Chapter 12. LDAP module
Prev   Next

Chapter 12. LDAP module

Table of Contents

LDAP directories
Distinguished name
Base DN
Example entry
Example of a directory information tree
Connection without the application module
Rebinding
Cloning
Closing the connection
Manipulation
Escaping a DN
Comparing attribute values
Inserting
Modifying
Deleting
Copying
Moving
Renaming
Query
Escaping a filter
Fetching
Listing
Searching
Results
Counting
Sorting
Fetching
Entries
Retrieving the entry's DN
Reading and writing attributes
Iterating over the entry's attributes
Converting to an array

The LDAP module provides a simplified interface to perform common LDAP operations. The Lightweight Directory Access Protocol is used to access directory servers. LDAP support must be enabled in PHP in order to use the LDAP module.

LDAP directories

A directory is used to store data, organized according to classes and presented in a hierarchical tree-like structure. The most common example is a directory containing a list of people. You can however store many other things like UNIX accounts, personal data (like an address book), pictures of people, identification data and more generally anything that can be named and to whom we can attach information.

A directory's structure can be compared to a file system. A directory contains entries like a folder would contain files. Each entries contain attributes inside it, with each attribute containing one or more values. Entries at the same level of a directory generally contain similar information.

A directory could contain information about people, with one entry per person. Then for each person you would have various information, also called attributes. For example a common name, surname, phone number, email address, etc. The attributes may contain one or more values. For example each person only have one common name but may have more than one phone number.

Each entry contain an attribute named objectClass that defines what kind of object it is. The class determine the attributes available for the object. For example when objectClass = person the entry contains the required attributes objectClass, cn (common name) and sn (surname) and the optional attributes description, seeAlso, telephoneNumber and userPassword.

There is three different kinds of object classes:

  • Structural class: basic description of objects in the directory. One entry is always an instance of one structural class. For example people, group, organizational unit.

  • Auxiliary class: adds complementary information to entries. For example mailRecipient adds various attributes related to the mailbox of a person.

  • Abstract class: represents system LDAP objects like top or alias.

You can refer to the documents Schema and Schema for User Applications for more information.

Distinguished name

Each entry has an attribute that is unique among all siblings of a single parent. This unique attribute is called the Relative Distinguished Name (RDN). It means that we can uniquely identify any entry within a directory by combining the RDNs of all the entries in the path from the desired node to the root of the tree. This string created by combining RDNs to form a unique name is called the node's Distinguished Name (DN).

The DN is like the absolute path between the root of a filesystem and a file, a RDN is like a filename.

Base DN

The top level of the LDAP directory tree is the base, referred to as the base DN. A base DN usually takes this form: dc=example, dc=com. The URL is split into domain components: example.com becomes dc=example, dc=com.

Example entry

This is an example of an entry for an UNIX user. 

dn: uid=lskywalker, ou=people, dc=example, dc=com
objectclass: person
objectclass: posixAccount
givenname: Luke
sn: Skywalker
cn: Luke Skywalker
uid: lskywalker
userpassword: {crypt}b4Rda3JgvHs
uidnumber: 1234
gidnumber: 1200
telephonenumber: 5555-1234
homedirectory: /home/lskywalker
loginshell: /bin/sh

The first line is the DN, also repeated here: 

dn: uid=lskywalker, ou=people, dc=example, dc=com

The RDN for this entry is uid=lskywalker. The full DN can be translated as the user whose User IDentifiant (uid) is lskywalker and belongs to the Organizational Unit (ou) people, in the Domain Component (dc) example.com.

The objectclass attribute determines the required and optional attributes. 

objectclass: person
objectclass: posixAccount

The object class person requires the cn (common name) and sn (surname) fields values and allows optional fields like givenname or telephonenumber. The object class posixAccount requires information relative to an account, like uidnumber, guidnumber, homedirectory and more.

Example of a directory information tree

This schema represents a DIT from which we based our example entry. 

                         dc=com
                           |
                      dc=example
                      /    |    \
                     /     |     \
                    /      |      \
          ou=People  ou=Group  ou=Computers
              /      |
             /       |
            /        |
           /         |
          /          |
         /           |
        /            |
 cn=Luke Skywalker  cn=Chewbacca

Prev   Next
Sessions Home Connection without the application module