigan, c=US',

                       attr => [

                         'cn'   => ['Barbara Jensen', 'Barbs Jensen'],

                         'sn'   => 'Jensen',

                         'mail' => 'b.jensen@umich.edu',

                         'objectclass' => ['top', 'person',

                                           'organizationalPerson',

                                           'inetOrgPerson' ],

                       ]

                     );

 $result->code && warn "failed to add entry: ", $result->error ;

 $mesg = $ldap->unbind;  # take down session

voltar para o topo

---

DESCRIPTION

Net::LDAP is a collection of modules that implements a LDAP services API for Perl programs. The module may be used to search directories or perform maintenance functions such as adding, deleting or modifying entries. This document assumes that the reader has some knowledge of the LDAP protocol.

voltar para o topo

---

CONSTRUCTOR

new ( HOST, OPTIONS )

Creates a new Net::LDAP object and opens a connection to the named host.

HOST may be a host name or an IP number. TCP port may be specified

after the host name followed by a colon (such as localhost:10389). The

default TCP port for LDAP is 389.

You can also specify a URI, such as 'ldaps://127.0.0.1:666' or

'ldapi://%2fvar%2flib%2fldap_sock'. Note that '%2f's in the LDAPI

socket path will be translated into '/'. This is to support LDAP query

options like base, search etc. although the query part of the URI will

be ignored in this context. If port was not specified in the URI, the

default is either 389 or 636 for 'LDAP' and 'LDAPS' schemes

respectively.

HOST may also be a reference to an array of hosts, host-port pairs

or URIs to try. Each will be tried in order until a connection is

made. Only when all have failed will the result of undef be

returned.

port => N

Port to connect to on the remote server. May be overridden by HOST.

timeout => N

Timeout passed to the IO::Socket manpage when connecting the remote server.

(Default: 120)

multihomed => N

Will be passed to the IO::Socket manpage as the MultiHomed parameter

when connecting to the remote server

localaddr => HOST

Will be passed to the IO::Socket manpage as the LocalAddr parameter, which

sets the client's IP address (as opposed to the server's IP address.)

debug => N

Set the debug level. See the debug method for details.

async => 1

Perform all operations asynchronously.

onerror => 'die' | 'warn' | undef | sub { ... }

In synchronous mode, change what happens when an error is detected.

'die'

Net::LDAP will croak whenever an error is detected.

'warn'

Net::LDAP will warn whenever an error is detected.

undef

Net::LDAP will warn whenever an error is detected and -w is in

effect. The method that was called will return undef.

sub { ... }

The given sub will be called in a scalar context with a single

argument, the result message. The value returned will be the return

value for the method that was called.

version => N

Set the protocol version being used (default is LDAPv3). This is

useful if you want to talk to an old server and therefore have to use

LDAPv2.

Example

  $ldap = Net::LDAP->new( 'remote.host', async => 1 );

LDAPS connections have some extra valid options, see the start_tls method for details. Note the default value for 'sslversion' for LDAPS is 'sslv2/3', and the default port for LDAPS is 636. For LDAPI connections, HOST is actually the location of a UNIX domain socket to connect to. The default location is '/var/lib/ldapi'.

voltar para o topo

---

METHODS

Each of the following methods take as arguments some number of fixed parameters followed by options, these options are passed in a named fashion, for example

  $mesg = $ldap->bind( "cn=me,o=example", password => "mypasswd");

The return value from these methods is an object derived from the the Net::LDAP::Message manpage class. The methods of this class allow you to examine the status of the request.

abandon ( ID, OPTIONS )

Abandon a previously issued request. ID may be a number or an

object which is a sub-class of the Net::LDAP::Message manpage, returned from a

previous method call.

control => CONTROL

control => [ CONTROL, ... ]

See CONTROLS below

callback => CALLBACK

See CALLBACKS below

Example

  $res = $ldap->search( @search_args );

  $mesg = $ldap->abandon( $res ); # This could be written as $res->abandon

add ( DN, OPTIONS )

Add a new entry to the directory. DN can be either a

the Net::LDAP::Entry manpage object or a string.

attrs => [ ATTR => VALUE, ... ]

VALUE should be a string if only a single value is wanted, or a

reference to an array of strings if multiple values are wanted.

This argument is not used if DN is a the Net::LDAP::Entry manpage object.

control => CONTROL

control => [ CONTROL, ... ]

See CONTROLS below

callback => CALLBACK

See CALLBACKS below

Example

  # $entry is an object of class Net::LDAP::Entry

  $mesg = $ldap->add( $entry );

  $mesg = $ldap->add( $dn,

                      attrs => [

                        name  => 'Graham Barr',

                        attr  => 'value1',

                        attr  => 'value2',

                        multi => [qw(value1 value2)]

                      ]

                    );

bind ( DN, OPTIONS )

Bind (log in) to the server. DN is the DN to bind with. An

anonymous bind may be done by calling bind without any arguments.

control => CONTROL

control => [ CONTROL, ... ]

See CONTROLS below

callback => CALLBACK

See CALLBACKS below

noauth | anonymous => 1

Bind without any password. The value passed with this option is ignored.

password => PASSWORD

Bind with the given password.

sasl => SASLOBJ

Bind using a SASL mechanism. The argument given should be a sub-class

of the Authen::SASL manpage.

Example

  $mesg = $ldap->bind; # Anonymous bind

  $mesg = $ldap->bind( $dn, password => $password );

  # $sasl is an object of class Authen::SASL

  $mesg = $ldap->bind( $dn, sasl => $sasl, version => 3 );

compare ( DN, OPTIONS )

Compare values in an attribute in the entry given by DN on the

server. DN may be a string or a the Net::LDAP::Entry manpage object.

attr => ATTR

The name of the attribute to compare.

value => VALUE

The value to compare with.

control => CONTROL

control => [ CONTROL, ... ]

See CONTROLS below.

callback => CALLBACK

See CALLBACKS below.

Example

  $mesg = $ldap->compare( $dn,

                          attr  => 'cn',

                          value => 'Graham Barr'

                        );

delete ( DN, OPTIONS )

Delete the entry given by DN from the server. DN may be a string

or a the Net::LDAP::Entry manpage object.

control => CONTROL

control => [ CONTROL, ... ]

See CONTROLS below.

callback => CALLBACK

See CALLBACKS below.

Example

 $mesg = $ldap->delete( $dn );

moddn ( DN, OPTIONS )

Rename the entry given by DN on the server. DN may be a string

or a the Net::LDAP::Entry manpage object.

newrdn => RDN

This value should be a new RDN to assign to DN.

deleteoldrdn => 1

This option should be passwd if the existing RDN is to be deleted.

newsuperior => NEWDN

If given this value should be the DN of the new superior for DN.

control => CONTROL

control => [ CONTROL, ... ]

See CONTROLS below.

callback => CALLBACK

See CALLBACKS below.

Example

 $mesg = $ldap->moddn( $dn, newrdn => 'cn=Graham Barr' );

modify ( DN, OPTIONS )

Modify the contents of the entry given by DN on the server. DN

may be a string or a the Net::LDAP::Entry manpage object.

add => { ATTR => VALUE, ... }

Add more attributes or values to the entry. VALUE should be a

string if only a single value is wanted in the attribute, or a

reference to an array of strings if multiple values are wanted.

delete => [ ATTR, ... ]

Delete complete attributes from the entry.

delete => { ATTR => VALUE, ... }

Delete individual values from an attribute. VALUE should be a

string if only a single value is being deleted from the attribute, or

a reference to an array of strings if multiple values are being

deleted.

replace => { ATTR => VALUE, ... }

Replace any existing values in each given attribute with

VALUE. VALUE should be a string if only a single value is wanted

in the attribute, or a reference to an array of strings if multiple

values are wanted. A reference to an empty array will remove the

entire attribute.

changes => [ OP => [ ATTR => VALUE ], ... ]

This is an alternative to add, delete and replace where the

whole operation can be given in a single argument. OP should be

add, delete or replace. VALUE should be either a string or a

reference to an array of strings, as before.

Use this form if you want to control the order in which the operations

will be performed.

control => CONTROL

control => [ CONTROL, ... ]

See CONTROLS below.

callback => CALLBACK

See CALLBACKS below.

Example

 $mesg = $ldap->modify( $dn, add => { sn => 'Barr' } );

 $mesg = $ldap->modify( $dn, delete => [qw(faxNumber)] );

 $mesg = $ldap->modify( $dn, delete => { 'telephoneNumber' => '911' } );

 $mesg = $ldap->modify( $dn, replace => { 'mail' => 'gbarr@pobox.com' } );

 $mesg = $ldap->modify( $dn,

                        changes => [

                            # add sn=Barr

                          add     => [ sn => 'Barr' ],

                            # delete all fax numbers

                          delete  => [ faxNumber => []],

                            # delete phone number 911

                          delete  => [ telephoneNumber => ['911']],

                            # change email address

                          replace => [ mail => 'gbarr@pobox.com']

                        ]

                      );

search ( OPTIONS )

Search the directory using a given filter. This can be used to read

attributes from a single entry, from entries immediately below a

particular entry, or a whole subtree of entries.

The result is an object of class the Net::LDAP::Search manpage.

base => DN

The DN that is the base object entry relative to which the search is

to be performed.

scope => 'base' | 'one' | 'sub'

By default the search is performed on the whole tree below

the specified base object. This maybe changed by specifying a scope

parameter with one of the following values:

base

Search only the base object.

one

Search the entries immediately below the base object.

sub

Search the whole tree below (and including) the base object. This is

the default.

deref => 'never' | 'search' | 'find' | 'always'

By default aliases are dereferenced to locate the base object for the

search, but not when searching subordinates of the base object. This

may be changed by specifying a deref parameter with one of the

following values:

never

Do not dereference aliases in searching or in locating the base object

of the search.

search

Dereference aliases in subordinates of the base object in searching,

but not in locating the base object of the search.

find

Dereference aliases in locating the base object of the search, but not

when searching subordinates of the base object. This is the default.

always

Dereference aliases both in searching and in locating the base object

of the search.

sizelimit => N

A sizelimit that restricts the maximum number of entries to be returned

as a result of the search. A value of 0, and the default, means that

no restriction is requested. Servers may enforce a maximum number of

entries to return.

timelimit => N

A timelimit that restricts the maximum time (in seconds) allowed for a

search. A value of 0 (the default), means that no timelimit will be

requested.

typesonly => 1

Only attribute types (no values) should be returned. Normally

attribute types and values are returned.

filter => FILTER

A filter that defines the conditions an entry in the directory must meet

in order for it to be returned by the search. This may be a string or a

the Net::LDAP::Filter manpage object. Values inside filters may need to be escaped

to avoid security problems; see the Net::LDAP::Filter manpage for a definition of

the filter format, including the escaping rules.

attrs => [ ATTR, ... ]

A list of attributes to be returned for each entry that matches the

search filter.

If not specified, then the server will return the attributes that are

specified as accessible by default given your bind credentials.

Certain additional attributes such as ``createTimestamp'' and other

operational attributes may also be available for the asking:

  $mesg = $ldap->search( ... ,

                         attrs => ['createTimestamp']

                       );

To retrieve the default attributes and additional ones, use '*'.

  $mesg = $ldap->search( ... ,

                         attrs => ['*', 'createTimestamp']

                       );

To retrieve no attributes (the server only returns the DNs of matching

entries), use '1.1':

  $mesg = $ldap->search( ... ,

                         attrs => ['1.1']

                       );

control => CONTROL

control => [ CONTROL, ... ]

See CONTROLS below.

callback => CALLBACK

See CALLBACKS below.

Example

 $mesg = $ldap->search(

                        base   => $base_dn,

                        scope  => 'sub',

                        filter => '(|(objectclass=rfc822mailgroup)(sn=jones))'

                      );

 Net::LDAP::LDIF->new( \*STDOUT,"w" )->write( $mesg->entries );

start_tls ( OPTIONS )

Calling this method will convert the existing connection to using

Transport Layer Security (TLS), which provides an encrypted

connection. This is only possible if the connection uses LDAPv3,

and requires that the server advertizes support for

LDAP_EXTENSION_START_TLS. Use

supported_extension in the Net::LDAP::RootDSE manpage to check this.

verify => 'none' | 'optional' | 'require'

How to verify the server's certificate:

none

The server may provide a certificate but it will not be checked - this

may mean you are be connected to the wrong server

optional

Verify only when the server offers a certificate

require

The server must provide a certificate, and it must be valid.

If you set verify to optional or require, you must also set either cafile or capath. The most secure option is require.

sslversion => 'sslv2' | 'sslv3' | 'sslv2/3' | 'tlsv1'

This defines the version of the SSL/TLS protocol to use. Defaults to

'tlsv1'.

ciphers => CIPHERS

Specify which subset of cipher suites are permissible for this

connection, using the standard OpenSSL? string format. The default

value is 'ALL', which permits all ciphers, even those that don't

encrypt.

clientcert => '/path/to/cert.pem'

clientkey => '/path/to/key.pem'

keydecrypt => sub { ... }

If you want to use the client to offer a certificate to the server for

SSL authentication (which is not the same as for the LDAP Bind

operation) then set clientcert to the user's certificate file, and

clientkey to the user's private key file. These files must be in PEM

format.

If the private key is encrypted (highly recommended) then keydecrypt

should be a subroutine that returns the decrypting key. For example:

 $ldap = Net::LDAP->new( 'myhost.example.com', version => 3 );

 $mesg = $ldap->start_tls(

                           verify => 'require',

                           clientcert => 'mycert.pem',

                           clientkey => 'mykey.pem',

                           keydecrypt => sub { 'secret'; },

                           capath => '/usr/local/cacerts/'

                         );

capath => '/path/to/servercerts/'

cafile => '/path/to/servercert.pem'

When verifying the server's certificate, either set capath to the

pathname of the directory containing CA certificates, or set cafile to

the filename containing the certificate of the CA who signed the

server's certificate. These certificates must all be in PEM format.

The directory in 'capath' must contain certificates named using the

hash value of the certificates' subject names. To generate these

names, use OpenSSL? like this in Unix:

    ln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0

(assuming that the certificate of the CA is in cacert.pem.)

unbind ( )

The unbind method does not take any parameters and will unbind you

from the server. Some servers may allow you to re-bind or perform

other operations after unbinding. If you wish to switch to another set

of credentials while continuing to use the same connection, re-binding

with another DN and password, without unbind-ing, will generally work.

Example

 $mesg = $ldap->unbind;

The following methods are for convenience, and do not return Net::LDAP::Message objects.

async ( VALUE )

If VALUE is given the async mode will be set. The previous value

will be returned. The value is true if LDAP operations are being

performed asynchronously.

certificate ( )

Returns an X509_Certificate object containing the server's

certificate. See the IO::Socket::SSL documentation for information

about this class.

For example, to get the subject name (in a peculiar OpenSSL? -specific

format, different from RFC 1779 and RFC 2253) from the server's

certificate, do this:

    print "Subject DN: " . $ldaps->certificate->subject_name . "\n";

cipher ( )

Returns the cipher mode being used by the connection, in the string

format used by OpenSSL? .

debug ( VALUE )

If VALUE is given the debug bit-value will be set. The previous

value will be returned. Debug output will be sent to STDERR. The

bits of this value are:

 1   Show outgoing packets (using asn_hexdump).

 2   Show incoming packets (using asn_hexdump).

 4   Show outgoing packets (using asn_dump).

 8   Show incoming packets (using asn_dump).

The default value is 0.

disconnect ( )

Disconnect from the server

root_dse ( OPTIONS )

The root_dse method retrieves cached information from the server's

rootDSE.

attrs => [ ATTR, ... ]

A reference to a list of attributes to be returned.

If not specified, then the following attributes will be requested

  subschemaSubentry

  namingContexts

  altServer

  supportedExtension

  supportedFeatures

  supportedControl

  supportedSASLMechanisms

  supportedLDAPVersion

The result is an object of class the Net::LDAP::RootDSE manpage. Example

 my $root = $ldap->root_dse;

 # get naming Context

 $root->get_value( 'namingContext', asref => 1 );

 # get supported LDAP versions

 $root->supported_version;

As the root DSE may change in certain circumstances - for instance when you change the connection using start_tls - you should always use the root_dse method to return the most up-to-date copy of the root DSE.

schema ( OPTIONS )

Read schema information from the server.

The result is an object of class the Net::LDAP::Schema manpage.

Read this documentation for further information about methods that

can be performed with this object.

dn => DN

If a DN is supplied, it will become the base object entry from

which the search for schema information will be conducted. If

no DN is supplied the base object entry will be determined from

the rootDSE entry.

Example

 my $schema = $ldap->schema;

 # get objectClasses

 @ocs = $schema->all_objectclasses;

 # Get the attributes

 @atts = $schema->all_attributes;

socket ( )

Returns the underlying IO::Socket object being used.

sync ( MESG )

Wait for a given MESG request to be completed by the server. If no

MESG is given, then wait for all outstanding requests to be completed.

Returns an error code defined in the Net::LDAP::Constant manpage.

version ( )

Returns the version of the LDAP protocol that is being used.

voltar para o topo

---

CONTROLS

Many of the methods described above accept a control option. This allows the user to pass controls to the server as described in LDAPv3. A control is a reference to a HASH and should contain the three elements below. If any of the controls are blessed then the method to_asn will be called which should return a reference to a HASH containing the three elements described below.

type => OID

This element must be present and is the name of the type of control

being requested.

critical => FLAG

critical is optional and should be a boolean value, if it is not specified

then it is assumed to be false.

value => VALUE

If the control being requested requires a value then this element should

hold the value for the server.

voltar para o topo

---

CALLBACKS

Most of the above commands accept a callback option. This option should be a reference to a subroutine. This subroutine will be called for each packet received from the server as a response to the request sent. When the subroutine is called the first argument will be the the Net::LDAP::Message manpage object which was returned from the method. If the request is a search then multiple packets can be received from the server. Each entry is received as a separate packet. For each of these the subroutine will be called with a the Net::LDAP::Entry manpage object as the second argument. During a search the server may also send a list of references. When such a list is received then the subroutine will be called with a the Net::LDAP::Reference manpage object as the second argument.

voltar para o topo

---

LDAP ERROR CODES

Net::LDAP also exports constants for the error codes that can be received from the server, see the Net::LDAP::Constant manpage.

voltar para o topo

---

SEE ALSO

the Net::LDAP::Constant manpage, the Net::LDAP::Control manpage, the Net::LDAP::Entry manpage, the Net::LDAP::Filter manpage, the Net::LDAP::Message manpage, the Net::LDAP::Reference manpage, the Net::LDAP::Search manpage, the Net::LDAP::RFC manpage The homepage for the perl-ldap modules can be found at http://perl-ldap.sourceforge.net/

voltar para o topo

---

ACKNOWLEDGEMENTS

This document is based on a document originally written by Russell Fulton <r.fulton@auckland.ac.nz>. Chris Ridd <chris.ridd@isode.com> for the many hours spent testing and contribution of the ldap* command line utilities.

voltar para o topo

---

MAILING LIST

A discussion mailing list is hosted by sourceforge at <perl-ldap@perl.org> No subscription is necessary!

voltar para o topo

---

BUGS

We hope you do not find any, but if you do please report them to the mailing list. If you have a patch, please send it as an attachment to the mailing list.

voltar para o topo

---

AUTHOR

Graham Barr <gbarr@pobox.com>

voltar para o topo

---

COPYRIGHT

Copyright (c) 1997-2004 Graham Barr. All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

voltar para o topo