mirror of
https://git.openldap.org/openldap/openldap.git
synced 2024-12-21 03:10:25 +08:00
9189f9e1e5
Add timeout to control array. Add -lldap -llber when building shared library. Clean up pkgIndex.tcl creation and installation (should now support "package require" out of the box).
370 lines
13 KiB
Plaintext
370 lines
13 KiB
Plaintext
'\"
|
|
'\" Copyright (c) 1998 NeoSoft, Inc.
|
|
'\"
|
|
'\" See the file "license.terms" for information on usage and redistribution
|
|
'\" of this file, and for a DISCLAIMER OF ALL WARRANTIES.
|
|
'\"
|
|
.so man.macros
|
|
.TH ldap n "" Ldap "Ldap Tcl Extension"
|
|
.BS
|
|
'\" Note: do not modify the .SH NAME line immediately below!
|
|
.SH NAME
|
|
ldap \- connect to and query an LDAP server
|
|
.SH SYNOPSIS
|
|
\fBldap \fBopen \fR \fIcommand\fR \fIhostlist\fR
|
|
.br
|
|
\fBldap \fBinit \fR \fIcommand\fR \fIhostlist\fR
|
|
.br
|
|
\fBldap \fBexplode ?-nonames|-list?\fR \fIdn\fR
|
|
.br
|
|
\fIcommand \fBsubcommand \fIoptions ...\fR
|
|
.BE
|
|
|
|
.SH OVERVIEW
|
|
.PP
|
|
A new command by the name of \fIcommand\fR will be created to access
|
|
the LDAP database at \fIhostlist\fR. \fIhostlist\fR may contain elements
|
|
of the format \fBhost:port\fR if a port other than the default LDAP port
|
|
of 389 is required. The LDAP library will attempt to connect to each
|
|
host in turn until it succeeds.
|
|
.PP
|
|
The \fBexplode\fR form provides a means (via ldap_explode(3)) to explode a DN
|
|
into its component parts. \fB-nonames\fR strips off the attribute names,
|
|
and -list returns a list suitable for \fBarray set\fR.
|
|
.PP
|
|
Finally, the last form, described in more detail below, refers genericly
|
|
to how the command created by the first two examples is used.
|
|
.SH DESCRIPTION
|
|
|
|
The Lightweight Directory Access Protocol provides TCP/IP access to
|
|
X.500 directory services and/or to a stand-alone LDAP server.
|
|
|
|
This code provides a Tcl interface to the
|
|
Lightweight Directory Access Protocol package using the Netscape
|
|
Software Development Kit. It can also be used with the freely
|
|
redistributable University of
|
|
Michigan (http://www.umich.edu/~rsug/ldap) version by defining the
|
|
UMICH_LDAP macro during compilation.
|
|
|
|
.SH CONNECTING TO AN LDAP SERVER
|
|
|
|
To create an ldap interface entity, we use the "ldap" command.
|
|
|
|
ldap open foo foo.bar.com
|
|
|
|
This opens a connection to a LDAP server on foo.bar.com, and makes
|
|
a new Tcl command, foo, through which we will manipulate the interface
|
|
and make queries to the remote LDAP server.
|
|
|
|
ldap init foo foo.bar.com
|
|
|
|
Same as above, foo is created, but for "init", opening the connection is
|
|
deferred until we actually try to do something.
|
|
|
|
For the purposes of this example, we're going to assume that "foo" is the
|
|
command created by opening a connection using "ldap open".
|
|
|
|
Note: Karl is particularly dissatisfied with the syntax of this option,
|
|
so it is one of the most likely things to change in a subsequent release.
|
|
|
|
.SH BINDING
|
|
|
|
After a connection is made to an LDAP server, an LDAP bind operation must
|
|
be performed before other operations can be attempted over the connection.
|
|
|
|
Both simple authentication and kerberos authentication are available.
|
|
LDAP version 3 supports many new "SSL"-style authentication and encryption
|
|
systems, which are not currently supported by the UMich server, and hence
|
|
by this interface package.
|
|
|
|
Currently simple authentication, and kerberos-based authentication, are
|
|
supported.
|
|
|
|
To use LDAP and still have reasonable security in a networked,
|
|
Internet/Intranet environment, secure shell can be used to setup
|
|
secure, encrypted connections between client machines and the LDAP
|
|
server, and between the LDAP server and any replica or slave servers
|
|
that might be used.
|
|
|
|
To perform the LDAP "bind" operation:
|
|
|
|
foo bind simple dn password
|
|
|
|
foo bind kerberos_ldap
|
|
foo bind kerberos_dsa
|
|
foo bind kerberos_both
|
|
|
|
It either returns nothing (success), or a Tcl error with appropriate error
|
|
text.
|
|
|
|
For example,
|
|
|
|
foo bind simple "cn=Manager,o=NeoSoft Inc,c=us" "secret"
|
|
|
|
If you attempt to bind with one of the kerberos authentication types
|
|
described above and your LDAP library was not built with KERBEROS
|
|
defined, you will get an unknown auth type error.
|
|
|
|
To unbind an LDAP connection previously bound with "bind":
|
|
|
|
foo unbind
|
|
|
|
Note that unbinding also deletes the command (\fBfoo\fR in this case).
|
|
Deleting the command has the same affect.
|
|
|
|
The ability of the library to callback to the client, enabling re-binding
|
|
while following referrals, is not currently supported.
|
|
|
|
.SH DELETING OBJECTS
|
|
|
|
To delete an object in the LDAP database, use
|
|
|
|
foo delete dn
|
|
|
|
To rename an object to another relative distinguished name, use
|
|
|
|
foo rename_rdn dn rdn
|
|
|
|
To rename an object to another relative distinguished name, leaving
|
|
the old entry as some kind of attribute (FIX: not sure if this is
|
|
right or how it works)
|
|
|
|
foo modify_rdn dn rdn
|
|
|
|
|
|
.SH ADDING NEW OBJECTS
|
|
|
|
foo add dn attributePairList
|
|
|
|
This creates a new distinguished name and defines zero or more attributes.
|
|
|
|
"attributePairList" is a list of key-value pairs, the same as would
|
|
be returned by "array get" if an array had been set up containing the
|
|
key-value pairs. Note that, right now, the sort of lowest-level pair
|
|
of the DN must also appear in the attributePairList, as in:
|
|
|
|
foo add "cn=karl, ou=People, o=NeoSoft Inc, c=US" {cn karl ...}
|
|
|
|
Here is a more precise description of how an attributePairList looks:
|
|
|
|
{cn {karl {Karl Lehenbauer}} telephone 713-968-5800}
|
|
|
|
Note here that two cn values, "karl" and "Karl Lehenbauer", are added.
|
|
A command error is to write
|
|
|
|
{cn {Karl Lehenbauer}}
|
|
|
|
Which adds two cn values, "Karl" and "Lehenbauer", when the intention
|
|
was to give a single cn value of "Karl Lehenbauer". In real life, one
|
|
finds oneself making prodigous use of the \fBlist\fR command rather than
|
|
typing hard-coded lists.
|
|
|
|
We have noticed that the Netscape server will automatically add the
|
|
left-most rdn portion of the DN (ie. cn=karl), whereas the University
|
|
of Michigan version does not.
|
|
|
|
.SH ADDING, DELETING, AND REPLACING OBJECT ATTRIBUTES
|
|
|
|
You can have multiple occurrences of the same attribute in a record.
|
|
These are represented in search results, through the Tcl interface,
|
|
as a list.
|
|
|
|
foo add_attributes dn attributePairList
|
|
|
|
This adds key-value pairs to an existing DN. If an attribute being
|
|
added already exists, the new value will be appended to the list.
|
|
|
|
foo replace_attributes dn attributePairList
|
|
|
|
This replaces specified key-value pairs in an existing DN, leaving
|
|
unnamed ones untouched.
|
|
|
|
foo delete_attributes dn attributePairList
|
|
|
|
This deletes attributes in the list. If a pair is "foo {bar snap}" and
|
|
you delete "foo bar", "foo" will still have "snap".
|
|
|
|
If you provide an empty string ("") for the value part of the key-value
|
|
pair, the entire attribute will be deleted. To reiterate, if you provide
|
|
a non-empty string for the value part, only that value will be removed
|
|
from the value list.
|
|
|
|
.SH SEARCHING
|
|
|
|
The Tcl interface to searching takes a control array, which contains
|
|
a couple of mandatory key-value pairs, and can contain a number of
|
|
optional key-value pairs as well, for controlling the search, a
|
|
destination array, into which the specified attributes (or all attributes
|
|
of matching DNs if none are specified) and values are stored.
|
|
|
|
The "code" part is executed repeatedly, once for each DN matching the
|
|
search criteria.
|
|
|
|
foo search controlArray destArray code
|
|
|
|
Using data in the control array, a search is performed of the
|
|
LDAP server opened when foo was created. Possible elements
|
|
of the control array are enumerated blow.
|
|
|
|
controlArray(base) is the DN being searched from. (required)
|
|
|
|
controlArray(filter) contains the search criteria. (required)
|
|
|
|
controlArray(scope) must be "base", "one_level", or "subtree".
|
|
If not specified, scope defaults to "subtree".
|
|
|
|
controlArray(deref) must be "never", "search", "find", or "always"
|
|
If not specified, deref defaults to "never"
|
|
|
|
controlArray(attributes) is a list of attributes to be fetched.
|
|
If not specified, all attributes are fetched.
|
|
|
|
controlArray(timeout) a timeout value in seconds (may contain
|
|
fractional values -- extremely very small values are useful
|
|
for forcing timeout conditions to test timeouts).
|
|
|
|
For each matching record, destArray is populated with none,
|
|
some or all attribute-value pairs.
|
|
|
|
Note: There are some additional parameters that can be set, such as
|
|
how long the synchronous version of the routines should wait before
|
|
timing out, the interfaces for which are not available in the current
|
|
version.
|
|
|
|
.SH CACHING (Note: Netscape clients do not have caching interfaces).
|
|
|
|
The UMich LDAP library offers the client application fairly fine-
|
|
grained control of caching of results retrieved from searches,
|
|
offering significant performance improvement and reduced
|
|
network traffic.
|
|
|
|
By default, the cache is disabled.
|
|
|
|
To enable caching of data received from an LDAP connection,
|
|
|
|
foo cache enable timeout maxmem
|
|
|
|
...where timeout is specified in seconds, and maxmem is the
|
|
maximum memory to be used for caching, in bytes.
|
|
|
|
If maxmem is 0, the cache size is restricted only by the timeout.
|
|
|
|
foo cache disable
|
|
|
|
...temporarily inhibits use of the cache (while disabled, new requests
|
|
are not cached and the cache is not checked when returning results).
|
|
|
|
Disabling the cache does not delete its contents.
|
|
|
|
foo cache destroy
|
|
|
|
...turns off caching and completely removes the cache from memory.
|
|
|
|
foo cache flush
|
|
|
|
...deletes the entire cache contents, but does not affect
|
|
whether or not the cache is being used.
|
|
|
|
foo cache uncache dn
|
|
|
|
...removes from the cache all request results that make reference
|
|
to the specified DN.
|
|
|
|
This should be used, for example, after doing an add_attributes,
|
|
delete_attributes, or replace_attributes (ldap_modify(3))
|
|
involving the requested DN.
|
|
|
|
foo cache no_errors
|
|
|
|
...suppresses caching of any requests that result in an error.
|
|
|
|
foo cache size_errors
|
|
|
|
...suppresses caching of any requests that result in an error,
|
|
except for requests resulting in "sizelimit exceeded", which
|
|
are cached. This is the default.
|
|
|
|
foo cache all_errors
|
|
|
|
...enables caching of all requests, including those that result
|
|
in errors.
|
|
|
|
.SH IMPLEMENTATION DECISIONS
|
|
|
|
Because we used the new "Tcl object" C interfaces, this package only works
|
|
with Tcl 8.0 or above.
|
|
|
|
This package interfaces with the University of Michigan LDAP protocol
|
|
package, version 3.3, an implementation of version 2 of the LDAP protocol.
|
|
|
|
Although an LDAP client (or server) could be written in native Tcl 8.0,
|
|
as Tcl 8.0 and above can do binary I/O, and Tcl 8 and above have strings
|
|
that are fully eight-bit clean, for a first implementation, to minimize
|
|
compatibility problems, we created a C interface to the UMich LDAP library.
|
|
|
|
A native Tcl implementation would be cool because we could bring the receiving
|
|
of messages into the normal Tcl event loop and run the LDAP interface fully
|
|
asynchronous.
|
|
|
|
This implementation is blocking, and blocking only. That is to say that
|
|
the Tcl event loop is frozen while the ldap routines are waiting on data.
|
|
|
|
This could be fixed either by recoding all of the I/O in the LDAP library
|
|
to use Tcl's I/O system instead, or by simply coding the LDAP interface in
|
|
native Tcl, as mentioned above.
|
|
|
|
Another advantage of coding in high-level Tcl, of course, is that the
|
|
client would immediately be cross-platform to Windows and the Mac, as
|
|
well as Unix.
|
|
|
|
Binary data is not currently supported. It will probably be trivial to
|
|
add, we just haven't dug into it yet.
|
|
|
|
|
|
.SH FOR MORE INFORMATION
|
|
|
|
This document principally describes how to use our Tcl interface to the
|
|
LDAP library works.
|
|
|
|
For more information on LDAP and the University of Michigan LDAP package,
|
|
please visit the website mentioned above. The package includes substantial
|
|
documentation in the form of UNIX manual pages, a SLAPD/SLURPD guide
|
|
in Adobe Portable Document Format (pdf), and a number of Internet RFCs
|
|
related to LDAP services.
|
|
|
|
.SH AUTHORS
|
|
It was written by Karl Lehenbauer, of NeoSoft, Inc., in August and
|
|
September of 1997. Ldap explode, and numerous bug fixes by Randy
|
|
Kunkee, also of NeoSoft, Inc., in 1998.
|
|
|
|
.SH KEYWORDS
|
|
element, join, list, separator
|
|
.SH BUGS
|
|
The \fBldap init\fR syntax fails to return anything useful. Use
|
|
\fBldap open\fR instead.
|
|
|
|
\fBPackage require Ldaptcl\fR won't work unless the ldap and lber libraries
|
|
are also shared, and ldaptcl.so is itself created with the correct flags
|
|
(eg. -R for Solaris). In short there's a lot of details to make this part
|
|
work, but it should work out of the box for Solaris. Other systems may
|
|
require that LD_LIBRARY_PATH or other appropraite environment variables
|
|
be set at build and/or runtime.
|
|
|
|
An asynchronous interface should be provided with callbacks.
|
|
|
|
We have never tested Kerberos authentication.
|
|
|
|
It does not tolerate some illegal operations very well.
|
|
|
|
It is possible to create empty attributes, ie. attributes which are present
|
|
but have no value. This is done by deleting the attribute values rather
|
|
than, eg. "foo delete_attributes dn {telephone {}}" which would delete
|
|
the telephone attribute altogether. A search for presence of the attribute
|
|
may return an object, and yet it may have no value. This interface presents
|
|
such an object as not having the attribute at all (ie. you cannot tell).
|
|
The Netscape SDK does this for you, so this makes the behavior consistent
|
|
when using UMICH_LDAP.
|
|
|
|
\--enable-netscape configuration support has not been tested and probably
|
|
has bugs.
|