Download the code: 27569.zip

Creating an LDAP Search Utility
Now that you know the basics of how to use the Net::LDAP modules to perform searches, let's look at a simple command-line tool—ldapsearch.pl, which Listing 3, page 4, shows—that you can use to query AD. Ldapsearch.pl is loosely based on the widely used LDAP search utility (ldapsearch) available from most commercial LDAP SDKs and LDAP directory servers (not including AD).

The basic code in ldapsearch.pl isn't much different from the code in Listing 2, with the exception of the command-line options and the code that processes them. As the code at callout D in Listing 3 shows, ldapsearch.pl has eight command-line options, seven of which are mandatory. You're already familiar with some of these options: The -b, -s, and -f options are the base DN, scope, and filter parameters, respectively, for the search, whereas the -D and -w options are the user's DN and password, respectively, for authentication. You use the -h option to specify the LDAP server's name. You use the -a option to specify the attributes you want to retrieve, as a comma-separated list. The last option, -p, is the only optional parameter; I discuss that parameter shortly. One caveat worth keeping in mind: a password passed with -w appears in the command line and is therefore visible to other users of the machine through the process list (and in shell history), so on a shared host prefer prompting for it or reading it from a protected file.

To perform the command-line processing of the options, I use Perl's Getopt::Std module, which provides basic functionality for processing single-letter options. Because most of the options are mandatory, ldapsearch.pl includes option-validation code, as the code at callout A in Listing 3 shows.

Callout B in Listing 3 highlights the code that performs the connect and bind operations. The one difference between this code and the connect and bind code in Listing 2 is the use of the port (-p) option. On the command line, you can use the -p option to specify an alternative port, such as port 3268 for the Global Catalog (GC). If you don't use the -p option, the script defaults to port 389, which is the standard LDAP port. Note that a simple bind over port 389 sends the DN and password in cleartext; when the connection leaves a trusted network segment, use LDAP over SSL instead (port 636, or 3269 for the GC) or issue a StartTLS request before binding, both of which Net::LDAP supports.

The code at callout C in Listing 3 executes the search and prints the matching entries. This code is similar to that in Listing 2, except for the use of the attrs parameter in the search method. Because I'm requiring the -a command-line option, I have to pass the attribute list to the search method. I use the split function to turn the comma-separated list into an array. As in Listing 2, check the result code of the search message before printing: AD returns at most 1000 entries for a single search by default (the MaxPageSize LDAP policy) and reports sizeLimitExceeded for larger result sets, which you must page through with the paged-results control.
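Listing 3 isn't reproduced on this page, so the following is an added reconstruction of ldapsearch.pl in the shape the text describes (my code, not the article's Listing 3). It keeps the eight options above and adds two that the article's script does not have: -Z to issue StartTLS before binding and -K to bind with Kerberos through SASL/GSSAPI (which needs Authen::SASL, the GSSAPI module and an existing ticket from kinit). The CA bundle path used to verify the server certificate is an assumption for the example.

```perl
#!/usr/bin/perl
# ldapsearch.pl (added example, not the article's Listing 3)
use strict;
use warnings;
use Getopt::Std;
use Net::LDAP;

sub usage {
    my $why = shift;
    print STDERR "$why\n" if $why;
    die "usage: $0 -h host [-p port] (-D binddn -w password | -K) [-Z]\n"
      . "          -b basedn -s base|one|sub -f filter -a attr1,attr2,...\n";
}

# Callout D: the options. -Z and -K are additions beyond the article's eight.
my %opt;
getopts('h:p:D:w:b:s:f:a:ZK', \%opt) or usage();

# Callout A: validation. Everything but -p (and the added -Z/-K) is mandatory.
for my $req (qw(h b s f a)) {
    usage("missing required option -$req") unless defined $opt{$req};
}
usage("-D and -w are required unless -K is used")
    unless $opt{K} or (defined $opt{D} and defined $opt{w});
usage("-s must be base, one or sub") unless $opt{s} =~ /^(?:base|one|sub)$/;

# Callout B: connect and bind. Port defaults to 389; use 3268 for the GC.
my $port = $opt{p} || 389;
my $ldap = Net::LDAP->new($opt{h}, port => $port, timeout => 30)
    or die "Cannot connect to $opt{h}:$port: $@\n";

if ($opt{Z}) {
    # Upgrade to TLS before any credentials cross the wire. The cafile path
    # is an assumption; point it at the bundle that contains your CA.
    my $tls = $ldap->start_tls(
        verify => 'require',
        cafile => '/etc/ssl/certs/ca-certificates.crt',
    );
    die "StartTLS failed: " . $tls->error . "\n" if $tls->code;
}

my $mesg;
if ($opt{K}) {
    # Kerberos: no password on the command line, mutual authentication.
    require Authen::SASL;
    $mesg = $ldap->bind(sasl => Authen::SASL->new(mechanism => 'GSSAPI'));
} else {
    # Simple bind: cleartext unless -Z (or LDAPS) is in use.
    $mesg = $ldap->bind($opt{D}, password => $opt{w});
}
die "Bind failed: " . $mesg->error . "\n" if $mesg->code;

# Callout C: search with the requested attributes and print the entries.
my @attrs = split /\s*,\s*/, $opt{a};
$mesg = $ldap->search(
    base   => $opt{b},
    scope  => $opt{s},
    filter => $opt{f},
    attrs  => \@attrs,
);
# Code 4 (sizeLimitExceeded) here means AD truncated the result at MaxPageSize;
# a full listing needs Net::LDAP::Control::Paged.
die "Search failed: " . $mesg->error . "\n" if $mesg->code;

foreach my $entry ($mesg->entries) {
    print "dn: ", $entry->dn, "\n";
    foreach my $attr (@attrs) {
        print "$attr: $_\n" for $entry->get_value($attr);
    }
    print "\n";
}
printf STDERR "%d entries returned\n", $mesg->count;
$ldap->unbind;
```

Run it with the same invocation the article uses for Web Figure 1, for example `perl ldapsearch.pl -h dc1 -D "cn=administrator,cn=users,dc=mycorp,dc=com" -w secret -b "cn=computers,dc=mycorp,dc=com" -s sub -f "(&(objectClass=computer)(cn=app*))" -a cn`; adding `-Z` keeps the password off the wire, and `-K` in place of `-D`/`-w` keeps it off the command line altogether.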

Web Figure 1 shows sample output from running ldapsearch.pl. The first three lines contain the invocation used to launch the script from the command line. As the invocation shows, I ran the script against host dc1 (-h option). The script performed a search against the cn=computers,dc=mycorp,dc=com container (-b option) and any subcontainers (-s option) for all computer objects that have a name that starts with app (-f option). The results from the query appear after the invocation. Because I specified to return only the cn attribute for each object (-a option), the results show the DN of the matching object and its cn attribute.

Stay Tuned for Part 2
If you need to create scripts or applications on a non-Windows platform or create cross-platform applications or scripts that use AD, you're better off using the Net::LDAP modules rather than ADSI. In Part 2, I'll show you how to go a step further and use the Net::LDAP modules to add and update information in AD.



Reader Comments

I have read through this article, Part 2, and the LDAP Controls article. I am trying to add values to the 'memberOf' attribute of a user's object using the 'modify' method but it keeps giving the error: "0000209A: SvcErr: DSID-031A0983, problem 5003 (WILL_NOT_PERFORM), data 0".

I have been able to successfully 'add' values to the 'member' attribute of a group object using the 'modify' method. I am binding to LDAP with a domain admin user account.

Andrew
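For readers who hit the same error: memberOf is a back-link attribute that the directory maintains from the member attribute of each group, so AD refuses a write to it regardless of the bind account's privileges; the writable side of the relationship is the group's member attribute, which is the operation the comment reports working. The following is an added example (my code, not the commenter's and not from the article) that adds a user to a group that way over LDAPS, treats "already a member" as success, and then reads the user's memberOf back to confirm. The host, DNs and CA bundle path are assumed.

```perl
#!/usr/bin/perl
# Added example: group membership is written through the group's member
# attribute; memberOf on the user is a read-only back-link.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_TYPE_OR_VALUE_EXISTS);

# Assumed values for illustration.
my $host   = 'ldaps://dc1.mycorp.com';
my $binddn = 'cn=administrator,cn=users,dc=mycorp,dc=com';
my $pw     = $ENV{LDAP_PW} // die "set LDAP_PW in the environment\n";
my $group  = 'cn=AppAdmins,ou=Groups,dc=mycorp,dc=com';
my $user   = 'cn=Andrew,cn=Users,dc=mycorp,dc=com';

# LDAPS with certificate verification; the cafile path is an assumption.
my $ldap = Net::LDAP->new($host,
    verify => 'require',
    cafile => '/etc/ssl/certs/ca-certificates.crt',
) or die "Cannot connect to $host: $@\n";

my $mesg = $ldap->bind($binddn, password => $pw);
die "Bind failed: " . $mesg->error . "\n" if $mesg->code;

# Add the user's DN as a value of the group's member attribute.
$mesg = $ldap->modify($group, add => { member => $user });
if ($mesg->code == LDAP_TYPE_OR_VALUE_EXISTS) {
    print "$user is already a member of $group\n";   # idempotent: not an error
} elsif ($mesg->code) {
    die "Modify of $group failed: " . $mesg->error . "\n";
} else {
    print "Added $user to $group\n";
}

# Confirm through the back-link. memberOf is readable, just not writable:
# a modify targeting it is what produces WILL_NOT_PERFORM.
$mesg = $ldap->search(
    base   => $user,
    scope  => 'base',
    filter => '(objectClass=*)',
    attrs  => ['memberOf'],
);
die "Search failed: " . $mesg->error . "\n" if $mesg->code;

my ($entry) = $mesg->entries;
my @groups = $entry ? $entry->get_value('memberOf') : ();
print "memberOf for $user:\n";
print "  $_\n" for @groups;
$ldap->unbind;
```

The same rule applies to every other back-link attribute in the AD schema (for example managedObjects, which mirrors managedBy): write the forward link on the object that owns it, and read the back-link on the object it points at.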

I would have preferred to see an example of GSSAPI and/or full Kerberos authentication in these articles. This content is available to anyone who knows how to type the command "Net::LDAP" from a shell.

BezoarSF
