While crafting the namespace structure is critical to the directory administrator, the LDAP operations are at the heart of the client-to-server interaction. The LDAP operations are therefore what the typical user of your directory needs to know about, although good client software abstracts even this interaction from view. Users probably need only the search operation, which happens to be the most detailed operation. There are ten primary operations defined by the LDAP standard. Administrators and programmers use this full set as they manage directory information and create special business processes that interact with the directory information. This chapter describes the purpose of each of the ten operations, and along the way I discuss issues that relate to the client-server interaction.
The LDAP client is what a user sees of a directory
One of the most obvious topics involved in the client-server interaction is the LDAP client itself. The client software is the key to people finding the LDAP directory useful and easy to use. If the client software requires people to understand this book, or even a fraction of this chapter, they won't use the directory. Therefore, well-designed applications that hide LDAP from users are important. Because the search operation is the most prominent operation, it is addressed early in the chapter. You can explore how to create complex searches, how to use comparison operators, and what client options affect the search operation. By understanding how the client should work and what the common client configuration options are, you can educate users even if the client software isn't friendly.
LDAP operations, extensions, client services, and APIs are examined
After addressing the topics of immediate concern to users, I turn next to other standard operations and technical topics connected with the LDAP operations. In addition, I examine some extended operations and controls that can make an LDAP directory more valuable. The chapter ends with a look at the details of using an LDAP API. An organization that is developing a directory-enabled application or service needs to look at these details. Directory users will employ LDAP client software that was written using these underlying APIs, but typical users won't need to know about the API. For example, a programmer might design a program that automatically fills out all the paper forms needed when a new employee joins the organization. The new executive at Mycompany that was introduced in Chapter 1 would have a less painful first day with such a program in place. These standard APIs are the primary reason why LDAP is such a popular choice, because they work regardless of the client's operating system, making a multiplatform implementation possible. Appendix A summarizes the standard C version of the API, as defined in RFC 1823. In addition, this chapter takes a brief look at some of the functions in the C version of the API.
Many applications benefit from being able to interact with the directory to find information. An application or service that is capable of being an LDAP client is called directory-enabled.
Applications that can interact with a directory are called directory-enabled
Many e-mail services are directory-enabled
Among the most common directory-enabled applications are e-mail services. When an e-mail server receives an e-mail, it can query the directory to find out whether the e-mail address recipient resides at the local site and what e-mail server that person's mailbox resides on. Centralizing this information in the directory simplifies the administration of the e-mail servers by eliminating the need for a synchronized copy of this information on each e-mail server. For example, sendmail is a common UNIX mail server that can be directory-enabled (for more details, see Appendix C). Microsoft recognized the importance of directory-enabling their mail server, Microsoft Exchange 2000, and has integrated it with Active Directory (see Chapter 7).
E-mail clients can also be directory-enabled
Similarly, e-mail clients can be directory-enabled, and they provide a valuable service by looking up a destination e-mail address given a person's name. Several e-mail clients allow the user to browse a directory via an interface within the e-mail application and pick out recipients for an e-mail.
The limits of directory-enabled services haven't been reached yet
Directory-enabled services have few boundaries. For example, you could use an LDAP directory
As a certificate authority store associated with public-private certificate technology. This also allows you to provide a service to verify the validity of those certificates.
To catalog the location of HTML and other types of electronic documents. You could then query and return a list of appropriate documents, just as a library catalog would do.
Microsoft's Active Directory LDAP implementation is a good example of how a variety of directory-enabled services can be integrated. Via Microsoft's Active Directory, software can be distributed to computers, user and computer configurations can be set, printers can be advertised to clients, and so on. Clearly, there are significant benefits to centralizing information in a directory, especially information that helps manage resources.
Mycompany simply needs creativity and integrated services that take advantage of the directory to realize this potential.
An LDAP operation consists of a client request, server work, and the results
All the LDAP operations consist of the client sending the operation request along with parameters to the server. The server then performs the operation and sends a result code back to the client. The result code indicates the success or failure of the operation. When the operation is a search operation, the server sends all the entries that match the search parameters prior to sending the result code. There is no read operation, so if a directory user wants to read a specific entry, she must perform a search operation specifying the entry.
Search parameters define what entries the server returns to the client and how it finds those entries
The search operation has many parameters that modify how the server performs the operation. There are mandatory parameters that are required or the search will fail, and there are optional parameters that have default values if not set otherwise. The search parameters affect only the single search operation for which they are set. Should you want to modify all LDAP operations for a session, you must use an LDAP option, if there is an appropriate one. LDAP options are discussed a little later in this chapter. Do not confuse LDAP options with optional search parameters or the attribute options introduced in Chapter 4.
Where does the server begin looking?
The mandatory search parameters are
A base DN to begin your search—. An idea of how the directory is structured is helpful here. In other words, if you want to look up person entries, are they all in a common container? The base DN is sometimes also called the baseObject. If I didn't know where to begin, I could start at the root of the directory. In Mycompany's directory, this would be dc=mycompany,dc=com
. So at a minimum, I must know the naming contexts of the directory.
How far does the server look?
The scope of the search—. There are three options for the scope. A base
scope means to search only the single entry at the base DN. A one
scope means to search all entries at the same level in the hierarchy within the container of the base DN. A subtree
scope means to search the base DN and all entries beneath the base DN, regardless of their level in the hierarchy.
What special characteristics do the entries have?
A search filter—. Search filters are composed of an attribute type, a comparison operator, and an attribute value. These three components are surrounded by parentheses and form a search filter item. The simple syntax of the search filter item is "("attributetype operator attributevalue")"
with no spaces between any of these mandatory elements. The quotation marks enclose text that is constant in the syntax. For example, (objectclass=person)
would be a valid search filter item. One or more search filter items can be combined with filter operators to form the search filter, so the example is also a valid search filter. Filter operators are introduced shortly.
To illustrate the use of a search filter, if I wanted to find my entry as shown in Figure 3-1, I might use the following search parameters:
Base DN: |
|
Scope: |
|
Search Filter: |
|
You can use filter operators to combine filters
You can combine filter items within the search filter parameter by using filter operators. Filter operators can modify a filter item specified within the search filter parameter, and they can be used to combine multiple filters to designate intricate sets of entries.
The filter operators available are
& AND
| OR
! NOT
These operators should precede the filter they modify. This precession is very similar to how functions in the LISP language or operations in reverse polish calculators are represented. The following filters illustrate the use of the filter operators with the directory shown in Figure 3-2. All the examples provided assume a base DN at the root of the directory, along with a subtree
scope.
The filter
(|(cn=Brian Arkills)(cn=Chewbacca))
returns the entries of Chewbacca and me.
The filter
(!(|(cn=Brian Arkills)(cn= Chewbacca)))
returns all entries in the entire directory except Chewbacca or my entry, so it would return the entries of cn=Princess Leia
, cn=Han Solo
, uid=barkills
, upn=441276
, upn=239316
, as well as the ten ou
entries pictured. Containers are still entries.
The filter
(&(!(|(cn=Brian Arkills)(cn=Chewbacca)))(objectclass=inetOrgPerson))
finds all the inetOrgPerson
entries except Chewbacca's or my entry, so it would return the entries of Princess Leia and Han Solo.
Search filters are the most dynamic and interesting parameter in the LDAP search operation. For more details on search filters, see the following section, Search Filters.
Should the server return the entire entry or just some of the attributes?
The optional search parameters are
What attribute information to return—. If you don't specify what you want, all the attributes of the entries the server finds will be returned. You can list the attribute types you want in a list separated by commas. The operational attributes, which are the attributes that the directory uses for its own purposes, are never returned unless explicitly specified. You can also specify that no attributes should be returned by denoting the attribute 1.1. This designation holds significance as a special OID number that is not associated with any attribute type. See Chapter 4 for more information on both operational attributes and OID numbers.
How should the server treat alias entries?
derefAliases
—. Denotes how to deal with alias entries. An alias entry is a dummy entry that references or points to another entry. Dereferencing an alias simply instructs the server to go to the object that the alias references, and for the purposes of the search, treat the referenced object as if it were the alias object. The following options are available (for more information on alias entries, see Chapter 5):
neverDerefAliases
Don't look up any alias reference.
derefInSearching
Look up all alias references except on the baseObject.
derefFindingBaseObj
Look up alias references only on the baseObject.
derefAlways
Look up all alias references.
How many entries should the server return?
sizeLimit
—. Limits the number of entries to return on the search. The default value of 0 denotes no limit. If a search finds more entries than what is specified as the limit, only the first set number is returned. In this case, a result code of LDAP_SIZELIMIT_EXCEEDED
is returned to indicate that more results were available.
Settings in other places can modify the effects of this parameter
Many LDAP server implementations allow the directory administrator to set a mandatory upper sizeLimit
for all client operations. In this case, the client can set a limit with a lower value, but limits greater than the server limit are disregarded. Some LDAP servers have a special user that can override the size limit. Another modifier called an LDAP control can be used to tell the server to send the results back to the client in pages. For example, the directory might have a sizeLimit
of 50, and a search that yields 100 entries normally only returns the first 50. But if I ask for a page size of 50, the server would send the first 50 entries to my client, then the second 50, and I'd see all the entries. LDAP controls are modifiers that apply to a single LDAP operation. LDAP controls, including this one, are discussed later in this chapter.
How long should the server work on this request?
timeLimit
—. Limits the time in seconds allowed to complete the search. The default value of 0 denotes no limit. If a search operation takes longer to complete than the specified limit, the operation will finish at the time limit. Only the entries found in this time period are returned. In this case, a result code of LDAP_TIMELIMIT_EXCEEDED
is returned to indicate that more results were available. Some LDAP server implementations allow the directory administrator to set a mandatory upper timeLimit
for all client operations. Some LDAP servers have a special user that can override the server time limit. The client can set a limit with a lower value, but limits greater than the server limit are disregarded.
Does the client want the attribute pair or just the type?
typesOnly
—. If set to true
, the results will list only the attribute types, not the values. The default value of false
denotes that both the attribute types and values should be returned.
You use match operators to limit the attribute values specified in the search filter
In addition to the filter operators, other operators, called match operators or comparison operators, can modify the search filter. Most documentation on the subject confuses match operators with filter operators. But match operators do not operate on the entire filter expression, only on the attribute value. The match operators are usually common mathematical operators, such as equality or greater than or equal. You use match operators to help designate the entries that match the attribute value parameters desired. The operations used to match vary depending on the specific type of data stored in the attribute. Most attributes store some type of string value, in other words, text. Therefore, the most common match operators you will use are string match operators. Here are the string match operators:
= Equality—. We have already looked at a few examples together.
<= Less than or equal to—. (sn<=Arkills)
would return entries alphabetically prior to Arkills in addition to Arkills, for example sn=Adams
. Note that in combination with the not filter operator, you can create a greater-than operation that doesn't include the entry that is equal.
>= Greater than or equal to—. (sn>=Arkills)
would return entries after Arkills in addition to Arkills, for example sn=Chewbacca
. Note that in combination with the not filter operator, you can create a less than operation.
~= Approximate—. (sn~=Cat)
would return entries like sn=Scat
, sn=Cast
, sn=Hat
, and sn=Mat
. The algorithm employed for the approximate match filter varies depending on the implementation, so these examples may not work in your environment. Usually a single character wildcard is permitted in any position, but this is not standardized, and the approximate match operator isn't always implemented.
You can use a wildcard to match substring values
Finally, you use the asterisk (*) as a wildcard for zero or more characters in the values of strings. You can use the wildcard by itself to detect the presence of an attribute or in combination with other characters to find substrings. In the example directory shown in Figure 3-3, a search filter of (cn=*Skywalker)
would return the entries of both Luke and Anakin Skywalker. Both the presence and substring capabilities that the wildcard provides are very useful.
The available match operators are linked to the type of the attribute
As noted already, the list contains only the match operators for the string type. There are other match operators for other types of data. However, most of these operators work with other data types because these operators are fairly common across all the syntaxes.
New match operators can be defined with LDAP v3
LDAP v3 lets you define additional match operators and rules in the schema for specific data types. How you define these match operators for data and attribute types is covered in Chapter 4, in the section on attribute-matching rules. You can specify these extended match operators in the search filter by using an extended match filter syntax, which is slightly different from the simple search filter syntax already described. The extended syntax of the search filter is
"(" attributetype [":dn"] [":" extendedoperator] ":=" attributevalue ")"
The optional elements are in [brackets]. The extended operator is usually an OID, but a descriptive name can also be assigned in the schema and used here in the filter.
The filter (cn:1.2.3.4.987:=Brian Arkills)
would match any entry by comparing “Brian Arkills” with the values in their cn
attributes, using the matching logic defined by the matching rule denoted by OID 1.2.3.4.987. Should this OID not denote a matching rule that the directory supports (and in this case the OID is a fabrication of the author), the directory will return an error code.
The DN of entries can be searched with an extended match filter
Extended match filters also let you search the DN of an entry for value matches. This may be a bit confusing at first. An entry's DN contains all the RDNs of the object above it in the directory structure. These RDNs may or may not be attributes of the entry. So if you wanted to find all the entries with ou=People
in the DN, you would need to use an extended match filter. Now you may be thinking, “Why wouldn't you use a search with a base DN at the People
OU, and a one-level scope?” This seems to accomplish the same thing. But consider the possibility that a referral might reside in the People
OU. The more simple search would return records via this referral that technically do not have ou=People
in their DN. Also consider the possibility that there might be more than one container with an RDN of ou=People
in the directory. In this case, a single search without extended match filters would fail to capture all the entries. Multiple searches would work, but that approach might be inconvenient. Not all LDAP servers support extended match filter searching for DNs.
You must treat special characters differently when they are used in the attribute value portion of an LDAP search filter
There are several special characters that must be treated differently when used in the attribute value portion of a search filter. You must escape these characters just as you had to escape the special characters in the DN or LDAP URL format. Table 3-1 lists the special search filter characters along with the escaped character sequence.
You must use the hexadecimal value of the character, which is different from quoting the special characters in DNs.
The server does most of the work
The LDAP client-server session minimizes client processing overhead. The server is responsible for performing the operations requested and bears the processing load, while satisfying the client request. In the client-server model, the server is designed to handle large computing loads, with larger processing and memory capacity, while the client may have little to no computing power. After the server performs the requested operation, the client receives a response or error from the server. The client does little work other than sending the request and receiving the answer.