LDAP Searches From Darn Near Anywhere
The search continues! In Part 3 of our four-part series, we look at performing LDAP search queries from e-mail clients, Web browsers and a command-line interface.
|» Part I: LDAP Searches Provide a Gateway to Company Data|
LDAP Search From Your E-mail Client
LDAP is most frequently accessed within e-mail clients to look up addresses and other information about users. At a large online university, many faculty find it useful to locate information about students by searching the comprehensive faculty and student LDAP directory.
Qualcomm's Eudora was one of the first commercial e-mail clients to support LDAP along with other directory protocols. You will find Directory Services under the Tools menu. Three LDAP-accessible directories are built into the client (BigFoot, OpenLDAP, Whowhere) but others can be added easily. The Eudora LDAP directory client is highly configurable. It allows you to set the attributes to return (in addition to or instead of the default settings): timeout limits, number of records to return, the heading for each attribute returned, word-wise or whole query search filter, and logging operations.
The difference between word-wise or whole query search filters needs a bit more explanation. In most cases, the word-wise query is sufficient. The default word-wise query is (cn=*^0*). This will return all records containing the entered strings. For example, entering Thomas Smith will return all records where the common name contains the string Thomas and Smith, including exact matches. The wildcards in the query mean that it will return all records regardless where these strings appear in the attribute value.
Alternatively, you can also use the OR (|) LDAP search compound filter in either query. For example, (|(cn=*^0*)(sn=*^0*)). This query would search all entered strings in both common name and surname. Watch out, because this could potentially be a rather lengthy search returning many records.
The whole query search filter can be used for powerful compound searches in addition to the word-wise query. For example, if you are looking for all matches on milo gadsen, the search filter would look like the following:
Whole-query: (cn=*^0*) Word-wise query: (|(cn=*^0*)(uid=*^0*)) [Common name = milo gadsen]
AND [(Common name = milo) OR (user id = milo) OR (Common name= gadsen) OR (user id = gadsen) ]
Outlook also supports LDAP. Its address dialog box interface and configuration are similar to Eudora. In Outlook 2xxx versions, LDAP search is installed by default. Look under the Tools menu if you wish to configure an LDAP address book. For more robust LDAP query functionality, third-party utilities like Maxware, Nexor, Siemens and others are available for purchase.
LDAP directory search functions are also available out of the box for Outlook Express. Like Eudora, Bigfoot, Verisign, and WhoWhere are pre-configured. It is easy to add new LDAP directories (including Microsoft's own Active Directory product). Configuration settings include binding id/password, port number, timeout, number of records to return, and searchbase.
Unlike Eudora, there are no pre-configured search queries that you can set - just a "use simple queries" check box. It is also possible to search and view results with the Address Dialog Box. See the LDAP URL discussion for details on how to use this feature. Another useful feature is that you can change which LDAP server to access at search time.
LDAP Search from a Web browser
Most versions of Internet Explorer, Netscape, and Mozilla fully support the LDAP URL syntax. The increasingly popular Opera browser does not support the LDAP URL today, but has announced plans to incorporate the functionality at a future date. LDAP Search can be accessed easily from your Web browser by typing the desired search string in the browser's address line. For more details about the required parameters, review the previous article in this series.
Use the following basic URL format for all of your searches:
ldap or ldaps://hostname:port/searchbase?attributes_to_return?search_scope?filter.
To give you a taste of how this all works, the following string typed in the browser address line will perform an anonymous search to donttrythis.luthcomputer.com.
The search base is ou=people,dc=luthcomputer, dc=com. The scope of the search is sub (retrieves one or more values from the search base until reaching the bottom of the directory tree.) The search filter searches for all records in the uk (U.K) and us (U.S.) localities. Arguments are delimited by question marks. Note that scope has two question marks because the "attributes to return" argument is not used. On most Windows Web browsers, if you enter just ldap://donttrythis.luthcomputer.com/ or the equivalent, an address book dialog box appears. (This uses the vCard standard as defined in RFCs 2425 and 2426.) This dialog box only allows searches on last-name or e-mail address.
Once the results are displayed, you can add them to your address book or browse for further information about a person. The address book dialog shows you only the standardized vCard contact information. It will not display those attributes in your directory that are not part of the vCard standard. For secure connections, LDAP supports SSL through the ldaps command.
LDAP search supports extensions such as binding to a particular id rather than just using an anonymous search. For example, ldap:///??base??bindname=cn=Admin is a fictional extension that allows you to bind with the Admin account.
For additional proprietary and public LDAP URL extensions supporting other types of connection schemes, consult your LDAP directory manual. RFC 2255 has one example of what an extension MIGHT look like, but alas there is no guarantee that it will be supported in your LDAP directory. Moreover, no canonical catalog of URL extensions exists in RFC 2255 or any other LDAP documentation.