2
'\" Copyright (c) 1998 NeoSoft, Inc.
4
'\" See the file "license.terms" for information on usage and redistribution
5
'\" of this file, and for a DISCLAIMER OF ALL WARRANTIES.
8
.TH ldap n "" Ldap "Ldap Tcl Extension"
10
'\" Note: do not modify the .SH NAME line immediately below!
12
ldap \- connect to and query an LDAP server
14
\fBldap \fBopen \fR \fIcommand\fR \fIhostlist\fR
16
\fBldap \fBinit \fR \fIcommand\fR \fIhostlist\fR ?protocol_version [2|3]?
18
\fBldap \fBexplode ?-nonames|-list?\fR \fIdn\fR
20
\fIcommand \fBsubcommand \fIoptions ...\fR
25
A new command by the name of \fIcommand\fR will be created to access
26
the LDAP database at \fIhostlist\fR. \fIhostlist\fR may contain elements
27
of the format \fBhost:port\fR if a port other than the default LDAP port
28
of 389 is required. The LDAP library will attempt to connect to each
29
host in turn until it succeeds or exhausts the list.
31
The \fBexplode\fR form provides a means (via ldap_explode(3)) to explode a DN
32
into its component parts. \fB-nonames\fR strips off the attribute names,
33
and -list returns a list suitable for \fBarray set\fR.
35
Finally, the last form, described in more detail below, refers genericly
36
to how the command created by the first two examples is used.
39
The Lightweight Directory Access Protocol provides TCP/IP access to
40
X.500 directory services and/or to a stand-alone LDAP server.
42
This code provides a Tcl interface to the
43
Lightweight Directory Access Protocol package using the Netscape
44
Software Development Kit. It can also be used with the freely
45
redistributable University of
46
Michigan (http://www.umich.edu/~rsug/ldap) version by defining the
47
UMICH_LDAP macro during compilation.
49
.SH CONNECTING TO AN LDAP SERVER
51
To create an ldap interface entity, we use the "ldap" command.
53
ldap open foo foo.bar.com
55
This opens a connection to a LDAP server on foo.bar.com, and makes
56
a new Tcl command, foo, through which we will manipulate the interface
57
and make queries to the remote LDAP server.
59
ldap init foo foo.bar.com
61
Same as above, foo is created, but for "init", opening the connection is
62
deferred until we actually try to do something.
64
The init command also allows some optional values to be set for the connection.
65
Currently, the only useful option is \fBprotocol_version\fR which take a
66
single argument to specify to use LDAP protocol 2 or 3. This may be required
67
when connecting to older LDAP server.
69
For the purposes of this example, we're going to assume that "foo" is the
70
command created by opening a connection using "ldap open".
74
After a connection is made to an LDAP server, an LDAP bind operation must
75
be performed before other operations can be attempted over the connection.
77
Both simple authentication and kerberos authentication are available.
78
LDAP version 3 supports many new "SSL"-style authentication and encryption
79
systems, which are not currently supported by the OpenLDAP v1.2 server, and
80
hence by this interface package.
82
Currently simple and kerberos-based authentication, are supported.
84
To use LDAP and still have reasonable security in a networked,
85
Internet/Intranet environment, secure shell can be used to setup
86
secure, encrypted connections between client machines and the LDAP
87
server, and between the LDAP server and any replica or slave servers
90
To perform the LDAP "bind" operation:
92
foo bind simple dn password
94
foo bind kerberos_ldap
96
foo bind kerberos_both
98
It either returns nothing (success), or a Tcl error with appropriate error
103
foo bind simple "cn=Manager,o=NeoSoft Inc,c=us" "secret"
105
If you attempt to bind with one of the kerberos authentication types
106
described above and your LDAP library was not built with KERBEROS
107
defined, you will get an unknown auth type error.
109
To unbind an LDAP connection previously bound with "bind":
113
Note that unbinding also deletes the command (\fBfoo\fR in this case).
114
Deleting the command has the same affect.
116
The ability of the library to callback to the client, enabling re-binding
117
while following referrals, is not currently supported.
121
To delete an object in the LDAP database, use
125
To rename an object to another relative distinguished name, use
127
foo rename_rdn dn rdn
129
To rename an object to another relative distinguished name, leaving
130
the old entry as some kind of attribute (FIX: not sure if this is
131
right or how it works)
133
foo modify_rdn dn rdn
136
.SH ADDING NEW OBJECTS
138
foo add dn attributePairList
140
This creates a new distinguished name and defines zero or more attributes.
142
"attributePairList" is a list of key-value pairs, the same as would
143
be returned by "array get" if an array had been set up containing the
146
foo add "cn=karl, ou=People, o=NeoSoft Inc, c=US" {cn karl ...}
148
Some directory servers and/or their client SDKs will automatically
149
add the leaf attribute value for you.
151
Here is a more precise description of how an attributePairList looks:
153
{cn {karl {Karl Lehenbauer}} telephone 713-968-5800}
155
Note here that two cn values, "karl" and "Karl Lehenbauer", are added.
156
Is it an error to write:
158
{cn {Karl Lehenbauer}}
160
Which adds two cn values, "Karl" and "Lehenbauer", when the intention
161
was to give a single cn value of "Karl Lehenbauer". In real life, one
162
finds oneself making prodigous use of the \fBlist\fR command rather than
163
typing hard-coded lists.
165
We have noticed that the Netscape server will automatically add the
166
left-most rdn portion of the DN (ie. cn=karl), whereas the University
167
of Michigan and OpenLDAP 1.2 versions do not.
169
.SH ADDING, DELETING, AND REPLACING OBJECT ATTRIBUTES
171
You can have multiple values for a given attribute in an LDAP object.
172
These are represented in search results, through the Tcl interface,
175
foo add_attributes dn attributePairList
177
This adds key-value pairs to an existing DN. If an attribute being
178
added already exists, the new value will be appended to the list.
179
If a particular value being added to an attribute already exists in
180
the object a Tcl error is raised.
182
foo replace_attributes dn attributePairList
184
This replaces the specified attributes in an existing DN, leaving
185
unnamed ones untouched. Any previous values for the supplied attributes
186
(if any) are discarded.
188
foo delete_attributes dn attributePairList
190
This deletes attributes in the list. If an attribute "foo" has the
191
value list {bar snap}, and you delete using the attributePairList "foo bar",
192
"foo" will still have "snap".
194
If you provide an empty string ("") for the value list,
195
the entire attribute will be deleted.
197
In Ldaptcl version 2.0, multiple operations may be combined into a single
198
transaction, ie. as in:
200
foo add_attributes dn attributePairList replace attributePairList \
201
delete attributePairList
205
The Tcl interface to searching takes a control array, which contains
206
a couple of mandatory key-value pairs, and can contain a number of
207
optional key-value pairs as well, for controlling the search, a
208
destination array, into which the specified attributes (or all attributes
209
of matching DNs if none are specified) and values are stored.
211
The "code" part is executed repeatedly, once for each DN matching the
215
foo search controlArray destArray code
217
Using data in the control array, a search is performed of the
218
LDAP server opened when foo was created. Possible elements
219
of the control array are enumerated blow.
221
controlArray(base) is the DN being searched from. (required)
223
controlArray(filter) contains the search criteria. (required)
225
controlArray(scope) must be "base", "one_level", or "subtree".
226
If not specified, scope defaults to "subtree".
228
controlArray(deref) must be "never", "search", "find", or "always"
229
If not specified, deref defaults to "never"
231
controlArray(attributes) is a list of attributes to be fetched.
232
If not specified, all attributes are fetched.
234
controlArray(timeout) a timeout value in seconds (may contain
235
fractional values -- extremely very small values are useful
236
for forcing timeout conditions to test timeouts).
239
For each matching record, destArray is populated with none,
240
some or all attribute-value pairs as determined by the request and
241
access control lists on the server.
243
Note: There are some additional parameters that can be set, such as
244
how long the synchronous version of the routines should wait before
245
timing out, the interfaces for which are not available in the current
250
foo compare dn attribute value
252
Interface to the ldap_compare_s() command.
253
Compares the value of \fIattribute\fR in the object at \fIdn\fR to the
254
\fIvalue\fR given in the command line. Returns an error if \fIdn\fR
255
does not exist. Otherwise, a
257
.SH CACHING (Note: Netscape clients do not have caching interfaces).
259
The UMich and OpenLDAP client libraries offers the client application fairly
260
fine-grained control of caching of results retrieved from searches,
261
offering significant performance improvement and reduced
264
By default, the cache is disabled.
266
To enable caching of data received from an LDAP connection,
268
foo cache enable timeout maxmem
270
...where timeout is specified in seconds, and maxmem is the
271
maximum memory to be used for caching, in bytes.
273
If maxmem is 0, the cache size is restricted only by the timeout.
277
...temporarily inhibits use of the cache (while disabled, new requests
278
are not cached and the cache is not checked when returning results).
280
Disabling the cache does not delete its contents.
284
...turns off caching and completely removes the cache from memory.
288
...deletes the entire cache contents, but does not affect
289
whether or not the cache is being used.
293
...removes from the cache all request results that make reference
296
This should be used, for example, after doing an add_attributes,
297
delete_attributes, or replace_attributes (ldap_modify(3))
298
involving the requested DN. Generally this should not be needed,
299
as the Tcl interface automatically performs this operation on
300
any dn that is modified (add,replace,delete) while caching is
305
...suppresses caching of any requests that result in an error.
307
foo cache size_errors
309
...suppresses caching of any requests that result in an error,
310
except for requests resulting in "sizelimit exceeded", which
311
are cached. This is the default.
315
...enables caching of all requests, including those that result
318
.SH IMPLEMENTATION DECISIONS
320
Because we used the new "Tcl object" C interfaces, this package only works
321
with Tcl 8.0 or above.
323
This package interfaces with the University of Michigan LDAP protocol
324
package, version 3.3, and OpenLDAP version 1.2, both of which are
325
implementations of version 2 of the LDAP protocol.
327
Although an LDAP client (or server) could be written in native Tcl 8.0,
328
as Tcl 8.0 and above can do binary I/O, and Tcl 8 and above have strings
329
that are fully eight-bit clean, for a first implementation, to minimize
330
compatibility problems, we created a C interface to the UMich LDAP library.
332
A native Tcl implementation would be cool because we could bring the receiving
333
of messages into the normal Tcl event loop and run the LDAP interface fully
336
This implementation is blocking, and blocking only. That is to say that
337
the Tcl event loop is frozen while the ldap routines are waiting on data.
339
This could be fixed either by recoding all of the I/O in the LDAP library
340
to use Tcl's I/O system instead, or by simply coding the LDAP interface in
341
native Tcl, as mentioned above.
343
Another advantage of coding in high-level Tcl, of course, is that the
344
client would immediately be cross-platform to Windows and the Mac, as
347
Binary data is not currently supported. It will probably be trivial to
348
add, we just haven't dug into it yet.
351
.SH FOR MORE INFORMATION
353
This document principally describes how to use our Tcl interface to the
356
For more information on LDAP and the University of Michigan LDAP package,
357
please visit the website mentioned above. The package includes substantial
358
documentation in the form of UNIX manual pages, a SLAPD/SLURPD guide
359
in Adobe Portable Document Format (pdf), and a number of Internet RFCs
360
related to LDAP services.
363
It was written by Karl Lehenbauer, of NeoSoft, Inc., in August and
364
September of 1997. Ldap explode, and numerous bug fixes and extensions
365
by Randy Kunkee, also of NeoSoft, Inc., in 1998-1999.
368
element, join, list, separator
370
The \fBldap init\fR syntax fails to return anything useful. Use
371
\fBldap open\fR instead.
373
\fBPackage require Ldaptcl\fR won't work unless the ldap and lber libraries
374
are also shared, and ldaptcl.so is itself created with the correct flags
375
(eg. -R for Solaris). In short there's a lot of details to make this part
376
work, but it should work out of the box for Solaris. Other systems may
377
require that LD_LIBRARY_PATH or other appropraite environment variables
378
be set at build and/or runtime.
380
An asynchronous interface should be provided with callbacks.
382
We have never tested Kerberos authentication.
384
It does not tolerate some illegal operations very well.
386
It is possible to create empty attributes, ie. attributes which are present
387
but have no value. This is done by deleting the attribute values rather
388
than, eg. "foo delete_attributes dn {telephone {}}" which would delete
389
the telephone attribute altogether. A search for presence of the attribute
390
may return an object, and yet it may have no value. This interface presents
391
such an object as not having the attribute at all (ie. you cannot tell).
392
The Netscape SDK does this for you, so this makes the behavior consistent
393
when using UMICH_LDAP.
395
\--enable-netscape configuration support has not been tested and probably