LDAP Searches From Darn Near Anywhere
Part I: LDAP Searches Provide a Gateway to Company Data
LDAP Search From Your E-mail Client
LDAP is most frequently accessed within e-mail clients to look up addresses and other information about users. At a large online university, many faculty find it useful to locate information about students by searching the comprehensive faculty and student LDAP directory.
Qualcomm's Eudora was one of the first commercial e-mail clients to support LDAP along with other directory protocols. You will find Directory Services under the Tools menu. Three LDAP-accessible directories are built into the client (BigFoot, OpenLDAP, WhoWhere), but others can be added easily. The Eudora LDAP directory client is highly configurable. It allows you to set the attributes to return (in addition to or instead of the defaults), timeout limits, the number of records to return, the heading for each returned attribute, a word-wise or whole-query search filter, and logging options.
The difference between word-wise and whole-query search filters needs a bit more explanation. In most cases, the word-wise query is sufficient. The default word-wise query is (cn=*^0*). This will return all records containing the entered strings. For example, entering Thomas Smith will return all records where the common name contains both the string Thomas and the string Smith, including exact matches. The wildcards in the query mean that records are returned regardless of where these strings appear in the attribute value.
Alternatively, you can also use the OR (|) LDAP compound search filter in either query type. For example, (|(cn=*^0*)(sn=*^0*)) would search for all entered strings in both the common name and the surname. Watch out: this could be a rather lengthy search that returns many records.
The whole query search filter can be used for powerful compound searches in addition to the word-wise query. For example, if you are looking for all matches on milo gadsen, the search filter would look like the following:
Whole query: (cn=*^0*)
Word-wise query: (|(cn=*^0*)(uid=*^0*))

[Common name = milo gadsen] AND [(Common name = milo) OR (user id = milo) OR (Common name = gadsen) OR (user id = gadsen)]
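As an added example (not code from the article or from Eudora), here is how the ^0 substitution described above can be implemented, with the typed text escaped per RFC 4515 so that characters such as * and ) are matched literally rather than treated as filter syntax. How per-word copies are joined (AND for the default template, OR for the compound one) is taken from the two expansions shown above and is an assumption about the client.

```python
"""Filter templates with the ^0 placeholder, as in the Eudora modes described
above (added example, not code from the article or from Eudora). Typed text is
escaped per RFC 4515 before substitution, which the article does not mention;
how the client joins per-word copies is taken from the article's two examples
(AND for the default template, OR for the compound one), not from Eudora.
"""

# Characters that carry meaning inside an LDAP filter value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(text: str) -> str:
    """Escape user-typed text so it matches literally instead of as syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def expand(template: str, text: str) -> str:
    """Replace every ^0 in the template with the escaped text."""
    return template.replace("^0", escape_filter_value(text))


def whole_query(template: str, text: str) -> str:
    """Whole-query mode: the entire typed string is substituted once."""
    return expand(template, text.strip())


def word_wise(template: str, text: str, op: str = "&") -> str:
    """Word-wise mode: one copy of the template per typed word, joined by op
    ('&' = every word must match, '|' = any word may match)."""
    words = text.split()
    if not words:
        raise ValueError("nothing to search for")
    if len(words) == 1:
        return expand(template, words[0])
    return "(" + op + "".join(expand(template, w) for w in words) + ")"


def combined(whole_tpl: str, word_tpl: str, text: str) -> str:
    """The article's compound search: whole-query AND word-wise (OR-joined)."""
    return "(&" + whole_query(whole_tpl, text) + word_wise(word_tpl, text, "|") + ")"


if __name__ == "__main__":
    print(word_wise("(cn=*^0*)", "Thomas Smith"))
    print(combined("(cn=*^0*)", "(|(cn=*^0*)(uid=*^0*))", "milo gadsen"))
    # Typed text that looks like filter syntax is neutralised, not executed:
    print(expand("(cn=*^0*)", "*)(uid=*"))
```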
Outlook also supports LDAP. Its address dialog box interface and configuration are similar to Eudora's. In Outlook 2xxx versions, LDAP search is installed by default. Look under the Tools menu if you wish to configure an LDAP address book. For more robust LDAP query functionality, third-party utilities from Maxware, Nexor, Siemens and others are available for purchase.
LDAP directory search functions are also available out of the box in Outlook Express. As in Eudora, Bigfoot, Verisign, and WhoWhere are pre-configured. It is easy to add new LDAP directories (including Microsoft's own Active Directory product). Configuration settings include bind id/password, port number, timeout, number of records to return, and search base.
Unlike Eudora, it offers no configurable search queries, just a "use simple queries" check box. It is also possible to search and view results with the Address Dialog Box. See the LDAP URL discussion for details on how to use this feature. Another useful feature is that you can change which LDAP server to access at search time.
LDAP Search From a Web Browser
Most versions of Internet Explorer, Netscape, and Mozilla fully support the LDAP URL syntax. The increasingly popular Opera browser does not support the LDAP URL today, but has announced plans to incorporate the functionality at a future date. LDAP Search can be accessed easily from your Web browser by typing the desired search string in the browser's address line. For more details about the required parameters, review the previous article in this series.
Use the following basic URL format for all of your searches:
ldap://hostname:port/searchbase?attributes_to_return?search_scope?filter
(or ldaps:// in place of ldap://)
To give you a taste of how this all works, a URL in this form typed into the browser address line performs an anonymous search against donttrythis.luthcomputer.com.
The search base is ou=people,dc=luthcomputer,dc=com. The scope of the search is sub (it searches from the search base all the way down to the bottom of the directory tree). The search filter matches all records in the uk (U.K.) and us (U.S.) localities. Arguments are delimited by question marks. Note that the scope is preceded by two question marks because the "attributes to return" argument is left empty. On most Windows Web browsers, if you enter just ldap://donttrythis.luthcomputer.com/ or the equivalent, an address book dialog box appears. (This uses the vCard standard as defined in RFCs 2425 and 2426.) This dialog box only allows searches on last name or e-mail address.
Once the results are displayed, you can add them to your address book or browse for further information about a person. The address book dialog shows only the standardized vCard contact information; it will not display attributes in your directory that are not part of the vCard standard. For secure connections, LDAP supports SSL through the ldaps:// scheme.
LDAP search supports extensions, such as binding as a particular id rather than searching anonymously. For example, ldap:///??base??bindname=cn=Admin is a fictional example of an extension that binds with the Admin account.
For additional proprietary and public LDAP URL extensions supporting other types of connection schemes, consult your LDAP directory manual. RFC 2255 has one example of what an extension MIGHT look like, but alas there is no guarantee that it will be supported by your LDAP directory. Moreover, no canonical catalog of URL extensions exists in RFC 2255 or any other LDAP documentation.
LDAP Command Line
For the hardcore types, LDAP can be accessed from the command line using a utility called ldapsearch. This handy utility is included in all Unix and Windows LDAP server packages. Part of the original University of Michigan LDAP distribution, it can connect either anonymously or with a bind id. The basic syntax follows the standard Unix flag-and-switch format:
ldapsearch flags search_filter returned_attributes
The list below covers some of the more popular flags:
-d value   Changes the debug level to the supplied value
-n         Simulates the search and tells you what would happen if it were run
-v         Runs the search in verbose mode, providing additional information
Binding/Authenticating flags (these are not needed for anonymous searches):
-D value   Distinguished name used to bind
-w value   Bind id password (this is passed in clear text, so be careful who sees it!)
-h value   Host name of the LDAP server where the search is run
-k         Uses Kerberos instead of simple authentication
-p value   LDAP TCP port; the default is 389
Search-specific switches:
-b value   Search base from which the search starts
-s value   Search scope (base, one, or sub; sub is the default)
-l value   Maximum time in seconds for the search to run
-z value   Maximum number of records to return
Output-specific switches:
-A         Returns the attribute names but not their values. Useful to determine whether an attribute exists.
-B         Shows non-ASCII characters; useful for international directory entries.
-L         Returns the output in LDIF (RFC 2849) format. Useful for exporting records to another application such as an e-mail address book or directory.
-S value   Sorts results by the attribute given as the argument, or by the records' distinguished names if no argument is given. Sorting is not done by default.
Again, to help make this less confusing, here is a sample ldapsearch command:
ldapsearch -b "o=fakename.com" -h myhost.fakename.com -p 2233 -D "cn=adminacct" -w cantdraw -s sub "(sn=luther)" cn mail
The search base is "organization equals fakename.com". The LDAP server is myhost.fakename.com. The port is 2233. The bind id is the distinguished name cn=adminacct. A distinguished name is usually a longer string; such a short one suggests that this is an admin account. The account password is cantdraw. The search scope is sub. The search filter matches entries whose surname exactly equals luther. The returned attributes are common name (cn) and mail.
A few notes to help with your mastery of the LDAP command line interface. There may be differences in command-line options across versions. Because the command strings can be complex, consider saving a working ldapsearch command as a Unix shell script or DOS batch file. The next time you need the command, you can edit or copy the existing script instead of starting from scratch. Your directory will likely have system-imposed maximum time and size limits that you cannot surpass, which prevent you from exceeding the server's capacity by mistake.
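To tie the browser URL form and the ldapsearch form together, here is an added example (not code from the article) that parses an LDAP URL of the format given earlier and emits the equivalent ldapsearch argument list using the -h, -p, -b, -s and -D flags described above. The sample URL is constructed; its (|(l=uk)(l=us)) filter is an assumption standing in for the "uk and us localities" search the article describes but does not print.

```python
"""LDAP URL -> ldapsearch argument list (added example, not the article's code).
Uses the URL layout the article gives (RFC 2255: ldap://host:port/base?attrs
?scope?filter?extensions) and the ldapsearch flags listed above (-h, -p, -b,
-s, -D). The sample URL is constructed; its (|(l=uk)(l=us)) filter is an
assumption for the "uk and us localities" search the article describes.
"""
import shlex
from urllib.parse import unquote, urlsplit


def parse_ldap_url(url: str) -> dict:
    """Split an LDAP URL into its fields, applying the RFC 2255 defaults."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: " + url)
    # urlsplit stops at the first '?'; the rest of the '?'-separated fields
    # all land in .query, so split them here and pad to four.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (4 - len(fields))
    attrs, scope, filt, exts = fields[:4]
    return {
        "scheme": parts.scheme,
        "host": parts.hostname or "",                  # "" = default server
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base": unquote(parts.path.lstrip("/")),       # "" = root of the tree
        "attrs": [unquote(a) for a in attrs.split(",") if a],
        "scope": scope or "base",                      # RFC 2255 default
        "filter": unquote(filt) or "(objectClass=*)",  # RFC 2255 default
        "extensions": [unquote(e) for e in exts.split(",") if e],
    }


def to_ldapsearch(u: dict) -> list:
    """Build the ldapsearch argv; the password (-w) is never placed on it."""
    if u["scheme"] == "ldaps":  # -h/-p cannot express TLS; use OpenLDAP's -H
        raise NotImplementedError("ldaps:// needs a TLS-aware ldapsearch")
    argv = ["ldapsearch"]
    if u["host"]:
        argv += ["-h", u["host"]]
    argv += ["-p", str(u["port"]), "-b", u["base"], "-s", u["scope"]]
    for ext in u["extensions"]:  # bindname=<dn> extension -> -D <dn>
        if ext.lower().startswith("bindname="):
            argv += ["-D", ext.split("=", 1)[1]]
    return argv + [u["filter"]] + u["attrs"]


if __name__ == "__main__":
    url = ("ldap://donttrythis.luthcomputer.com/ou=people,dc=luthcomputer,dc=com"
           "??sub?(|(l=uk)(l=us))")
    print(shlex.join(to_ldapsearch(parse_ldap_url(url))))
```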
The Search Continues
Now that we have covered the LDAP search syntax and its many uses in detail, you should be starting to feel comfortable with the syntax and LDAP's capability to deliver the information that you need. For the last article in the series, we will discuss doing searches using popular LDAP browsers. For now, happy searching!
http://perl-ldap.sourceforge.net/rfc.html - One location (of many) to find LDAP RFCs.
http://www.ietf.org/ids.by.wg/ldapbis - One of the IETF standard groups that are revising the LDAP v3 protocol. Also has an active mailing list you can join.
LDAP Public Directories
http://www.emailman.com/ldap/public.html - List of public directories that you can use for testing queries.
Overview/LDAP Search and Man Pages
www.hawaii.edu/brownbags/ldap/ldap2.pdf - Good presentation on LDAP and LDAP search
http://www.hawaii.edu/ldap/details.html - Good overview of LDAP URL syntax with examples
http://www.openldap.org/software/man.cgi?query=ldapsearch&apropos=0&sektion=0&manpath=UofMich+3.3&format=html - University Michigan 3.3 Distribution version
Beth Cohen is president of Luth Computer Specialists Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields including architecture, construction, engineering, software, telecommunications, and research. She is currently consulting, teaching college IT courses, and writing a book about IT for the small enterprise.
Hallett German is launching Alessea Consulting -- focusing on network identity, electronic directories/messaging consulting. He has twenty years experience in a variety of IT positions and in implementing stable infrastructures. He is the founder of the Northeast SAS Users Group and former President of the REXX Language Association. Hal is the author of three books on scripting languages. He would welcome the opportunity to solve your directory, messaging, and network identity challenges.