Developing LDAP-enabled Software

Software development kits (SDKs) greatly facilitate a programmer's job. They implement a protocol and allow access to it by a set of high-level functions--often called an Application Programming Interface (API). The programmer can thus concentrate on writing his application and does not need to worry about lower-layer aspects of the protocol. LDAP SDKs are available for a wide range of programming languages. The more important ones are dealt with in the following sections.


C

The ancestor of LDAP SDKs is the SDK included in the University of Michigan LDAP distribution. Its API was published in an informational RFC [27] which has been the normative reference for most SDKs--not just those for the C programming language. Since it describes how to build client applications that access an LDAPv2 service, work is underway to standardise an API for the additional elements of LDAPv3 [31]. Although this document is still in draft status, the functions described therein have been implemented by all current SDKs.

The C API closely follows the LDAP functional model. For each operation in LDAP (bind, search, compare, add, modify and delete) there exists a corresponding C function. For instance, a skeleton program to search the directory would look like this [87]:

#include <stdio.h>
#include <ldap.h>

/* Placeholders for the connection and search parameters */
#define HOSTNAME    "ldap.example.com"
#define PORT_NUMBER LDAP_PORT
#define BINDDN      "cn=reader,dc=example,dc=com"
#define PASSWORD    "secret"
#define FIND_DN     "dc=example,dc=com"
#define FILTER      "(objectClass=person)"

int main( void )
{
    LDAP *ld;
    LDAPMessage *result, *e;
    char *dn;
    char *attributes[] = { "cn", "mail", NULL };   /* NULL-terminated list */
    int rc;

    /* Initialize the connection to the LDAP server */
    ld = ldap_init( HOSTNAME, PORT_NUMBER );
    if ( ld == NULL ) { perror( "ldap_init" ); return 1; }

    /* Authenticate with a plain text password; a simple bind sends it
       in the clear unless the connection is protected by TLS */
    if ( ( rc = ldap_simple_bind_s( ld, BINDDN, PASSWORD ) ) != LDAP_SUCCESS ) {
        fprintf( stderr, "bind: %s\n", ldap_err2string( rc ) );
        ldap_unbind( ld );
        return 1;
    }

    /* Search for entries that match FILTER and retrieve the attributes
       listed in attributes[]; no timeout (NULL) and no size limit */
    rc = ldap_search_ext_s( ld, FIND_DN, LDAP_SCOPE_SUBTREE, FILTER,
                            attributes, 0, NULL, NULL, NULL,
                            LDAP_NO_LIMIT, &result );
    if ( rc != LDAP_SUCCESS ) {
        fprintf( stderr, "search: %s\n", ldap_err2string( rc ) );
        ldap_unbind( ld );
        return 1;
    }

    /* Iterate over the entries returned (ldap_next_entry takes the
       previous entry, not the whole result set) */
    for ( e = ldap_first_entry( ld, result );
          e != NULL; e = ldap_next_entry( ld, e ) ) {
        dn = ldap_get_dn( ld, e );
        printf( "dn: %s\n", dn );
        ldap_memfree( dn );
    }
    ldap_msgfree( result );
    ldap_unbind( ld );
    return 0;
}




Most of the functions exist in a synchronous and an asynchronous form. Upon calling a synchronous function, the application blocks until the result becomes available. Since this should not happen in applications that have a graphical user interface, the programmer should use the asynchronous interface in that case. A program written this way can initiate further requests while it is still waiting for incoming results. It also enables the user to abort an ongoing operation that is taking longer than intended. The asynchronous interface, however, is by its very nature more complex to program.


Perl

Two libraries are available for developing LDAP-enabled software with Perl. First there is PerLDAP, a Perl wrapper around the C SDK. Then there is Perl-LDAP, which is written purely in Perl. While both modules support the basic LDAP operations as well as LDAP over SSL and import/export of LDIF files, only Perl-LDAP offers support for LDAPv3 controls, SASL authentication and schema management. It also includes a module for writing and reading data in the Directory Service Markup Language (DSML), which is an XML dialect for representing directory information.


Java

Two SDKs are available for Java that facilitate writing LDAP-enabled programs. The first one is the Netscape Directory SDK for Java [75,101], which is modeled after the C API. It is also available in source code from the Mozilla project. Standardisation of its API is currently a task for the LDAPext working group [32].

The other way to access LDAP directory services is by means of the Java Naming and Directory Interface (JNDI) [57]. It takes a more abstract approach than the Netscape SDK. JNDI provides a unified interface which can be used to access different directory services. For each such service a separate module must exist which handles the underlying protocol (see the figure below). In JNDI 1.2 these so-called ``providers'' are available for LDAP, a CORBA naming service, NIS, DSML, DNS, native NDS and the local file system.

Figure: JNDI architecture [88]

JNDI takes the job of protocol management away from the developer. In areas where high-performance solutions are required, this additional abstraction layer might not be advisable. With the Netscape SDK the programmer can decide when new connections to the server need to be opened. It also allows for a pool of preconnected associations with the server. This can, for example, be used in Java Servlets to minimize the overhead of processing HTTP requests.
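As an added example (not taken from the thesis or from the SDK documentation), the JNDI counterpart of the C search skeleton: the LDAP provider is selected through the context factory, the search is bounded by count and time limits, and connection pooling is enabled through the Sun provider's property. Host, base DN, credentials and filter are assumed placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class JndiLdapSearch {
    /* Assumed placeholders; substitute the parameters of the directory being queried */
    static final String PROVIDER_URL = "ldaps://ldap.example.com:636";
    static final String BIND_DN      = "cn=reader,dc=example,dc=com";
    static final String BIND_PW      = "secret";   /* placeholder; read from a secret store in practice */
    static final String SEARCH_BASE  = "dc=example,dc=com";
    static final String FILTER       = "(objectClass=person)";
    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        /* The context factory selects the provider (here Sun's LDAP provider); only it and the URL change for another provider */
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        /* Simple bind; the ldaps:// URL keeps the password from crossing the wire in the clear */
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        /* Provider-specific property: reuse connections from a pool */
        env.put("com.sun.jndi.ldap.connect.pool", "true");
        DirContext ctx = new InitialDirContext(env);   /* connects and binds */
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { "cn", "mail" });
            sc.setCountLimit(100);    /* bound the result set rather than requesting no limit */
            sc.setTimeLimit(5000);    /* milliseconds; 0 would wait indefinitely */
            NamingEnumeration<SearchResult> results = ctx.search(SEARCH_BASE, FILTER, sc);
            while (results.hasMore()) {
                SearchResult entry = results.next();
                System.out.println("dn: " + entry.getNameInNamespace());
                NamingEnumeration<? extends Attribute> attrs = entry.getAttributes().getAll();
                while (attrs.hasMore()) {
                    Attribute a = attrs.next();
                    System.out.println(a.getID() + ": " + a.get());
                }
            }
        } finally {
            ctx.close();   /* returns the connection to the pool */
        }
    }
}
```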


PHP

PHP is a server-based scripting language which is mainly used for building dynamic web sites. Its LDAP module is built using a C SDK and to date only supports LDAPv2. However, this is still sufficient to create a web front-end to a white-pages service.


Python

Python is an ``interpreted, interactive, object-oriented programming language''. The ldap module for Python is a wrapper around an LDAPv2 C SDK and follows the API defined in [27]. However, return codes indicating an error are converted to a Python exception. Likewise, the native list datatype is used for arguments and return values of functions.


ADSI

ADSI is the acronym for Active Directory Service Interfaces [64] and is only available for the Windows platform. It is based on Microsoft's Component Object Model (COM) and thus can be used by any application that supports COM. Besides traditional development environments such as Visual C++ or Visual Basic this also allows macros in Microsoft Word and Excel or scripting languages like VBscript to access directory services.

Much like JNDI, ADSI offers an abstract object-oriented interface that uses providers to access various data sources. Besides the ubiquitous LDAP support, providers exist for Windows NT 4.0 domain controllers, Novell Directory Services and IIS, Microsoft's Internet Information Server.

Norbert Klasen 2001-10-22