An Introduction to perl-ldap

A beginner's guide to using Net::LDAP
Modifying Entries - modify()

It would be unusual for entries in a directory to be static. Various attributes probably change over time, as users change phone numbers, addresses or even names. At the very least, you would hope your users change their passwords regularly. perl-ldap provides the modify() method to handle such changes.

The three main modification actions that can be performed upon an LDAP entry are:

  • add: add one on more attributes to an entry

  • delete: delete one or more attributes from an entry

  • replace: replace one or more attributes with different values.

Examples:

$dn = "uid=paul,ou=People,dc=leapster,dc=org";
# add a 'homePhone' attribute and a 'mail' attribute
$mesg = $ldap->modify($dn, add => { "homePhone" => "555 3030",
                                    "mail" => "paul\@mail.home"} );
# add two more 'homePhone' attributes
$mesg = $ldap->modify($dn, add => { "homePhone" => ["555 3031", "555 3032"] });
# delete the mobile and pager attributes
$mesg = $ldap->modify($dn, delete => [ 'mobile', 'pager' ] );
# change the mail attribute to 'paul@domain.name'
$mesg = $ldap->modify($dn, replace => { "mail" => "paul\@domain.name" } );

If you have an attribute with multiple values and wish to delete only one of those values, you can give delete a specific attribute/value hash to delete:

$mesg = $ldap->modify($dn, delete => { 'homePhone' => "555 3031" } );

If you wish to do a number of changes at once, modify also provides the changes parameter, which takes a list of add, delete and replace operations:

# Add an employeenumber and delete 
$mesg = $ldap->modify($dn, changes => [
                                       add => [ employeeNumber => "4321" ],
                                       delete => [ mail => [] ]
                                      ]);

As with most other perl-ldap methods, modify() returns a Net::LDAP::Message object. Therefore, you can use $mesg-code to check whether an error was returned.

It's also possible to modify local copies of LDAP entries directly and then push the changes through to the server afterwards. Net::LDAP::Entry has a number of methods for doing this. Each method takes a list of attribute/value hashes (delete also accepts a simple list of attribute names):

  • add: adds one or more attributes to an entry.

  • delete: deletes one or more attributes from an entry.

  • replace: replaces one or more attributes in an entry.

None of these changes are propagated to the directory server until the update() method is called.

$base = "ou=People,dc=leapster,dc=org";
$mesg = $ldap->search(  filter=>"(uid=paul)", base=>$base);
$entry = $mesg->entry(0);
$entry->add(homePhone => "555 3035", pager => "555 4040");
$entry->delete("suburb");
$entry->replace(fax => "555 5050");
$entry->update($ldap);
Summary

To summarise, perl-ldap is a convenient and straightforward library for accessing LDAP servers with Perl scripts. Thus it provides a simple method for a system administrator to perform maintenance on systems serving large numbers of users, in much the same manner as they have been doing on existing flat-file /etc/passwd systems. Last winter, I used perl-ldap in scripts to help transfer 1.2 million users from our old Netscape Messaging Server system to our new, custom-built QmailLDAP servers. perl-ldap continues to prove invaluable for day-to-day maintenance of the same system.

______________________

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Awesome Work

Vineet Niranjan's picture

Awesome codes and illustrations.
Would have appreciated more if the Acronyms were clear.

How to add UserAccountControl

Anonymous's picture

How to add user ACcount Control Parameter ,it not working ?

UID

Anonymous's picture

Cannot figure what the value of UID should be? I can dump all the contents with filter set as (objectclass=*) and get around 200 entries ; But, when I try to search for a particular UId, I do not get any results back. can anyone tell me what value should be put in for UID to search? I tried with filter=>"(uid=vinda)" filter=>"(uid=vinda norman)" filter=>"(uid=norman)" but no luck.

dn: CN=vinda Norman,OU=Users,OU=SysStaff,OU=SBCS,DC=ad,DC=cs,DC=sunysb,DC=edu
objectClass: top
cn: Vinda Norman
sn: Norman
givenName: Vinda
distinguishedName: CN=Vinda Norman,OU=Users,OU=SysStaff,OU=SBCS,DC=ad,DC=cs,DC=sunysb,DC=edu
instanceType: 4
whenCreated: 20080904132500.0Z
whenChanged: 20090906023318.0Z
displayName: Vinda norman
uSNCreated: 9019
memberOf: CN=System Staff Users,CN=Users,DC=ad,DC=cs,DC=sunysb,DC=edu
uSNChanged: 778762
name: Vinda Norman
objectGUID: *nÄsM¹lN_Aö
userAccountControl: 512
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 128975058670944212
lastLogoff: 0
lastLogon: 128975753602883244
pwdLastSet: 128965394154875698
primaryGroupID: 513
objectSid: ªl²p!Xù{®MZ
accountExpires: 9223372036854775807
logonCount: 267
sAMAccountName: vinda
sAMAccountType: 805306368
userPrincipalName: vinda@ad.cs.sunysb.edu

What happens if bind fails

Am's picture

$mesg = $ldap->bind("cn=admin,dc=leapster,dc=org", password=>"secret");

I tried this, but even with a wrong password, this line did not give an error.

you mean it still connects

Anonymous's picture

you mean it still connects to LDAP?

This tutorial has helped me

Ldap_guy's picture

This tutorial has helped me created a whole project in one week. This was exactly what i needed! Good job

use warnings; use strict;

Anonymous's picture

use warnings;
use strict;

perl-ldap vs. PerLDAP

Anonymous's picture

Not be be confused with another project, PerLDAP, which started back when Netscape was king. I had used PerLDAP for years, before perl-ldap even existed. It's now part of the Mozilla Foundation and is available here: http://www.mozilla.org/directory/perldap.html

The one downside is that it requires the Netscape Directory SDK. But it's free and available for almost any platform.

PerLDAP came after perl-ldap

Anonymous's picture

PerLDAP was originally Net::LDAPapi by Clayton Donley. Netscape announced taking over the module and renaming it PerLDAP at the second perl conference, which was held in San Jose in August 1998.

perl-ldap (Net::LDAP) and Net::LDAPapi projects were both started in 1997 about the same time.

PerLDAP can be difficult to get working though!

Anonymous's picture

I've been trying to get Bugzilla to work with PerLDAP, and while I can successfully compile the Netscape directory code, I can't get PerLDAP itself to compile - too many miconfigurations it appears, maybe some problems with versioning b/w PerLDAP & Netscape's SDK. Anyway, I gave up, and I now use Paul's patch to bugzilla which allows bugzilla to work with Net::LDAP. Cheers Paul.

Webinar
One Click, Universal Protection: Implementing Centralized Security Policies on Linux Systems

As Linux continues to play an ever increasing role in corporate data centers and institutions, ensuring the integrity and protection of these systems must be a priority. With 60% of the world's websites and an increasing share of organization's mission-critical workloads running on Linux, failing to stop malware and other advanced threats on Linux can increasingly impact an organization's reputation and bottom line.

Learn More

Sponsored by Bit9

Webinar
Linux Backup and Recovery Webinar

Most companies incorporate backup procedures for critical data, which can be restored quickly if a loss occurs. However, fewer companies are prepared for catastrophic system failures, in which they lose all data, the entire operating system, applications, settings, patches and more, reducing their system(s) to “bare metal.” After all, before data can be restored to a system, there must be a system to restore it to.

In this one hour webinar, learn how to enhance your existing backup strategies for better disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible bare-metal recovery solution for UNIX and Linux systems.

Learn More

Sponsored by Storix