Searching Active Directory with Perl
In the first installment of this series, I introduced PHP's LDAP functionality, and demonstrated just how easy it was to create PHP scripts that talked to Microsoft's Active Directory product. In this installment, we'll take a look at another language offering great LDAP support: Perl.
In true TMTOWTDI (There's More Than One Way To Do It, the official motto of Perl) fashion, several LDAP packages exist for Perl. I've had the pleasure of experimenting with all of them, and have become particularly partial to perl-ldap. Created by Graham Barr and now a SourceForge project developed in conjunction with several contributors, perl-ldap offers a great collection of object-oriented modules for communicating with an LDAP server. Because it's written entirely in Perl, it, as well as all code written using it, runs unchanged on any platform capable of running the Perl interpreter. In the following pages, you'll learn about basic module functionality, with a special focus on its search capabilities. We'll cap off the article with a real-world example involving the use of a Perl script to create cached user contact directories based on the information stored within our directory server. You can view an example of this in action on the Fisher College of Business Web site.
Note. As was the case with the first article, although the focus of the article is on integration of Perl and Active Directory, you should be able to easily adapt these examples to almost any LDAP implementation. In fact, many of the examples will run without modification on other LDAP servers.
Prior to embarking upon an introduction of the core topics of this article, there are a few preliminary items which should be kept in mind.
I'll assume that you're at least somewhat acquainted with Perl, LDAP and their respective syntax. Furthermore, in addition to a working directory server, you'll need to ensure that you have the following items in order.
Perl
For those of you interacting with the directory server via a Unix-based platform, Perl is likely already available on your system. If it isn't, head on over to the official Perl Web site and pick up the latest release. If you're planning on communicating with Active Directory from a Windows platform, ActiveState's ActivePerl is now the recommended distribution. You can download the latest version at ActiveState's Web site.
A Perl LDAP Library
Regardless of the operating system, you'll need to ensure that LDAP functionality is available to your Perl installation. Again, although there are several LDAP interfaces for Perl, I find the perl-ldap package to be particularly appealing. You can learn more about perl-ldap here.
The Convert::ASN1 Module
perl-ldap requires this module in order to convert LDAP commands to and from the BER (Basic Encoding Rules) encoding used to transfer data between the server and the client. You can install this module using CPAN.
Firewall Adjustments
If you intend to work with a directory server residing outside of your local network, some firewall adjustments may be required. By default, LDAP connections take place over port 389; if your directory server supports secure connections (LDAPS), you'll also need to open port 636. Therefore, you'll need to adjust your firewall to allow access via at least these two ports, if not already enabled.
Note. The perl-ldap package offers Net::LDAPS should you require secure communication. See the perl-ldap Web site for more information about its requirements.
Key Net::LDAP Functions
In this section I introduce several of perl-ldap's key functions. Specifically, you'll learn how to initiate a new connection, authenticate, close an existing connection, and search the server, in that order.
Note. The perl-ldap distribution actually offers three modules, Net::LDAP, Net::LDAPS, and Net::LDAPI, used to communicate with an LDAP server via a standard, secure, and a UNIX domain socket, respectively. Save for a minor change to the new() method's input arguments for Net::LDAPI, the methods described in this section operate identically for each methodology.
new(host [, options])
The Net::LDAP module is object-oriented, meaning that a new object must be created prior to using any of the module's functionality. This module's constructor will also establish a connection to the directory server, done by passing the address of the directory server (either by hostname or IP address) to the constructor. The constructor also takes as input one or several options which serve to modify the default behavior of the connection. A few of the more commonly used options are listed here:
- port => N: Specifies the connection port on the remote server.
- timeout => N: Denotes the number of seconds that will be devoted to attempting to establish a new connection.
- debug => N: Determines the debugging level. Setting this to 1 will dump outgoing packets to STDERR, while setting it to 2 will dump incoming packets.
- version => N: You can override the default protocol version of LDAPv3 with this option.
An example follows:
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Connect to the domain controller; new() returns undef if the connection fails
my $ad = Net::LDAP->new('ldap://ad.wjgilmore.com')
    or die("Could not connect to LDAP server.");
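The following is an added example, not code from the original article, that puts the constructor options listed above together with the LDAPS note from the prerequisites: a small helper that chooses Net::LDAP or Net::LDAPS, sets the matching default port along with a timeout and protocol version, and reports why a connection failed. The host name and CA bundle path are placeholders; connect_directory is a hypothetical helper, not part of perl-ldap.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAPS;

# Open a connection over the standard (389) or secure (636) transport.
# Remaining %opt entries are passed through to new(), so a caller can
# still override port, timeout, version or debug.
sub connect_directory {
    my ($host, %opt) = @_;
    my $secure = delete $opt{secure};

    my %args = (
        timeout => 10,   # give up on the connection attempt after ten seconds
        version => 3,    # LDAPv3 is already the default; stated explicitly
        %opt,            # caller-supplied options win over the defaults above
    );

    my $ldap;
    if ($secure) {
        # Net::LDAPS accepts the same options as Net::LDAP plus TLS settings.
        # Requiring certificate verification keeps the script from talking
        # to a server that merely claims to be the domain controller.
        $ldap = Net::LDAPS->new(
            $host,
            port   => 636,
            verify => 'require',
            cafile => '/path/to/ca-bundle.pem',   # placeholder: your CA bundle
            %args,
        );
    }
    else {
        $ldap = Net::LDAP->new($host, port => 389, %args);
    }

    # new() returns undef on failure and leaves the reason in $@
    die "Could not connect to $host: $@\n" unless $ldap;
    return $ldap;
}

# Placeholder host name; replace it with your own domain controller.
my $ad = connect_directory('ad.example.com');
printf "Connected to %s using LDAP version %d\n", $ad->host, $ad->version;
$ad->unbind;

# Same helper over LDAPS, with debug => 1 dumping outgoing packets to STDERR
my $ads = connect_directory('ad.example.com', secure => 1, debug => 1);
$ads->unbind;
```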