An Introduction to perl-ldap

A beginner's guide to using Net::LDAP
Modifying Entries - modify()

It would be unusual for entries in a directory to be static. Various attributes probably change over time, as users change phone numbers, addresses or even names. At the very least, you would hope your users change their passwords regularly. perl-ldap provides the modify() method to handle such changes.

The three main modification actions that can be performed upon an LDAP entry are:

  • add: add one or more attributes to an entry

  • delete: delete one or more attributes from an entry

  • replace: replace one or more attributes with different values.

Examples:

$dn = "uid=paul,ou=People,dc=leapster,dc=org";
# add a 'homePhone' attribute and a 'mail' attribute
$mesg = $ldap->modify($dn, add => { "homePhone" => "555 3030",
                                    "mail" => "paul\@mail.home"} );
# add two more values to the 'homePhone' attribute
$mesg = $ldap->modify($dn, add => { "homePhone" => ["555 3031", "555 3032"] });
# delete the mobile and pager attributes
$mesg = $ldap->modify($dn, delete => [ 'mobile', 'pager' ] );
# change the mail attribute to 'paul@domain.name'
$mesg = $ldap->modify($dn, replace => { "mail" => "paul\@domain.name" } );

If you have an attribute with multiple values and wish to delete only one of those values, you can give delete a specific attribute/value hash to delete:

$mesg = $ldap->modify($dn, delete => { 'homePhone' => "555 3031" } );

If you wish to do a number of changes at once, modify also provides the changes parameter, which takes a list of add, delete and replace operations:

# Add an employeeNumber and delete all values of the mail attribute
$mesg = $ldap->modify($dn, changes => [
                                       add => [ employeeNumber => "4321" ],
                                       delete => [ mail => [] ]
                                      ]);

As with most other perl-ldap methods, modify() returns a Net::LDAP::Message object. Therefore, you can use $mesg->code to check whether an error was returned.
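The check described above, as an added example that is not code from the original article: a helper that dies on any non-zero result code, applied to a bind followed by a modify. Net::LDAP does not raise an error on a rejected bind by default, and a failed bind leaves the session anonymous, so the helper stops the script before the modify is sent. The names checked and replace_mail and the Constructed::* stand-in packages are assumptions made so the example runs without a directory server.

```perl
use strict;
use warnings;
use Net::LDAP::Util qw(ldap_error_name);

# Return the message if its result code is 0 (success); otherwise die
# with the numeric code, its symbolic name and the server's error text.
sub checked {
    my ($mesg, $what) = @_;
    return $mesg unless $mesg->code;
    die sprintf("%s failed: %s (%d): %s\n", $what,
                ldap_error_name($mesg->code), $mesg->code, $mesg->error);
}

# Bind, then modify. A rejected bind stops here, so the modify is never
# sent on a connection the server is treating as anonymous.
sub replace_mail {
    my ($ldap, $bind_dn, $password, $dn, $mail) = @_;
    checked($ldap->bind($bind_dn, password => $password), "bind as $bind_dn");
    checked($ldap->modify($dn, replace => { mail => $mail }), "modify $dn");
    return 1;
}

# Constructed stand-ins (assumptions, not part of perl-ldap): a fake
# connection whose bind is rejected with result code 49 and which
# records every operation it was asked to send.
{
    package Constructed::Mesg;
    sub new   { my ($class, %args) = @_; return bless {%args}, $class }
    sub code  { return $_[0]{code} }
    sub error { return $_[0]{error} }

    package Constructed::LDAP;
    sub new    { return bless { sent => [] }, shift }
    sub bind   { push @{ $_[0]{sent} }, 'bind';
                 return Constructed::Mesg->new(code => 49, error => 'constructed error text') }
    sub modify { push @{ $_[0]{sent} }, 'modify';
                 return Constructed::Mesg->new(code => 0, error => '') }
}

my $ldap = Constructed::LDAP->new;
my $ok = eval {
    replace_mail($ldap, 'cn=admin,dc=leapster,dc=org', 'wrong-password',
                 'uid=paul,ou=People,dc=leapster,dc=org', 'paul@domain.name');
};
print "stopped: $@" unless $ok;
print "operations sent: @{ $ldap->{sent} }\n";
```

With a real connection, pass the Net::LDAP object in place of the stand-in. Net::LDAP->new also accepts onerror => 'die', which makes every method die on an error result without a wrapper.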

It's also possible to modify local copies of LDAP entries directly and then push the changes through to the server afterwards. Net::LDAP::Entry has a number of methods for doing this. Each method takes a list of attribute/value hashes (delete also accepts a simple list of attribute names):

  • add: adds one or more attributes to an entry.

  • delete: deletes one or more attributes from an entry.

  • replace: replaces one or more attributes in an entry.

None of these changes are propagated to the directory server until the update() method is called.

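$base = "ou=People,dc=leapster,dc=org";
# fetch the entry to work on
$mesg = $ldap->search(filter => "(uid=paul)", base => $base);
$entry = $mesg->entry(0);
# these calls change only the local copy of the entry
$entry->add(homePhone => "555 3035", pager => "555 4040");
$entry->delete("suburb");
$entry->replace(fax => "555 5050");
# send the accumulated changes to the server; update() returns a message object
$mesg = $entry->update($ldap);

Summary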

To summarise, perl-ldap is a convenient and straightforward library for accessing LDAP servers with Perl scripts. Thus it provides a simple method for a system administrator to perform maintenance on systems serving large numbers of users, in much the same manner as they have been doing on existing flat-file /etc/passwd systems. Last winter, I used perl-ldap in scripts to help transfer 1.2 million users from our old Netscape Messaging Server system to our new, custom-built QmailLDAP servers. perl-ldap continues to prove invaluable for day-to-day maintenance of the same system.

______________________

Comments

Awesome Work

Vineet Niranjan's picture

Awesome codes and illustrations.
Would have appreciated more if the Acronyms were clear.

How to add UserAccountControl

Anonymous's picture

How to add the User Account Control parameter? It is not working.

UID

Anonymous's picture

Cannot figure out what the value of UID should be. I can dump all the contents with the filter set as (objectclass=*) and get around 200 entries; but when I try to search for a particular UID, I do not get any results back. Can anyone tell me what value should be put in for UID to search? I tried with filter=>"(uid=vinda)" filter=>"(uid=vinda norman)" filter=>"(uid=norman)" but no luck.

dn: CN=vinda Norman,OU=Users,OU=SysStaff,OU=SBCS,DC=ad,DC=cs,DC=sunysb,DC=edu
objectClass: top
cn: Vinda Norman
sn: Norman
givenName: Vinda
distinguishedName: CN=Vinda Norman,OU=Users,OU=SysStaff,OU=SBCS,DC=ad,DC=cs,DC=sunysb,DC=edu
instanceType: 4
whenCreated: 20080904132500.0Z
whenChanged: 20090906023318.0Z
displayName: Vinda norman
uSNCreated: 9019
memberOf: CN=System Staff Users,CN=Users,DC=ad,DC=cs,DC=sunysb,DC=edu
uSNChanged: 778762
name: Vinda Norman
objectGUID: *nÄsM¹lN_Aö
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 128975058670944212
lastLogoff: 0
lastLogon: 128975753602883244
pwdLastSet: 128965394154875698
primaryGroupID: 513
objectSid: ªl²p!Xù{®MZ
accountExpires: 9223372036854775807
logonCount: 267
sAMAccountName: vinda
sAMAccountType: 805306368
userPrincipalName: vinda@ad.cs.sunysb.edu

What happens if bind fails

Am's picture

$mesg = $ldap->bind("cn=admin,dc=leapster,dc=org", password=>"secret");

I tried this, but even with a wrong password, this line did not give an error.

you mean it still connects

Anonymous's picture

You mean it still connects to LDAP?

This tutorial has helped me

Ldap_guy's picture

This tutorial has helped me create a whole project in one week. This was exactly what I needed! Good job

use warnings; use strict;

Anonymous's picture

use warnings;
use strict;

perl-ldap vs. PerLDAP

Anonymous's picture

Not to be confused with another project, PerLDAP, which started back when Netscape was king. I had used PerLDAP for years, before perl-ldap even existed. It's now part of the Mozilla Foundation and is available here: http://www.mozilla.org/directory/perldap.html

The one downside is that it requires the Netscape Directory SDK. But it's free and available for almost any platform.

PerLDAP came after perl-ldap

Anonymous's picture

PerLDAP was originally Net::LDAPapi by Clayton Donley. Netscape announced taking over the module and renaming it PerLDAP at the second perl conference, which was held in San Jose in August 1998.

perl-ldap (Net::LDAP) and Net::LDAPapi projects were both started in 1997 about the same time.

PerLDAP can be difficult to get working though!

Anonymous's picture

I've been trying to get Bugzilla to work with PerLDAP, and while I can successfully compile the Netscape directory code, I can't get PerLDAP itself to compile - too many misconfigurations it appears, maybe some problems with versioning b/w PerLDAP & Netscape's SDK. Anyway, I gave up, and I now use Paul's patch to Bugzilla which allows Bugzilla to work with Net::LDAP. Cheers Paul.
