
LDAP Guide

Lightweight Directory Access Protocol (LDAP) is a widely supported standard for accessing directory information over the internet. The mod-ldap library provides tools for working with LDAP servers and allows simple scripts to update, search, delete and validate LDAP records.

The library is oriented around the DSML v2.0 language. DSML is a simple XML syntax for LDAP operations; it is easy to learn and is best illustrated with some examples.

The ldapBatch accessor performs operations on an LDAP server. The following examples show DSML syntax for common operations; all of them are performed using the ldapBatch accessor.

Add Example

Here is a DSML request which adds a new entry with Distinguished Name cn=Test,ou=1060Research,dc=1060,dc=org.

<ds:batchRequest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="urn:oasis:names:tc:DSML:2:0:core" processing="parallel">
  <ds:addRequest dn="cn=Test,ou=1060Research,dc=1060,dc=org">
    <ds:attr name="objectclass">
      <ds:value>top</ds:value>
    </ds:attr>
    <ds:attr name="objectclass">
      <ds:value>person</ds:value>
    </ds:attr>
    <ds:attr name="objectclass">
      <ds:value>organizationalPerson</ds:value>
    </ds:attr>
    <ds:attr name="objectclass">
      <ds:value>inetOrgPerson</ds:value>
    </ds:attr>
    <ds:attr name="cn">
      <ds:value>Test</ds:value>
    </ds:attr>
    <ds:attr name="sn">
      <ds:value>Test</ds:value>
    </ds:attr>
    <ds:attr name="givenName">
      <ds:value>Test</ds:value>
    </ds:attr>
    <ds:attr name="title">
      <ds:value>A Test Addition</ds:value>
    </ds:attr>
  </ds:addRequest>
</ds:batchRequest>

This request is made using the ldapBatch accessor and will return a DSML response document.

Search Example

Here is some DSML to perform two searches. The first looks for all entries whose surname (sn) matches either 'rod' or 'but'. The second looks for entries whose sn field matches 'Tes'.

<ds:batchRequest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="urn:oasis:names:tc:DSML:2:0:core" processing="parallel">
  <ds:searchRequest dn="dc=1060,dc=org" scope="wholeSubtree" derefAliases="neverDerefAliases" sizeLimit="1000">
    <ds:filter>
      <ds:or>
        <ds:substrings name="sn">
          <ds:any>rod</ds:any>
        </ds:substrings>
        <ds:substrings name="sn">
          <ds:any>but</ds:any>
        </ds:substrings>
      </ds:or>
    </ds:filter>
  </ds:searchRequest>
  <ds:searchRequest dn="dc=1060,dc=org" scope="wholeSubtree" derefAliases="neverDerefAliases" sizeLimit="1000">
    <ds:filter>
      <ds:substrings name="sn">
        <ds:any>Tes</ds:any>
      </ds:substrings>
    </ds:filter>
  </ds:searchRequest>
</ds:batchRequest>

The DSML response contains the matching entries for each of the searches.
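
One way to build the search request above when the surname fragments come from user input, added here as an example and not part of the NetKernel documentation or the mod-ldap library. It uses the Python standard library; build_sn_search, operations_in and the sample value are illustrative names, and handing the document to ldapBatch is left out.

```python
import xml.etree.ElementTree as ET

DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"
ET.register_namespace("ds", DSML_NS)


def q(tag):
    """Qualify a local element name with the DSML v2 namespace."""
    return "{%s}%s" % (DSML_NS, tag)


def build_sn_search(base_dn, fragments, size_limit=1000):
    """Return a DSML batchRequest that substring-matches sn on each fragment.

    Fragments are untrusted text: they are only ever assigned to element
    text, so the serializer escapes any markup characters they contain.
    """
    if not fragments or any(not f for f in fragments):
        raise ValueError("each search fragment must be a non-empty string")
    batch = ET.Element(q("batchRequest"), {"processing": "sequential"})
    search = ET.SubElement(batch, q("searchRequest"), {
        "dn": base_dn,
        "scope": "wholeSubtree",
        "derefAliases": "neverDerefAliases",
        "sizeLimit": str(int(size_limit)),
    })
    flt = ET.SubElement(search, q("filter"))
    # A single term sits directly under <filter>; several are wrapped in <or>.
    parent = flt if len(fragments) == 1 else ET.SubElement(flt, q("or"))
    for fragment in fragments:
        sub = ET.SubElement(parent, q("substrings"), {"name": "sn"})
        ET.SubElement(sub, q("any")).text = fragment
    return ET.tostring(batch, encoding="unicode")


def operations_in(dsml):
    """List the local names of the operations a batchRequest would run."""
    return [child.tag.split("}", 1)[1] for child in ET.fromstring(dsml)]


# Constructed input: the second value contains DSML markup.
MARKUP_VALUE = '</ds:any><ds:delRequest dn="cn=Test,ou=1060Research,dc=1060,dc=org"/>'
REQUEST = build_sn_search("dc=1060,dc=org", ["rod", MARKUP_VALUE])

if __name__ == "__main__":
    print(REQUEST)
    print(operations_in(REQUEST))
```

Because the value is set as element text, the batch still contains a single searchRequest and the markup arrives at the server as a literal search string.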

Complex Example

Here is a complex example. The operations, performed sequentially, are as follows:

  • Add a new entry under the 1060Research organizational unit
  • Search for sn matching 'Test'
  • Modify the entry Test - change mail, sn, etc
  • Change the distinguished name for Test to cn=John Smith,ou=1060Research,dc=1060,dc=org
  • Assert that the sn is Smith for cn=John Smith,ou=1060Research,dc=1060,dc=org
  • Delete the John Smith entry


<!-- *************** A multistage set of DSML operations on an LDAP directory *************** -->
<ds:batchRequest xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:ds="urn:oasis:names:tc:DSML:2:0:core" processing="sequential">
  <!-- *************** Add a new entry under the 1060Research organizational unit *************** -->
  <ds:addRequest dn="cn=Test,ou=1060Research,dc=1060,dc=org">
    <ds:attr name="objectclass">
      <ds:value>top</ds:value>
    </ds:attr>
    <ds:attr name="objectclass">
      <ds:value>person</ds:value>
    </ds:attr>
    <ds:attr name="objectclass">
      <ds:value>organizationalPerson</ds:value>
    </ds:attr>
    <ds:attr name="objectclass">
      <ds:value>inetOrgPerson</ds:value>
    </ds:attr>
    <ds:attr name="cn">
      <ds:value>Test</ds:value>
    </ds:attr>
    <ds:attr name="sn">
      <ds:value>Test</ds:value>
    </ds:attr>
    <ds:attr name="givenName">
      <ds:value>Test</ds:value>
    </ds:attr>
    <ds:attr name="title">
      <ds:value>A Test Addition</ds:value>
    </ds:attr>
  </ds:addRequest>
  <!-- *************** Search for sn matching 'Test' *************** -->
  <ds:searchRequest dn="dc=1060,dc=org" scope="wholeSubtree" derefAliases="neverDerefAliases" sizeLimit="1000">
    <ds:filter>
      <ds:substrings name="sn">
        <ds:any>Test</ds:any>
      </ds:substrings>
    </ds:filter>
  </ds:searchRequest>
  <!-- *************** Modify Test - change mail, sn, etc *************** -->
  <ds:modifyRequest dn="cn=Test,ou=1060Research,dc=1060,dc=org">
    <ds:modification name="mail" operation="add">
      <ds:value>test@1060.org</ds:value>
    </ds:modification>
    <ds:modification name="sn" operation="replace">
      <ds:value>Smith</ds:value>
    </ds:modification>
    <ds:modification name="mail" operation="replace">
      <ds:value>j.smith@1060.org</ds:value>
    </ds:modification>
    <ds:modification name="givenName" operation="replace">
      <ds:value>smithy</ds:value>
    </ds:modification>
  </ds:modifyRequest>
  <!-- *************** Change the distinguished name to cn=John Smith,ou=1060Research,dc=1060,dc=org *************** -->
  <ds:modDNRequest dn="cn=Test,ou=1060Research,dc=1060,dc=org" newrdn="cn=John Smith" deleteoldrdn="true" newSuperior="ou=1060research,dc=1060,dc=org" />
  <!-- *************** Search for sn matching 'Smith' *************** -->
  <ds:searchRequest dn="dc=1060,dc=org" scope="wholeSubtree" derefAliases="neverDerefAliases" sizeLimit="1000">
    <ds:filter>
      <ds:substrings name="sn">
        <ds:any>Smith</ds:any>
      </ds:substrings>
    </ds:filter>
  </ds:searchRequest>
  <!-- *************** Assert that sn is Smith for this dn *************** -->
  <ds:compareRequest dn="cn=John Smith,ou=1060Research,dc=1060,dc=org">
    <ds:assertion name="sn">
      <ds:value>Smith</ds:value>
    </ds:assertion>
  </ds:compareRequest>
  <!-- *************** Delete the John Smith entry *************** -->
  <ds:delRequest dn="cn=John Smith,ou=1060Research,dc=1060,dc=org" />
</ds:batchRequest>
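
A check a caller could run on the response to the batch above, added here as an example and not mod-ldap code. It assumes the response follows the DSML v2 batchResponse schema (one response element per request, each carrying a resultCode); check_batch and the sample response are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:DSML:2:0:core}"
SUCCESS, COMPARE_TRUE = 0, 6  # LDAP result codes


def check_batch(response_xml, expected_ops):
    """Return the problems found in a DSML batchResponse; empty means none."""
    children = list(ET.fromstring(response_xml))
    names = [c.tag.replace(NS, "") for c in children]
    problems = []
    if names != expected_ops:
        problems.append("expected %s, got %s" % (expected_ops, names))
    for name, child in zip(names, children):
        if name == "errorResponse":
            problems.append("errorResponse type=%s" % child.get("type"))
            continue
        # A searchResponse carries its result inside searchResultDone.
        done = child.find(NS + "searchResultDone")
        holder = done if name == "searchResponse" else child
        rc = holder.find(NS + "resultCode") if holder is not None else None
        if rc is None:
            problems.append("%s: no resultCode" % name)
            continue
        code = int(rc.get("code"))
        # compareFalse (5) is a normal result, so it must be checked explicitly.
        wanted = COMPARE_TRUE if name == "compareResponse" else SUCCESS
        if code != wanted:
            problems.append("%s: resultCode %d" % (name, code))
    return problems


def _op(tag, code=0):
    """Build one constructed response element carrying the given result code."""
    return '<%s><resultCode code="%d"/></%s>' % (tag, code, tag)


# Constructed response to the complex batch; the compare returned compareFalse.
EXPECTED = ["addResponse", "searchResponse", "modifyResponse", "modDNResponse",
            "searchResponse", "compareResponse", "delResponse"]
SEARCH = "<searchResponse>%s</searchResponse>" % _op("searchResultDone")
SAMPLE = ('<batchResponse xmlns="urn:oasis:names:tc:DSML:2:0:core">'
          + _op("addResponse") + SEARCH + _op("modifyResponse")
          + _op("modDNResponse") + SEARCH + _op("compareResponse", 5)
          + _op("delResponse") + "</batchResponse>")

if __name__ == "__main__":
    print(check_batch(SAMPLE, EXPECTED))
```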

License and Acknowledgements

This library uses the jldap library from OpenLDAP, contributed by Novell, which is licensed under the Open LDAP License.