Tools for Developing LDAP Applications

   

In this section we examine some different categories of SDKs and scripting tools that can be used to develop LDAP applications. The Further Reading section near the end of this chapter includes pointers to more detailed information on all the tools we mention. Directory software vendors naturally encourage developers to write directory-enabled applications, so many of these tools can be freely downloaded from the Internet and used at no cost.

LDAP software development tools that can be used to write directory-enabled applications can be organized into four categories:

  1. LDAP SDKs

  2. LDAP command-line tools

  3. LDAP tag libraries for Web development

  4. Directory-agnostic SDKs

Practically speaking, your choice of LDAP software development tools is constrained by the programming languages you're comfortable using. The next two most important criteria for choosing a tool are its quality and its documentation. You should experiment with several packages to see which one you like best before you begin writing code.

LDAP SDKs

LDAP SDKs typically provide complete, high-performance, native access to all the features of LDAP. The application programming interfaces (APIs) they provide may conform to the C or Java LDAP API specifications being developed by the Internet Engineering Task Force (IETF). At the time of this writing, the programming languages directly supported include C, C++, Perl, Java, Python, and Ruby. Popular LDAP SDKs include the following:

  • Netscape LDAP C SDK (also available in source code form through mozilla.org). This SDK closely tracks the emerging IETF standard for an LDAP C API.

  • Netscape LDAP Java SDK (also available in source code form through mozilla.org). This SDK closely tracks the emerging IETF standard for an LDAP Java API.

  • Net::LDAP Perl-LDAP modules by Graham Barr and contributors. This is a native Perl implementation of LDAP; no platform-specific code is used.

  • PerLDAP Perl module. PerLDAP calls through to the Netscape LDAP C SDK.

  • Python-LDAP, which provides LDAP access from the Python language. Python-LDAP calls through to an LDAP C SDK.

  • Ruby/LDAP, which provides LDAP access from the Ruby language. Ruby/LDAP calls through to an LDAP C SDK.

An LDAP SDK is a good choice if the application you need to LDAP-enable is written in one of the supported languages. All popular hardware and OS platforms are supported, and in some cases (such as with the Netscape SDKs), source code is available to allow for ports to other platforms. If your programming language of choice is not directly supported, you may still be able to use one of these SDKs. Most widely used programming and scripting languages can call C, C++, or Java code. For example, Microsoft Visual Basic code can use C library functions, and JavaScript can use Java classes and methods.

LDAP Command-Line Tools

Some vendors provide a set of command-line tools that provide access to LDAP directories. These tools are useful for simple LDAP integration tasks, especially those for which performance isn't critical. LDAP command-line tools are good choices for batch-oriented applications as well.

The LDAP command-line tools can be called from a variety of languages, including compiled languages such as C++, Windows command language, any Unix shell-scripting language, and Perl. Netscape provides the following command-line tools with its directory SDKs and its Directory Server product:

  • ldapcompare. Executes a series of LDAP compare operations.

  • ldapdelete. Deletes one or more LDAP entries.

  • ldapmodify. Adds, deletes, modifies, or renames one or more LDAP entries. The ldapmodify tool accepts LDIF as input to describe the changes to be made to the directory.

  • ldapsearch. Executes a series of LDAP search operations. The output produced by the ldapsearch tool conforms to the LDIF specification.

Several other directory software vendors, such as OpenLDAP, provide similar tools.
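Scripts that consume ldapsearch output have to treat it as LDIF rather than as plain "name: value" lines: long values are folded onto continuation lines, and values that are not safe as plain text are written base64-encoded after a double colon. The following parser is an added example, not code from the book or from any vendor's tools; the sample output is constructed, and the function names are hypothetical. It also refuses URL-referenced values ("<") instead of fetching them.

```python
import base64

# Constructed sample of ldapsearch-style LDIF output (not from a real directory).
B64_CN = base64.b64encode("Kirsten Jensén".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = (
    "version: 1\n\n"
    "dn: uid=bjensen,ou=People,dc=example,dc=com\n"
    "cn: Barbara Jensen\n"
    "description: Manages the accoun\n"
    " ting directory\n\n"            # folded value: continuation starts with one space
    "dn: uid=kjensen,ou=People,dc=example,dc=com\n"
    f"cn:: {B64_CN}\n"               # "::" marks a base64-encoded value
    "ou: Accounting\nou: People\n"   # multi-valued attribute
)

def unfold(text):
    """Join LDIF continuation lines (one leading space) to the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return a list of {'dn': str, 'attrs': {name: [values]}} dictionaries."""
    entries, current = [], None
    for line in unfold(text):
        if not line.strip():                 # a blank line ends the current entry
            current = None
            continue
        if line.startswith("#"):             # comment line
            continue
        name, sep, rest = line.partition(":")
        if not sep or rest.startswith("<"):  # malformed, or a URL value we will not fetch
            raise ValueError("unsupported LDIF line: %r" % line)
        # base64 values are decoded as UTF-8 text here; plain values lose the leading space
        value = (base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
                 if rest.startswith(":") else rest.lstrip(" "))
        name = name.lower()
        if current is not None:
            current["attrs"].setdefault(name, []).append(value)
        elif name == "dn":
            current = {"dn": value, "attrs": {}}
            entries.append(current)
        elif name != "version":
            raise ValueError("entry does not start with dn: %r" % line)
    return entries
```
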

LDAP Tag Libraries for Web Development

Templates and tag libraries have become popular in the Web development community as a way to cleanly separate the user interface from the application logic. To accomplish this separation, HTML or XML templates are used to describe the user interface in conjunction with embedded tags that trigger calls to application-specific code. The most popular Web page template frameworks are Microsoft's Active Server Pages (ASP) and Sun's JavaServer Pages (JSP).

Because of Java's popularity as a platform for writing portable Web applications, JSPs are widely used. JSP files are standard HTML files with some extra JSP tags thrown in. Several JSP tag libraries are available for accessing LDAP directories. One such library is Simya Consultancy's LDAP JSP Tag Library, which is available at http://www.simya.net/products.html. Listing 21.2 shows a simple JSP file that uses Simya's tag library to search an LDAP directory server and produce a table from the entries returned.

Listing 21.2 An LDAP JSP Example: list-jensens.jsp
 1. <%@ taglib uri="/ldap" prefix="ldap" %>
 2. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
 3. <html><head><title>User List</title></head>
 4. <body>
 5. <ldap:connect url="ldap://ldap.example.com">
 6. <h2>List of Jensens in example.com</h2>
 7. <table bgcolor="#F0F8FF" cellspacing="0" cellpadding="2" border="1">
 8. <tr bgcolor="Silver">
 9. <th>RDN</th>
10. <th>User ID</th>
11. <th>User Name</th>
12. <th>Telephone</th>
13. <th>Department</th></tr>
14. <ldap:query id="ldapresult" basedn="ou=People,dc=example,dc=com"
15.    filter="(sn=jensen)" limit="100">
16. <tr>
17. <td><%= ldapresult.getDN() %></td>
18. <td><%= ldapresult.getStringAttribute("uid") %></td>
19. <td><ldap:getAttribute name="cn"/></td>
20. <td><ldap:getAttribute name="telephonenumber"/></td>
21. <td><ldap:getAttribute name="ou" delimiter="<br>"/></td>
22. </tr>
23. </ldap:query>
24. </table>
25. </ldap:connect>
26. </body>
27. </html>

Line 1 contains a JSP tag library directive that causes the Simya LDAP tag library to be loaded. The JSP tags that begin with "<ldap:" are the Simya tags themselves that pull information out of the example.com LDAP server (for example, line 5 contains an ldap:connect tag). The tags that begin with "<%=" are JSP expressions (for example, line 17 includes an embedded expression that retrieves the distinguished name, or DN, of an entry in the list of search results). Listing 21.2 also contains many standard HTML tags, some of which are used to produce a table. Figure 21.10 shows a sample of the output produced by this JSP file, as viewed in a Web browser.

Figure 21.10. The list-jensens.jsp Example in Action

The Further Reading section near the end of this chapter provides pointers to additional JSP resources.
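Listing 21.2 uses a literal filter, and its "<%=" expressions write directory values into the page as they are. The following added example, written in Python rather than JSP and not part of the book or of Simya's library, shows the two checks a variant of that page would need if the surname came from a request parameter: escaping the filter value as RFC 4515 requires, and HTML-escaping each value before it goes into a table cell. The function names and the sample entry are hypothetical.

```python
import html

# Characters that must be escaped inside an LDAP filter assertion value (RFC 4515).
FILTER_SPECIALS = {"\\", "*", "(", ")", "\x00"}

def escape_filter_value(value):
    """Replace each special character with a backslash and its two-digit hex code."""
    return "".join("\\%02x" % ord(c) if c in FILTER_SPECIALS else c for c in value)

def surname_filter(surname):
    """Build the (sn=...) filter of Listing 21.2 for a caller-supplied surname."""
    return "(sn=%s)" % escape_filter_value(surname)

def first(attrs, name):
    """Return the first value of an attribute, or an empty string if it is absent."""
    values = attrs.get(name, [])
    return values[0] if values else ""

def render_row(dn, attrs):
    """Render one row with the columns of Listing 21.2, HTML-escaping every value."""
    cells = [
        html.escape(dn),
        html.escape(first(attrs, "uid")),
        html.escape(first(attrs, "cn")),
        html.escape(first(attrs, "telephonenumber")),
        # Escape each value first, then join with the <br> delimiter the listing uses.
        "<br>".join(html.escape(v) for v in attrs.get("ou", [])),
    ]
    return "<tr>" + "".join("<td>%s</td>" % c for c in cells) + "</tr>"

# Constructed entry whose values contain HTML metacharacters.
SAMPLE_DN = "uid=a,dc=example,dc=com"
SAMPLE_ATTRS = {"uid": ["a"], "cn": ["<b>Al</b> & Co"], "ou": ["R&D", "Sales"]}

if __name__ == "__main__":
    print(surname_filter("je*n(s)en"))
    print(render_row(SAMPLE_DN, SAMPLE_ATTRS))
```
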

DSML Tools and SDKs

The Directory Services Markup Language (DSML) is a standard for representing directory data and operations using XML. The basic DSML version 1 specification (DSMLv1), which simply defines a way to represent directory data using XML, has existed since 1999. Some LDAP SDKs provide facilities for parsing DSMLv1, servers such as Netscape Directory Server 6 support DSMLv1 import and export, and some DSMLv1-specific tools do exist. But the real excitement centers on DSML version 2 (DSMLv2), which draws from the LDAP protocol standards to allow the complete set of LDAP directory operations to be represented with XML.

In addition, DSMLv2 defines a standard way to transport DSML over the Simple Object Access Protocol (SOAP), which is the preferred protocol for creating new Web services applications (SOAP is the foundation for Microsoft's .NET initiative, among other efforts). The combination of DSMLv2 and SOAP will open directory services to a new class of application developers, and it is widely expected that the prominent directory software vendors will add support for DSMLv2-over-SOAP to their products.

In April 2002, the DSMLv2 specification was approved by the members of the Organization for the Advancement of Structured Information Standards (OASIS). Now that DSMLv2 is a standard, expect to see a flurry of activity around DSML, including the release of a variety of new DSML tools and SDKs.

Directory-Agnostic SDKs

Your remaining choice is to use an SDK that provides access to a variety of directory and directory-like data sources (including LDAP). We use the term directory-agnostic to describe these SDKs. Examples include Microsoft's Active Directory Services Interface (ADSI) for the Windows platform and Sun's Java Naming and Directory Interface (JNDI). ADSI can be used with a variety of programming languages, including C++, Visual Basic, and VBScript. JNDI can be used only with Java.

Access to a variety of data sources is provided by a common, directory-independent API that application programmers may use. These SDKs are internally designed and constructed so that a variety of directory service modules can be plugged in beneath the API. A good example of this kind of SDK architecture is JNDI. Figure 21.11 shows the internal architecture of the JNDI implementation.

Figure 21.11. The JNDI Architecture

A directory-agnostic SDK may be a good choice if your application needs access to directory services other than LDAP. The main disadvantages of these SDKs are that in some cases they do not provide full access to LDAP's capabilities and they do not evolve as fast as the SDKs that focus purely on LDAP. Other disadvantages include increased overhead and code size as a result of the extra layers and directory service modules included. In the case of ADSI, it may be difficult to call the SDK functions from existing applications that are not based on Microsoft's Component Object Model (COM). JNDI, on the other hand, has been enhanced to support most LDAP features, including LDAPv3 controls and extended operations. JNDI is included in Sun's Java Development Kits (JDKs) and is widely used.

   


Understanding and Deploying LDAP Directory Services (2nd Edition)
ISBN: 0672323168
EAN: 2147483647
Year: 2002
Pages: 242
