LDAP
Endpoint Privilege Management for Unix and Linux LDAP support is based on the LDAP version 2 API, as defined in RFC 1823. Specific parts of the LDAP API are mapped to a series of Endpoint Privilege Management for Unix and Linux functions.
Run an LDAP search
The general process for performing an LDAP search is outlined below.
1. Use the ldap_open() function to establish an LDAP server connection.
2. Bind the LDAP server connection to the user by using the ldap_bind() function.
3. Use the ldap_search() function to search an LDAP directory.
4. Use the ldap_entry_count() function to determine the number of entries that were found by the query.
5. Loop through the entries that were found by the query by using the ldap_firstentry() and ldap_nextentry() functions.
6. Use the ldap_attributes() function to obtain a list of the attributes that are available for an entry.
7. Use the ldap_getvalues() function to retrieve the actual attribute values that are associated with an entry.
8. Process the next entry. Repeat steps 5 through 7 until all entries are processed.
9. Use the ldap_unbind() function to unbind and close the LDAP server connection.
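The following policy fragment walks through the nine steps above with the result of every call checked before the next step runs. It is an added example written for this page, not code from the product documentation. The host name, port and base DN are placeholders; the submitting user's name is taken from the policy language's built-in user variable, and printf(), sprintf(), length(), reject and the C-style for/while loops are assumed to be the policy language's own constructs rather than LDAP functions documented here.

```pblang
# Added example (not from the documentation): look up the submitting user's
# LDAP entry and print every attribute and value it carries.
# ldapHost, ldapPort and baseDN are placeholders; replace them for your site.
ldapHost = "ldap.example.com";
ldapPort = 389;
baseDN   = "dc=example,dc=com";

# Step 1: open the connection. ldap_open() returns a null string on failure.
connection = ldap_open(ldapHost, ldapPort);
if (connection == "") {
    printf("ldap_open to %s:%d failed\n", ldapHost, ldapPort);
    reject;
}

# Step 2: bind. An empty DN requests an anonymous bind; 0 means success.
if (ldap_bind(connection, "") != 0) {
    printf("ldap_bind failed\n");
    ldap_unbind(connection);
    reject;
}

# Step 3: search the whole subtree for the submitting user's entry.
# attributeFlag false asks for attribute types and values; the empty list
# asks for every attribute. 'user' is the policy language's submitting user.
filter  = sprintf("uid=%s", user);
message = ldap_search(connection, baseDN, "subtree", filter, {}, false);

# Step 4: ldap_search() returns an empty string on failure and
# ldap_entry_count() returns 0 when nothing matched.
if (message == "" || ldap_entry_count(message) == 0) {
    printf("no LDAP entry found for %s\n", user);
    ldap_unbind(connection);
    reject;
}

# Steps 5 to 8: iterate over the entries, then the attributes of each entry,
# then the values of each attribute. ldap_nextentry() takes the previous
# entry and returns an empty string when the entries are exhausted.
entry = ldap_firstentry(message);
while (entry != "") {
    printf("dn: %s\n", ldap_getdn(entry));
    attrs = ldap_attributes(entry);
    for (i = 0; i < length(attrs); i = i + 1) {
        values = ldap_getvalues(entry, attrs[i]);
        for (j = 0; j < length(values); j = j + 1) {
            printf("  %s: %s\n", attrs[i], values[j]);
        }
    }
    entry = ldap_nextentry(entry);
}

# Step 9: release the connection on every path out of the policy.
ldap_unbind(connection);
```

Each failure branch calls ldap_unbind() before leaving, so a policy that opens a connection never leaks it. The filter is built only from the submitting user's name, which the policy server supplies; any value that originates elsewhere should not be interpolated into a search filter unless the policy constrains it first.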
Note
For more information on using LDAP, refer to your LDAP documentation.
ldap_attributes
Description
The ldap_attributes() function returns a list that contains all of the attributes that are associated with the specified LDAP entry. Each element in result contains an attribute name.
Syntax
result = ldap_attributes (LDAPEntry);
Arguments
LDAPEntry | Required. A unique LDAP entry that is generated by ldap_firstentry(), ldap_nextentry(), or ldap_search(). |
Return values
A list in which each element contains an attribute name. On error, it returns an empty list.
Example
result = ldap_attributes (LDAPEntry);
In this example, result might look like the following:
{"firstname", "lastname", "department", "jobcode"}
Note
For more information, see ldap_firstentry, ldap_nextentry, and ldap_search.
ldap_bind
Description
The ldap_bind() function binds an existing LDAP server connection using the specified DN and password. If the DN is not specified, an anonymous bind is attempted.
Syntax
result = ldap_bind (ConnectionId, dn [,Password]);
Arguments
ConnectionId | Required. LDAP server connection that is generated by the ldap_open() function. |
dn | Required. User’s DN. May be an empty string. |
Password | Optional. String that contains the password for dn. |
Return values
0 | Bind operation successful. |
1 | Bind operation failed. |
Example
In this example, an anonymous bind is performed using the LDAP server connection that is specified in ldapConnection.
result = ldap_bind (ldapConnection, "");
Note
For more information, see ldap_open and ldap_unbind.
ldap_dn2ufn
Description
The ldap_dn2ufn() function converts the supplied DN into a more user-friendly form by stripping off the type names. The resulting character string is returned in result.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = ldap_dn2ufn (dn);
Arguments
dn | Required. A string that contains a DN (Distinguished Name). |
Return values
string | A character string that contains a DN name with type names removed. |
Empty string | Error. |
Example
In this example, result contains the specified DN name without type names.
result = ldap_dn2ufn (dn);
Note
For more information, see ldap_explodedn.
ldap_entry_count
Description
The ldap_entry_count() function returns the number of entries that exist in a specific LDAP message. The ldap_search() function generates LDAPEntry.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = ldap_entry_count (LDAPEntry);
Arguments
LDAPEntry | Required. LDAP message that is generated by ldap_search(). |
Return values
integer | The number of entries that are contained in the specified LDAP message. |
0 | If zero entries or on error. |
Example
In this example, result contains the number of entries in the LDAP message that is identified by LDAPEntry.
result = ldap_entry_count (LDAPEntry);
ldap_explodedn
Description
The ldap_explodedn() function splits the supplied DN into its separate subcomponents. Each subcomponent is called a relative distinguished name (RDN).
The notypes argument specifies whether the RDNs are returned with only values or both values and attributes. Setting notypes to false returns both values and attributes. Setting notypes to true returns only values.
The RDNs are returned in a list. If only values were requested, then each list element contains one value. If both values and attributes have been requested, each result list element has the format "attribute=value".
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = ldap_explodedn (dn, notypes);
Arguments
dn | Required. A string that contains a Distinguished Name (DN). |
notypes | Required. An integer that represents a true or false value. |
Return values
result is a list containing the DN subcomponents (that is, the RDNs). If only values are requested, then the list has the following format:
{"value", "value", …}
If both values and attributes are requested, then the list has the following format:
{"attribute=value", "attribute=value", …}.
Example
In this example, result is a list containing DN subcomponents. Both values and attributes are returned in this case.
result = ldap_explodedn (dn, false);
ldap_firstentry
Description
The ldap_firstentry() function returns the first entry in the specified LDAP message that is returned from ldap_search().
The first entry message is needed to retrieve successive entries from the specified LDAP message by using the ldap_nextentry() function.
The ldap_firstentry() function does not retrieve values. It returns a unique entry. The result can be used in a function such as ldap_getvalues() to actually retrieve attribute values.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = ldap_firstentry (LDAPEntry);
Arguments
LDAPEntry | Required. LDAP message. ldap_search() generates LDAP messages. |
Return values
LDAPEntry | An LDAP entry. |
Empty String | Error. |
Example
result = ldap_firstentry (LDAPEntry);
ldap_getdn
Description
The ldap_getdn() function returns the DN for the specified LDAP entry.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = ldap_getdn (LDAPEntry);
Arguments
LDAPEntry | Required. An LDAP entry. ldap_firstentry(), ldap_nextentry(), and ldap_search() generate LDAP entries. |
Return values
string | A DN. |
Empty string | Error condition. |
Example
result = ldap_getdn (LDAPEntry);
ldap_getvalues
Description
The ldap_getvalues() function returns the values that are associated with the specified attribute. The values are returned in a list where each list element represents a value.
The length() function can be used to determine the number of elements that are returned in result. If ldap_getvalues() is successful, result has the format {"value", "value", …}.
The ldap_getvalues() function is typically used after a call to ldap_search(), ldap_firstentry(), or ldap_nextentry() to retrieve attribute values for the entry that is currently being processed.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = ldap_getvalues (LDAPEntry, attributeName);
Arguments
LDAPEntry | Required. An LDAP entry that is created by ldap_firstentry(), ldap_nextentry(), or ldap_search(). |
attributeName | Required. String that identifies the attribute for which a value should be returned. |
Return values
list | If successful, then a list of character strings is returned. Each element in the list contains a value. |
empty list | Error condition, list length is set to zero. |
Example
result = ldap_getvalues (LDAPEntry, "uid");
ldap_initialize
- Version 4.0 and later: ldap_init() function deprecated.
Description
Initializes a connection to an LDAP database. This function supersedes ldap_open() and ldap_init().
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
ldap_initialize (ldap_url [, 2 | 3])
Arguments
ldap_url | Required, string. An LDAP URL pointing to the desired LDAP database. |
version | Optional, number. The LDAP protocol version, either 2 or 3. If the version is not included, then a version 2 connection is created. |
Return values
On success, an LDAP connection is returned. On failure, null is returned.
Example
connection = ldap_initialize("ldap://ldaphost");
ldap_nextentry
Description
The ldap_nextentry() function returns the next LDAP entry in the specified LDAP message.
The ldap_nextentry() function does not retrieve values. It returns a unique entry. The result can be used in a function like ldap_getvalues() to actually retrieve attribute values.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = ldap_nextentry (LDAPEntry);
Arguments
LDAPEntry | Required. An LDAP entry that is returned by the previous ldap_firstentry() or ldap_nextentry(). |
Return values
LDAP_Entry | An LDAP entry. |
empty string | Error condition. |
Example
result = ldap_nextentry (LDAPEntry);
ldap_open
Description
The ldap_open() function establishes a connection to the LDAP server that is specified in ServerName. The connection is made through the port number in port (if specified).
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = ldap_open (ServerName [,port]);
Arguments
ServerName | Required. Character string that contains the host name of an LDAP server. |
port | Optional. Integer that contains a port number. The default port number is 389. |
Return values
LDAP_Connection | If the open operation is successful, an LDAP server connection is returned in result. |
Example
In this example, if the open operation is successful, result contains an LDAP server connection ID for mycompany.ldap.server1 on port 200. If the connection is not successful, result contains a null string.
result = ldap_open ("mycompany.ldap.server1", 200);
ldap_search
Description
The ldap_search() function searches the LDAP directory below the baseDN, using the search criteria that are specified in the search filter. The scope argument defines the scope, or boundaries, of the search.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = ldap_search (ConnectionId, baseDN, scope, searchfilter, attributeList, attributeFlag);
Arguments
ConnectionId | Required. LDAP Server Connection. |
baseDN | Required. String that contains the base DN for the search. |
scope | Required. String that contains a search scope value. Valid values are subtree (search the baseDN and the entire directory below), onelevel (search the baseDN and one level below), and base (search the baseDN only). |
searchfilter | Required. String that contains search criteria. |
attributeList | Required. List that identifies the attributes that should be returned. Each list element must be an attribute name. An empty list defaults to all attributes. |
attributeFlag | Required. Integer that represents either true or false. If set to true, only attribute types are returned. If set to false, both attribute types and values are returned. |
Return values
LDAP message | The search operation was successful. |
empty string | Unsuccessful search. |
Example
In this example, the subtree below dc=beyondtrust,dc=com is searched for entries whose jobcode attribute is mgr. The empty attribute list requests all attributes, and an attributeFlag of 0 (false) returns both attribute types and values.
result = ldap_search (ConnectionId, "dc=beyondtrust,dc=com", "subtree", "jobcode=mgr", {}, 0);
ldap_unbind
Description
The ldap_unbind() function unbinds and closes an existing LDAP server connection.
Note
Not supported in Endpoint Privilege Management for Linux (EPM-L).
Syntax
result = ldap_unbind (LDAP_Connection);
Arguments
LDAP_Connection | Required. An LDAP Server Connection that was created by ldap_open(). |
Return values
0 | Unbind operation successful. |
-1 | Unbind operation failed. |
Example
In this example, an unbind and close are performed on the LDAP server connection ID specified in ldapConnection.
result = ldap_unbind (ldapConnection);