LDAP and PHP | The ABCs of LDAP: How to Install, Run, and Administer LDAP Services

< Day Day Up >

PHP is a multipurpose scripting language that is well suited for use in Web development because it can be easily embedded in HTML documents. PHP stands for PHP hypertext preprocessor (originally, PHP was an abbreviation for personal home page). The language was originally written for use in hypertext documents, and that remained its main purpose until version 4.2.0. Since the introduction of version 4.2.0, PHP has included a new API, in PHP parlance called SAPI (server application programming interface), i.e., a command-line interface. This interface made it possible to execute PHP scripts from the command line and extend the use of PHP to other, nonhypertext-oriented applications too. The LDAP software development kit is easily available, and it is free. In the PHP v4.2.0 release, this feature is still experimental. The upcoming version (at the time of this writing) is available at http://snaps.php.net for both UNIX and Win32 platforms.

The big advantage of PHP is that it is very easy to use; one can begin writing scripts after half an hour of study to learn the language, which is well documented. PHP has a syntax that draws from C, Java, and Perl. Later, if you need more-sophisticated features, you will discover a vast choice of libraries, for example SQL, Mail, HTTP, PDF, TCP/IP, and of course LDAP. Furthermore, PHP has object-oriented features, so the programmer has the option of working at the cutting edge of technology. Finally, PHP is available on a vide variety of platforms, including UNIX, Win32, MacOS, NetWare, and even OS/2.

This chapter is not a PHP tutorial. If you need more information about this language, please refer to the online documentation available at the official PHP Web site, http://www.php.net. As stated in the introduction to this chapter, we dedicate much more space to this language because of its simplicity, which enables the programmer to concentrate on the LDAP part of the work.

We have just a few more words before getting down to the business of reviewing the LDAP library of PHP. As mentioned before, you can use PHP from the command line or embedded in HTML pages. The only difference is that PHP code embedded in HTML has to use HTML elements for formatting purposes of the output. For example, in the command-line mode you will use "\n" for the new-line character, but in HTML you will use <BR>. In both cases, however, you have to tell the PHP parser that it has to interpret the code as PHP. The code shown in Exhibit 13 does the job. Everything outside the brackets will just to be echoed. Other than that, you can proceed as with other scripting languages. For the Win32 platform, you have to declare that files with "php" extensions are LDAP code. In the UNIX world, you can precede the PHP code with a call to the PHP interpreter. For example, if your interpreter resides at "/usr/local/bin/php," the PHP frame will look like the code shown in Exhibit 14.

 <?php // php code . . . ?>

Exhibit 13: Example of php Script

 #! /usr/local/bin/php <?php       // php code . . . ?>

Exhibit 14: Call of LDAP Interpreter Inside a php Script on UNIX

First Steps with PHP-LDAP

As with all the LDAP libraries, we have to use the well-known paradigm of

Connecting to the server that LDAP is running on
Binding to the LDAP server
Executing the requested operations
Unbinding from the LDAP server

Let us now look at some examples showing the use of PHP. The first example in Exhibit 15 shows a connection for an anonymous user who executes a query. (We assume that the anonymous user has the right to do so in our example installation.) The relevant commands are:

ldap_connect: Establishes the connection
ldap_bind: Binds to the LDAP server after the work is done
ldap_unbind: Unbinds the LDAP server and close the connection

 <?php // Example1: Connect to the LDAP server, bind, execute a query and unbind $LDAP_Server    = "ldap.ldap_abc.de" ; $BaseDN         = "o=ldap_abc.de" ; $Filter         = "(sn=c*)"; printf("Connecting . . . \n"); $ConnectionID = ldap_connect($LDAP_Server) ; if ($ConnectionID) {   printf("Connected to %s\n",$LDAP_Server);   printf("Binding as anonymous \n");   $BindRes = @ldap_bind($ConnectionID) ;   if ($BindRes) {     printf("Bound to LDAP server \n");     $Result = @ldap_search($ConnectionID, $BaseDN, $Filter);     if (! $Result) {       printf("LDAP Error (%d)\n Description: %s\n",         ldap_errno($ConnectionID),         ldap_error($ConnectionID));     } else {       $entries = ldap_get_entries($ConnectionID,$Result);       for ($i=0 ; $i < $entries["count"] ; $i++) {         printf("DN: %s\n",$entries[$i]["dn"]);       }     }   } else {     printf("Could not bind to LDAP Server \n");   } }else {   printf("Unable to connect to %s\n",$LDAP_Server); } ldap_unbind($ConnectionID); ?>

Exhibit 15: Simple Example of Connect, Bind, Search, and Unbind

The commands will be explained in more detail in the next few paragraphs. This chapter is structured much like Chapter 3, where you find the functional model of LDAP.

Authentication and Control Operations

ldap_connect

Before binding to the LDAP server, you need to establish a connection. You do this using the ldap_connect command:

 resource ldap_connect(string hostname, [int port])

The parameters are the hostname you wish to connect to and an optional port number. If you do not specify the port number, the standard port 389 is assumed. If the connection request has been successful, a resource identifier is returned; otherwise you get FALSE.

ldap_bind

Before you can ask the LDAP server to execute commands on your behalf, you to have to authenticate yourself against the LDAP server. The ldap_bind command does this. Here is the syntax:

 bool ldap_bind (resource link_identifier [, string bind_dn [, string bind_password]])

The first parameter is the resource identifier you got from your connection to the server. By the way, you could also open two connections and handle them independently from each other. The optional parameters are the distinguished name and the password. If you do not specify DN and password, an anonymous connection is assumed. Otherwise, you have the access rights defined for the DN you logged in with. Exhibit 16 is a code fragment illustrating a bind with userID and password.

 $DistinctName = "uid=JamesParker,ou=Marketing,o=ldap_abc.de" ; $Password = "secretPassword" ; $BindResult = ldap_bind($ResourceID, $DistinctName, $Password) ; if (!$BindResult) {   printf("Could not bind to LDAP Server \n%d: %s\n",     ldap_errno($ConnectionID),     ldap_error($ConnectionID)); }

Exhibit 16: Bind with Distinct Name and Password

ldap_unbind

The ldap_unbind operation releases the user-specific data structures and closes the connection. It takes only one parameter, the resource identifier of the connection. Here is the syntax:

 bool ldap_unbind (resource link_identifier)

It returns TRUE for success, FALSE for failure.

ldap_close

The ldap_close function is a simple synonym for ldap_unbind. The syntax is the same. There is no abandon function available yet.

 bool ldap_close (resource link_identifier)

More about Authentication in a Web Environment

In many cases, you will want to control access to your Web pages or Web applications. The authentication mechanism frequently should also provide more information about the authenticated user. For example, the PHP script may need the common name and surname of the user so that it can be printed on the welcome page of the application. Exhibit 17 is a sample script for authentication. This example contains two interesting concepts not directly related to LDAP: session maintenance and transport of session data. These are achieved, respectively, with the session_start/session_end and session_register functions. Again, refer to the PHP online manual for the exact syntax. What we are interested in here is the authentication procedure. From the initial authentication form (a simple HTML form), the script gets the credentials using for the UsrId $HTTP_POST_VARS['login'] and for the password $HTTP_POST_VARS['password']. These variables are provided by the Web server contained in $HTTP_POST_VARS['variable'] where variable is the name of the field in the HTML form. The variables "login" and "password" are the names of the fields in the HTML form and will probably be different for your application.

 <?php session_start();   // Configuration:   $LDAP_Server = "LdapAbc.org" ;   $LDAP_BaseDN = " ou=IT, o=LdapAbc.org" ;   $Error_HTML = "/Error.html" ;   $TimeOut_HTML = "/TimeOut.html" ;   // Grabbing Parameters from Script Environment:   $CallingScript = $HTTP_SERVER_VARS['PHP_SELF'];   $login = $HTTP_POST_VARS['login'] ;   $password = $HTTP_POST_VARS['password'] ;   Location=sprintf("http://%s/%s",     $HTTP_SERVER_VARS['HTTP_HOST'],     dirname($HTTP_SERVER_VARS['PHP_SELF']));   // Register the session:   session_register('CallingScript');   $check = !empty($login);   if (is_array($authdata)) {     $now = time();     if ($now - $start 1000) {       $Location = $Location.$TimeOut_HTML ;       Exception($Location);   // The session should be destroyed,   // and will be destroyed by the error mask     }     $start = time();   } elseif ($check) {     $ds=ldap_connect($LDAP_Server);     $r=ldap_bind($ds);     $udn="u,".$LDAP_BaseDN ; $res=@ldap_bind($ds,$udn,$            password);     if ($res && (chop($login) != "") && (chop($password) !="")){       session_register('authdata');       session_register("start");       $authdata=array("login"=$login);       $start = time();       // Everything's ok, so we don't do nothing at all.     } else {       unset($authdata);       $Location = $Location.$Error_HTML ;       Exception($Location);     }   } else {     unset($authdata);     $Location = $Location.$Error_HTML ;     Exception($Location) ;   }   function Exception($Location) {     echo "" ;     echo "window.location.replace(\"$Location\") ; " ;     echo "" ;   } ?>

Exhibit 17: Example of Authentication

After the bind, your application has to establish the user's level of control if the variables for the distinguished name and the password contain any values. If they do not, the application refuses to deliver the pages. You have to handle this case explicitly; otherwise, the LDAP server would assume an anonymous connection and would not report any error.

Another observation about the bind command is mainly a cosmetic consideration. Look at the line with the bind command, which is prefixed by the "at" sign ("@"). Standard output for the bind command would normally print out an ugly error message. The @ sign suppresses this message and allows you to handle eventual error messages.

You can use the following functions to handle errors:

int ldap_errno (resource link_identifier): Returns the error number of the last command. Parameter is the resource identifier of the LDAP connection.
string ldap_error (resource link_identifier): Returns the error text of the last executed command. Parameter is the resource identifier of the LDAP connection.
string ldap_err2str (int errno): Converts from the error number to an error string. The parameter is the error number you got from the ldap_errno command.

One last observation regarding the ldap_unbind-ldap_bind combination. You might wish to unbind from one userID and bind with another one without shutting down the connection to the server. The new bind effectively unbinds from the old userID and releases all user-related data before binding with the new userID. You might wonder why this would be useful. Exhibit 18 shows an entry for a person with a computer-calculated userID. We wish to let the user log on using his name, surname, and password, thus shielding the user from the complex details of the transaction. Your application would first allow an anonymous connection to get the userID, construct the distinguished name, and then bind with the DN and the password. Exhibit 19 shows the code fragment that accomplishes this task.

 DN: uid=uv467_rz28, ou=Marketing, o=abc_ldap.de objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson cn: Tim Parker givenName: Tim sn: Parker uid=uv467_rz28 mail: Tim.Parker@abc_ldap.de userPassword: 4d2tUdzXVlVNz

Exhibit 18: Entry for a Person

 $Name      = $HTTP_POST_VARS['Name']; $SurName   = $HTTP_POST_VARS['SurName'] ; $Password  = $HTTP_POST_VARS['Password'] ; $Filter    = sprintf(" (& (sn=%s) (givenName=%s))" , $Name,                $SurName) ; $Filter    = " (& (sn = $Name) (givenName = $SurName)) " ; $ConnectionID = ldap_connect($LDAP_Server) ; $BindRes      = @ldap_bind($ConnectionID) ; $WantedAttributes  = array("uid"); $ ConnectionID     = @ldap_search($ConnectionID, $BaseDN, $Filter,                          $WantedAttributes); $entries           = ldap_get_entries($ConnectionID, $ConnectionID); $DistinctName  = sprintf("uid=%s, ou=Marketing, o=abc_ldap.de",                     $entries[0]["uid"][0]); $BindRes       = @ldap_bind($ConnectionID, $DistinctName, $Password) ;

Exhibit 19: Code Example for Two Binds

Search and Associated Commands

ldap_search

We saw a few examples of the search operation earlier in this chapter, and we used a few parameters to return only certain attributes. Now we will take a closer look at the parameters for the ldap_search function.

 resource ldap_search (resource link_identifier, string base_dn, string filter [, array attributes [, int attrsonly [, int sizelimit [, int timelimit [, int deref]]]]])

The ldap_search command has three required parameters and five optional parameters. The three required parameters are:

resource link_identifier: Identifier of the LDAP connection
string base_dn: Base DN where the query should start
string filter: Query filter

The five optional parameters are:

array attributes: An array of attribute names you wish the query to return. The array limits the results set of the query, thus keeping the network traffic low.
attrsonly: If the switch "attrsonly" is set to "1," only the attribute names are reported, not the values. The default is "0," which returns attribute names and values.
sizelimit: Specifies the number of entries returned by the query. If set to "0" (default), there is no limit. Note, however, that the LDAP administrator can impose a value in the server configuration that limits the number of entries returned. This value cannot be overwritten.
timelimit: Specifies the number of seconds the search is allowed to run. Once this time limit is reached, the query stops. Again, this value cannot exceed a serverwide setting configured by the administrator.
deref: Specifies how aliases should be handled during the search. The following four values are possible:
- LDAP_DEREF_NEVER (default): Aliases are never dereferenced.
- LDAP_DEREF_SEARCHING: Aliases should be dereferenced during the search but not when locating the base object of the search.
- LDAP_DEREF_FINDING: Aliases should be dereferenced when locating the base object but not during the search.
- LDAP_DEREF_ALWAYS: Aliases should be dereferenced always.

If you have read about the functional model in Chapter 3, you might wonder why the parameter indicating the scope of the search is missing. Actually, it is not missing. Note that ldap_search executes a search with the scope set to LDAP_SCOPE_SUBTREE, which means that it searches the entire subtree specified by the base DN. To limit the search further, you have to use the ldap_read function or the ldap_list function.

ldap_read

The ldap_read function takes the same parameters as the ldap_search command. It works much the same, except that it sets the scope to LDAP_SCOPE_BASE.

 resource ldap_read (resource link_identifier, string base_dn, string filter [, array attributes [, int attrsonly [, int sizelimit [, int timelimit [, int deref]]]]])

ldap_list

The ldap_list function takes the same parameters as the ldap_search command. It works the same with the scope set to LDAP_SCOPE_ONELEVEL.

 resource ldap_list (resource link_identifier, string base_dn, string filter [, array attributes [, int attrsonly [, int sizelimit [ , int timelimit [, int deref]]]]])

ldap_compare

The ldap_compare function queries the LDAP database to see whether an entry has a certain attribute with the desired attribute value. It turns TRUE if it does and FALSE if it does not.

 bool ldap_compare (resource link_identifier, string dn, string attribute, string value)

There are four parameters:

resource link_identifier: Identifier of the LDAP connection
string dn: Distinguished name of the entry you want to check
string attribute: Attribute in the entry that you want to check
string value: Attribute value that you want to check

Exhibit 20 shows us an object "Tim Parker" (recycled from Exhibit 18). Assume that we want to know whether the attribute "mail" for "Tim Parker" has the value <Tim.Parker@abc_ldap.de>. Exhibit 21 shows the code snippet that carries out the required action.

 DN: uid=uv467_rz28, ou=Marketing, o=abc_ldap.de objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson cn: Tim Parker givenName: Tim sn: Parker uid=uv467_rz28 mail: Tim.Parker@abc_ldap.de userPassword: 4d2tUdzXVlVNz

Exhibit 20: Entry of objectclass inetOrgPerson to be Changed

 $DN        = "uid=uv467_rz28, ou=Marketing, o=abc_ldap.de" ; $attrNam   = "mail" ; $attrVal   = "Tim.Parker@abc_ldap.de" $result = ldap_compare ($DN, $attrNam, $attrVal) ; if ($result) {   echo " In $DN the attribute $attrNam has the value: $attrVal " ; }

Exhibit 21: Little Example with ldap_compare

Working with the Result Identifiers

The search and the read functions deliver result identifiers, but we need additional data to make use of these results. What we need are the single entries and, more importantly, the single attributes with the corresponding values. There are powerful functions to accomplish these ends. PHP recognizes operators that work like iterators. In this section, we will look at operations on entries as well as operations on the single attributes.

There are two ways of working on entries and attributes. The first way is to retrieve the whole results array; the second is to treat one entry or attribute a time. The ldap_get_entries and ldap_get_attributes functions are very similar, both returning a multidimensional array of results values. Both functions return arrays. The arrays use the conventions defined in PHP, i.e., $Array["count"] is the number of entries in the array; $Array[0] is the first element; and elements in associative arrays can be identified both by their slot number and their key.

ldap_get_entries

The syntax of the ldap_get_entries function is:

 array ldap_get_entries (resource link_identifier, resource result_identifier)

The two parameters for the function are:

resource link_identifier: Identifier of the LDAP connection
resource result_identifier: Resource identifier returned by the search

The results array is as follows:

$ResArray=ldap_get_entries (resource link_identifier, resource result_identifier);
$ResArray ["count"]:	number of entries in the result
$ResArray [0]:	refers to the details of first entry
$ResArray [i]["dn"]:	DN of the ith entry in the result
$ResArray [i]["count"]:	number of attributes in ith entry
$ResArray [i][j]:	jth attribute in the ith entry in the result
$ResArray [i]["attribute"]["count"]:	number of values for attribute in ith entry
$ResArray [i]["attribute"][j]:	jth value of attribute in ith entry

ldap_count_entries

The ldap_count_entries function counts the number of entries in the results set, much the same as the "count" field in the associative array you get from the search function.

 int ldap_count_entries (resource link_identifier, resource result_identifier)

The two parameters are:

resource link_identifier: Identifier of the LDAP connection
resource result_identifier: Resource identifier returned by the search

ldap_sort

The ldap_sort function sorts the array returned by the search function. "Sortfilter" indicates the attribute used for the sort function. Internally, a "strcmp" function is used, i.e., the attribute values are sorted in alphabetically ascending order. Note, however, that it is not the LDAP server that executes the sorting. It is your application that sorts the array in memory.

 int ldap_count_entries (resource link, resource result, string sortfilter)

The three parameters are:

resource link_identifier: Identifier of the LDAP connection
resource result_identifier: Results returned by the search
string sortfilter: Attribute to be sorted; problems arise with multi-value attributes

ldap_parse_result

The ldap_parse_result function is rather like a debugging utility or, more precisely, a utility used if something goes wrong with the query. It takes the resource link identifier and the result resource and provides additional information about the results set.

 bool ldap_parse_result (resource link, resource result, int errcode, string matcheddn, string errmsg, array referrals)

The six parameters are:

resource link_identifier: Identifier of the LDAP connection
resource result_identifier: Results returned by the search
int errcode: Error code produced by the search
string matcheddn: DN closest to the requested entry, in case the requested entry does not exist; this feature is available only in LDAP (v3)
string errmsg: Additional error message returned by the server
array referrals: Array of referrals returned by the server

ldap_get_attributes

The ldap_get_attributes function has the following syntax:

 array ldap_get_attributes (resource link_identifier, resource result_entry_identifier)

The two parameters are:

resource link_identifier: Identifier of the LDAP connection
resource result_identifier: Resource identifier returned by the search

The result array is as follows:

$ResArray = ldap_get_attributes (resource link_identifier, resource result_identifier);
return value["count"]:	number of attributes in the entry
return_value[0]:	first attribute
return_value[n]:	nth attribute
return value["attribute"]["count"]:	number of values for attribute
return_value["attribute"][0]:	first value of the attribute
return_value["attribute"][i]:	(i+1)th value of the attribute

Exhibit 22 shows an example using ldap_get_entries. Another possibility would be to iterate through the single entries or attributes. We will first look at the syntaxes for the relevant functions — ldap_first_entry, ldap_next_entry, ldap_first_attribute, ldap_next_attribute, ldap_get_dn, ldap_get_values, and ldap_get_values_len — and then see an example using all of these functions.

 $ResEntries = ldap_get_entries($ConnectionID,$ResultRes);    for ($i=0 ; $i < $ResEntries["count"] ; $i++) {      printf("DN: %s\n",$ResEntries[$i]["dn"]);     for ($j=0 ; $j < $ResEntries[$i]["cn"]["count"] ; $j++) {        printf("CN: %s\n",$ResEntries[$i]["cn"][$j]);     }    } ?>

Exhibit 22: Use of Result Set After Query

ldap_first_entry

The ldap_first_entry command gets the first entry returned from a query. Remember, the query also returns a result identifier.

 resource ldap_first_entry (resource link_identifier, resource result_identifier)

The two parameters are:

resource link_identifier: Identifier of the LDAP connection
resource result identifier: Resource identifier returned by the search

ldap_next_entry

The ldap_next_entry command get the next entry identifier from the previous one.

 resource ldap_next_entry (resource link_identifier, resource result_entry_identifier)

The two parameters are:

resource link_identifier: Identifier of the LDAP connection
resource result_entry_identifier: Resource-entry identifier returned by the search, similar to "resource result_identifier" returned by the ldap_first_entry function

ldap_first_attribute

The ldap_first_attribute command gets the first attribute in a result entry.

 string ldap_first_attribute (resource link_identifier, resource result_entry_identifier, int ber_identifier)

The three parameters are:

resource link_identifier: Identifier of the LDAP connection
resource result_entry_identifier: Resource-entry identifier returned by the search
int ber_identifier: Integer variable that PHP uses internally for subsequent ldap_next_attribute calls. You need only to provide this variable. You do not have to set it, as PHP does the rest for you.

ldap_next_attribute

The ldap_next_attribute command gets the next attribute in a result entry.

 string ldap_next_attribute (resource link_identifier, resource result_entry_identifier, int ber_identifier)

The three parameters are:

resource link_identifier: Identifier of the LDAP connection
resource result_entry_identifier: Resource-entry identifier returned by the search
int ber_identifier: Integer variable that was set by PHP in the previous call (or first_attribute or next_attribute)

ldap_get_dn

The ldap_get_dn command returns the distinguished name of the entry.

 string ldap_get_dn (resource link_identifier, resource result_entry_identifier)

The two parameters are:

resource link_identifier: Identifier of the LDAP connection
resource result_entry_identifier: Resource-entry identifier returned by the search

ldap_get_values, ldap_get_values_len

These two commands get the value/values of an attribute.

 array ldap_get_values (resource link_identifier, resource result_entry_identifier, string attribute) array ldap_get_values_len (resource link_identifier, resource result_entry_identifier, string attribute)

The three parameters are:

resource link_identifier: Identifier of the LDAP connection
resource result_entry_identifier: Resource-entry identifier returned by the search
string attribute: Attribute value in the entry that you want to check

The function call returns a simple array containing the required value or values, if there are any. The difference between these two functions is that ldap_get_values returns ASCII values, and ldap_get_values_len returns binary values.

Conclusion: An Example

Exhibit 23 illustrates the use of these functions. Note that it presumes that you have already done a search and thus have a resource-result identifier called "$ResultRes." The variable $ConnectionID is the usual resource link identifier you get from the ldap_connect function.

 $Entry = ldap_first_entry($ConnectionID,$ResultRes);   printf("DN: %s\n",ldap_get_dn($ConnectionID,$Entry));   while($Entry = ldap_next_entry($ConnectionID,$Entry)) {     printf("DN: %s\n",ldap_get_dn($ConnectionID,$Entry));     $Attribute = ldap_first_attribute($ConnectionID,                     $Entry,$Ber);     printf("attribute: %s\n",$Attribute);     while ($Attribute = ldap_next_attribute($ConnectionID,          $Entry,$Ber)) {       printf("attribute: %s\n",$Attribute);       $Values = ldap_get_values($ConnectionID,                    $Entry,$Attribute);       for ($i=0 ; $i < $Values["count"] ; $i++) {         printf("\t\t%s\n",$Values[$i]);       }     }   }

Exhibit 23: Example of Iteration through the Result Set

Adding, Deleting, and Modifying Entries

You have seen how to search a directory and how to get single entries and attributes. In this section, you will learn how to update the directory. The update functions are:

Adding new entries
Deleting entries
Modifying entries

ldap_add

We will start with the add function. The syntax is as follows:

 bool ldap_add(resource link_identifier, string dn, array entry)

The three parameters are:

resource link_identifier: Identifier of the LDAP connection
string dn: Distinguished name of the entry to be added
array entry: Array containing all the entries plus their relative values. The array has the same structure as that returned by the get_entry function call.

The syntax is straightforward, as demonstrated by the example in Exhibit 24.

 $BindRes = @ldap_bind($ConnectionID,$AdminDn,$PassWord) ;   if ($BindRes) {     $data["cn"] = "Eddie Thomson" ;     $data["sn"] = "Thomson" ;     $data["givenName"] = "Eddie" ;     $data["telephoneNumber"] = "0045 78 21 384" ;     $data["employeeNumber"] = 03230 ;     $data["mail"] = "EThomson@ldap_abc.de" ;     $data["uid"] = ethomson283 ;     $data["objectclass"][0] = "top" ;     $data["objectclass"][1] = "person" ;     $data["objectclass"][2] = "organizationalPerson" ;     $data["objectclass"][3] = "inetOrgPerson" ;   $DN = "employeeNumber=03230, ou=Marketing, o=ldap_abc.de" ;     $Result = ldap_add($ConnectionID,$DN,$data);     if ($Result) {       printf("DN %s added\n",$DN);     }   } else {     printf("Couldn't bind to %s\n",$LDAP_Server);   }

Exhibit 24: Example for ldap_add Function

ldap_delete

The ldap_delete function is still easier, inasmuch as it takes only two parameters.

 bool ldap_delete (resource link_identifier, string dn)

The two parameters are:

resource link_identifier: Identifier of the LDAP connection
string dn: Distinguished name of the entry to be deleted

Exhibit 25 deletes what we created in Exhibit 24.

 $BindRes = @ldap_bind($ConnectionID,$AdminDn,$PassWord) ;   if ($BindRes) {     $DN = "employeeNumber=03230, ou=Marketing, o=ldap_abc.de" ;       $Result = ldap_delete($ConnectionID,$DN);       if ($Result) {         printf("DN %s deleted\n",$DN);       }     } else {       printf("Couldn't bind to %s\n",$LDAP_Server);     }

Exhibit 25: Example of ldap_delete Function

ldap_modify

There is more than one update function, depending on what we wish to update in the entry. We could add an attribute, delete an attribute, and replace an attribute within an entry. Consequently, PHP has three operations:

ldap_mod_add: Adds a new attribute to an entry
ldap_mod_del: Deletes an attribute from an entry
ldap_mod_replace: Replaces an attribute value

And there is still one more function, called simply "ldap_modify." Just like the other functions, ldap_modify takes an array as a parameter, replaces the old attribute values with the new values, and eventually adds new ones. The ldap_modify function does not delete attributes. Here is the syntax of the functions. Note that the parameters are the same for all four functions.

 bool ldap_mod_add(resource link_identifier, string dn, array entry) bool ldap_mod_del(resource link_identifier, string dn, array entry) bool ldap_mod_replace(resource link_identifier, string dn, array entry) bool ldap_modify(resource link_identifier, string dn, array entry)

The three parameters are:

resource link_identifier: Identifier of the LDAP connection
string dn: Distinguished name of the entry to be modified
array entry: Array containing all the entries plus their relative values. The array has the same structure as that returned by the get_entry function call.

For the sake of illustrating the update functions, let us assume we did not delete the entry for Eddie Thomson in Exhibit 25. Exhibits 26 through 28 show examples of these update operations.

After the action in Exhibit 26, the entry corresponding to Eddie Thomson now has two phone numbers. Exhibit 27 shows how to change one of them. Recall that now you have to treat the attribute as an array because it has more that one value. Look at Exhibit 28 to see how to delete the phone number again.

 if ($BindRes) {       $data["telephoneNumber"] = "0045 78 21 385" ;     $DN = "employeeNumber=03230, ou=Marketing, o=ldap_abc.de" ;       $Result = ldap_mod_add($ConnectionID,$DN,$data);       if ($Result) {          printf ("DN %s added\n",$DN);       }         ("attribute added to DN % \k", $DN);     } else {       printf("Couldn't bind to %s\n",$LDAP_Server);     } }

Exhibit 26: Example of ldap_mod_add— Add an Attribute

 if ($BindRes) {      $data["telephoneNumber"][0] = "0045 78 21 385" ;      $data["telephoneNumber"][1] = "0045 78 21 387" ;     $DN = "employeeNumber=03230, ou=Marketing, o=ldap_abc.de" ;      $Result = ldap_mod_replace($ConnectionID,$DN,$data);      if ($Result) {        printf ("DN %s added\n",$DN);      }        ("attribute modified in DN %s \k", $DN);    } else {      printf("Couldn't bind to %s\n",$LDAP_Server);    } }

Exhibit 27: Example of ldap_mod_replace— Modify an Attribute

 if ($BindRes) {      $data["telephoneNumber"] [1] = "0045 78 21 387" ;     $DN = "employeeNumber=03230, ou=Marketing, o=ldap_abc.de" ;      $Result = ldap_mod_del($ConnectionID,$DN,$data);      if ($Result) {        printf ("DN %s added\n",$DN);      }        ("attribute deleted in DN %s \k", $DN);    } else {      printf("Couldn't bind to %s\n",$LDAP_Server);    } }

Exhibit 28: Example of ldap_mod_del— Delete an Attribute

ldap_rename

The ldap_rename command changes the DN of an entry. This function works as described in the functional model in Chapter 3, i.e., the function not only permits changing the RDN, but also moving the entry inside the directory tree and specifying a new parent for the entry. You can specify whether you wish to leave the old entry or to remove it. Here is the syntax:

 bool ldap_rename (resource link_identifier, string dn, string newrdn, string newparent, bool deleteoldrdn)

The five parameters are:

resource link_identifier: Identifier of the LDAP connection
string dn: Distinguished name of the entry to be modified
string newrdn: New relative distinguished name (note that this is the RDN, not the DN)
string newparent: Eventually, the new parent entry
bool deleteoldrdn: Boolean value to indicate whether the old entry has to be deleted. Set to TRUE, it will be deleted; set to FALSE, it will be left.

What Remains?

There are still some functions that have not been covered. These are functions to work with references, such as ldap_parse_reference or ldap_first_reference, and functions that permit changing the format, such as ldap_t61_to_8859 or ldap_explode_dn. We will not review these functions here. If you want to work with LDAP and PHP, check the PHP online manual for more information about these functions.

< Day Day Up >