.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28) .\" .\" Standard preamble: .\" ======================================================================== .de Sp \" Vertical space (when we can't use .PP) .if t .sp .5v .if n .sp .. .de Vb \" Begin verbatim text .ft CW .nf .ne \\$1 .. .de Ve \" End verbatim text .ft R .fi .. .\" Set up some character translations and predefined strings. \*(-- will .\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left .\" double quote, and \*(R" will give a right double quote. \*(C+ will .\" give a nicer C++. Capital omega is used to do unbreakable dashes and .\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff, .\" nothing in troff, for use with C<>. .tr \(*W- .ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' .ie n \{\ . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} .el\{\ . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' . ds C` . ds C' 'br\} .\" .\" Escape single quotes in literal strings from groff's Unicode transform. .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" .\" If the F register is turned on, we'll generate index entries on stderr for .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index .\" entries marked with X<> in POD. Of course, you'll have to process the .\" output yourself in some meaningful fashion. .\" .\" Avoid warning from groff about undefined register 'F'. .de IX .. .nr rF 0 .if \n(.g .if rF .nr rF 1 .if (\n(rF:(\n(.g==0)) \{ . if \nF \{ . de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . if !\nF==2 \{ . nr % 0 . nr F 2 . \} . \} .\} .rr rF .\" .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2). .\" Fear. Run. Save yourself. No user-serviceable parts. . \" fudge factors for nroff and troff .if n \{\ . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] \fP .\} .if t \{\ . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff .if n \{\ . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} .if t \{\ . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents .ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' .ds 8 \h'\*(#H'\(*b\h'-\*(#H' .ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] .ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' .ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' .ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] .ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] .ds ae a\h'-(\w'a'u*4/10)'e .ds Ae A\h'-(\w'A'u*4/10)'E . \" corrections for vroff .if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' .if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' . \" for low resolution devices (crt and lpr) .if \n(.H>23 .if \n(.V>19 \ \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} .rm #[ #] #H #V #F C .\" ======================================================================== .\" .IX Title "Net::LDAP 3pm" .TH Net::LDAP 3pm "2015-04-06" "perl v5.20.2" "User Contributed Perl Documentation" .\" For nroff, turn off justification. Always turn off hyphenation; it makes .\" way too many mistakes in technical documents. .if n .ad l .nh .SH "NAME" Net::LDAP \- Lightweight Directory Access Protocol .SH "SYNOPSIS" .IX Header "SYNOPSIS" .Vb 1 \& use Net::LDAP; \& \& $ldap = Net::LDAP\->new( \*(Aqldap.bigfoot.com\*(Aq ) or die "$@"; \& \& $mesg = $ldap\->bind ; # an anonymous bind \& \& $mesg = $ldap\->search( # perform a search \& base => "c=US", \& filter => "(&(sn=Barr)(o=Texas Instruments))" \& ); \& \& $mesg\->code && die $mesg\->error; \& \& foreach $entry ($mesg\->entries) { $entry\->dump; } \& \& $mesg = $ldap\->unbind; # take down session \& \& \& $ldap = Net::LDAP\->new( \*(Aqldap.umich.edu\*(Aq ); \& \& # bind to a directory with dn and password \& $mesg = $ldap\->bind( \*(Aqcn=root, o=University of Michigan, c=us\*(Aq, \& password => \*(Aqsecret\*(Aq \& ); \& \& $result = $ldap\->add( \*(Aqcn=Barbara Jensen, o=University of Michigan, c=US\*(Aq, \& attrs => [ \& \*(Aqcn\*(Aq => [\*(AqBarbara Jensen\*(Aq, \*(AqBarbs Jensen\*(Aq], \& \*(Aqsn\*(Aq => \*(AqJensen\*(Aq, \& \*(Aqmail\*(Aq => \*(Aqb.jensen@umich.edu\*(Aq, \& \*(Aqobjectclass\*(Aq => [\*(Aqtop\*(Aq, \*(Aqperson\*(Aq, \& \*(AqorganizationalPerson\*(Aq, \& \*(AqinetOrgPerson\*(Aq ], \& ] \& ); \& \& $result\->code && warn "failed to add entry: ", $result\->error ; \& $mesg = $ldap\->unbind; # take down session .Ve .SH "DESCRIPTION" .IX Header "DESCRIPTION" \&\fBNet::LDAP\fR is a collection of modules that implements a \s-1LDAP\s0 services \s-1API\s0 for Perl programs. The module may be used to search directories or perform maintenance functions such as adding, deleting or modifying entries. .PP This document assumes that the reader has some knowledge of the \s-1LDAP\s0 protocol. .SH "CONSTRUCTOR" .IX Header "CONSTRUCTOR" .IP "new ( \s-1HOST, OPTIONS \s0)" 4 .IX Item "new ( HOST, OPTIONS )" Creates a new \fBNet::LDAP\fR object and opens a connection to the named host. .Sp \&\f(CW\*(C`HOST\*(C'\fR may be a host name or an \s-1IP\s0 address. \s-1TCP\s0 port may be specified after the host name followed by a colon (such as localhost:10389). The default \s-1TCP\s0 port for \s-1LDAP\s0 is 389. .Sp You can also specify a \s-1URI,\s0 such as 'ldaps://127.0.0.1:666' or \&'ldapi://%2fvar%2flib%2fldap_sock'. Note that '%2f's in the \s-1LDAPI\s0 socket path will be translated into '/'. This is to support \s-1LDAP\s0 query options like base, search etc. although the query part of the \s-1URI\s0 will be ignored in this context. If port was not specified in the \s-1URI,\s0 the default is either 389 or 636 for '\s-1LDAP\s0' and '\s-1LDAPS\s0' schemes respectively. .Sp \&\f(CW\*(C`HOST\*(C'\fR may also be a reference to an array of hosts, host-port pairs or URIs to try. Each will be tried in order until a connection is made. Only when all have failed will the result of \f(CW\*(C`undef\*(C'\fR be returned. .RS 4 .IP "port => N" 4 .IX Item "port => N" Port to connect to on the remote server. May be overridden by \f(CW\*(C`HOST\*(C'\fR. .IP "scheme => 'ldap' | 'ldaps' | 'ldapi'" 4 .IX Item "scheme => 'ldap' | 'ldaps' | 'ldapi'" Connection scheme to use when not using an \s-1URI\s0 as \f(CW\*(C`HOST\*(C'\fR. (Default: ldap) .IP "keepalive => 1" 4 .IX Item "keepalive => 1" If given, set the socket's \s-1SO_KEEPALIVE\s0 option depending on the Boolean value of the option. (Default: use system default) .Sp Failures in changing the socket's \s-1SO_KEEPALIVE\s0 option are ignored. .IP "timeout => N" 4 .IX Item "timeout => N" Timeout passed to IO::Socket when connecting the remote server. (Default: 120) .IP "multihomed => N" 4 .IX Item "multihomed => N" Will be passed to IO::Socket as the \f(CW\*(C`MultiHomed\*(C'\fR parameter when connecting to the remote server .IP "localaddr => \s-1HOST\s0" 4 .IX Item "localaddr => HOST" Will be passed to IO::Socket as the \f(CW\*(C`LocalAddr\*(C'\fR parameter, which sets the client's \s-1IP\s0 address (as opposed to the server's \s-1IP\s0 address.) .IP "debug => N" 4 .IX Item "debug => N" Set the debug level. See the debug method for details. .IP "async => 1" 4 .IX Item "async => 1" Perform all operations asynchronously. .IP "onerror => 'die' | 'warn' | undef | sub { ... }" 4 .IX Item "onerror => 'die' | 'warn' | undef | sub { ... }" In synchronous mode, change what happens when an error is detected. .RS 4 .IP "'die'" 4 .IX Item "'die'" Net::LDAP will croak whenever an error is detected. .IP "'warn'" 4 .IX Item "'warn'" Net::LDAP will warn whenever an error is detected. .IP "undef" 4 .IX Item "undef" Net::LDAP will warn whenever an error is detected and \f(CW\*(C`\-w\*(C'\fR is in effect. The method that was called will return \f(CW\*(C`undef\*(C'\fR. .IP "sub { ... }" 4 .IX Item "sub { ... }" The given sub will be called in a scalar context with a single argument, the result message. The value returned will be the return value for the method that was called. .RE .RS 4 .RE .IP "version => N" 4 .IX Item "version => N" Set the protocol version being used (default is LDAPv3). This is useful if you want to talk to an old server and therefore have to use LDAPv2. .IP "raw => \s-1REGEX\s0" 4 .IX Item "raw => REGEX" Use \s-1REGEX\s0 to denote the names of attributes that are to be considered binary in search results. .Sp When this option is given, Net::LDAP converts all values of attributes not matching this \s-1REGEX\s0 into Perl \s-1UTF\-8\s0 strings so that the regular Perl operators (pattern matching, ...) can operate as one expects even on strings with international characters. .Sp If this option is not given, attribute values are treated as byte strings. .Sp Example: raw => qr/(?i:^jpegPhoto|;binary)/ .IP "inet4 => N" 4 .IX Item "inet4 => N" .PD 0 .IP "inet6 => N" 4 .IX Item "inet6 => N" .PD Try to connect to the server using the specified \s-1IP\s0 protocol only, i.e. either IPv4 or IPv6. If the protocol selected is not supported, connecting will fail. .Sp The default is to use any of the two protocols. .RE .RS 4 .Sp \&\fBExample\fR .Sp .Vb 1 \& $ldap = Net::LDAP\->new( \*(Aqremote.host\*(Aq, async => 1 ); .Ve .Sp \&\s-1LDAPS\s0 connections have some extra valid options, see the start_tls method for details. Note the default port for \s-1LDAPS\s0 is 636, and the default value for 'sslversion' is the value used as default by IO::Socket::SSL. .Sp For \s-1LDAPI\s0 connections, \s-1HOST\s0 is actually the location of a \s-1UNIX\s0 domain socket to connect to. The default location is '/var/run/ldapi'. .RE .SH "METHODS" .IX Header "METHODS" Each of the following methods take as arguments some number of fixed parameters followed by options, these options are passed in a named fashion, for example .PP .Vb 1 \& $mesg = $ldap\->bind( "cn=me,o=example", password => "mypasswd"); .Ve .PP The return value from these methods is an object derived from the Net::LDAP::Message class. The methods of this class allow you to examine the status of the request. .IP "abandon ( \s-1ID, OPTIONS \s0)" 4 .IX Item "abandon ( ID, OPTIONS )" Abandon a previously issued request. \f(CW\*(C`ID\*(C'\fR may be a number or an object which is a sub-class of Net::LDAP::Message, returned from a previous method call. .RS 4 .IP "control => \s-1CONTROL\s0" 4 .IX Item "control => CONTROL" .PD 0 .IP "control => [ \s-1CONTROL, ... \s0]" 4 .IX Item "control => [ CONTROL, ... ]" .PD See \*(L"\s-1CONTROLS\*(R"\s0 below .IP "callback => \s-1CALLBACK\s0" 4 .IX Item "callback => CALLBACK" See \*(L"\s-1CALLBACKS\*(R"\s0 below .RE .RS 4 .Sp \&\fBExample\fR .Sp .Vb 1 \& $res = $ldap\->search( @search_args ); \& \& $mesg = $ldap\->abandon( $res ); # This could be written as $res\->abandon .Ve .RE .IP "add ( \s-1DN, OPTIONS \s0)" 4 .IX Item "add ( DN, OPTIONS )" Add a new entry to the directory. \f(CW\*(C`DN\*(C'\fR can be either a Net::LDAP::Entry object or a string. .RS 4 .IP "attrs => [ \s-1ATTR\s0 => \s-1VALUE, ... \s0]" 4 .IX Item "attrs => [ ATTR => VALUE, ... ]" \&\f(CW\*(C`VALUE\*(C'\fR should be a string if only a single value is wanted, or a reference to an array of strings if multiple values are wanted. .Sp This argument is not used if \f(CW\*(C`DN\*(C'\fR is a Net::LDAP::Entry object. .IP "control => \s-1CONTROL\s0" 4 .IX Item "control => CONTROL" .PD 0 .IP "control => [ \s-1CONTROL, ... \s0]" 4 .IX Item "control => [ CONTROL, ... ]" .PD See \*(L"\s-1CONTROLS\*(R"\s0 below .IP "callback => \s-1CALLBACK\s0" 4 .IX Item "callback => CALLBACK" See \*(L"\s-1CALLBACKS\*(R"\s0 below .RE .RS 4 .Sp \&\fBExample\fR .Sp .Vb 2 \& # $entry is an object of class Net::LDAP::Entry \& $mesg = $ldap\->add( $entry ); \& \& $mesg = $ldap\->add( $dn, \& attrs => [ \& name => \*(AqGraham Barr\*(Aq, \& attr => \*(Aqvalue1\*(Aq, \& attr => \*(Aqvalue2\*(Aq, \& multi => [qw(value1 value2)] \& ] \& ); .Ve .RE .IP "bind ( \s-1DN, OPTIONS \s0)" 4 .IX Item "bind ( DN, OPTIONS )" Bind (log in) to the server. \f(CW\*(C`DN\*(C'\fR is the \s-1DN\s0 to bind with. An anonymous bind may be done by calling bind without any arguments. .RS 4 .IP "control => \s-1CONTROL\s0" 4 .IX Item "control => CONTROL" .PD 0 .IP "control => [ \s-1CONTROL, ... \s0]" 4 .IX Item "control => [ CONTROL, ... ]" .PD See \*(L"\s-1CONTROLS\*(R"\s0 below .IP "callback => \s-1CALLBACK\s0" 4 .IX Item "callback => CALLBACK" See \*(L"\s-1CALLBACKS\*(R"\s0 below .IP "noauth | anonymous => 1" 4 .IX Item "noauth | anonymous => 1" Bind without any password. The value passed with this option is ignored. .IP "password => \s-1PASSWORD\s0" 4 .IX Item "password => PASSWORD" Bind with the given password. .IP "sasl => \s-1SASLOBJ\s0" 4 .IX Item "sasl => SASLOBJ" Bind using a \s-1SASL\s0 mechanism. The argument given should be a sub-class of Authen::SASL or an Authen::SASL client connection by calling \&\f(CW\*(C`client_new\*(C'\fR on an Authen::SASL object. .Sp If passed an Authen::SASL object then \f(CW\*(C`client_new\*(C'\fR will be called to create a client connection object. The hostname passed by \f(CW\*(C`Net::LDAP\*(C'\fR to \f(CW\*(C`client_new\*(C'\fR can be set using the \f(CW\*(C`sasl_host\*(C'\fR option below. If this is not correct for your environment, consider calling \f(CW\*(C`client_new\*(C'\fR yourself and passing the client connection object as \f(CW\*(C`SASLOBJ\*(C'\fR. .IP "sasl_host => \s-1SASLHOST\s0" 4 .IX Item "sasl_host => SASLHOST" When binding using \s-1SASL,\s0 allow the hostname used in the \s-1SASL\s0 communication to differ from the hostname connected to. .Sp If \f(CW\*(C`SASLHOST\*(C'\fR evaluates to \s-1TRUE,\s0 then it is used as the \s-1SASL\s0 hostname. .Sp If it evaluates to \s-1FALSE,\s0 then the value is determined by calling \f(CW\*(C`peerhost\*(C'\fR on the socket. In older versions of Net::LDAP this was the standard behaviour, but it turned out to cause more trouble than it fixed. .Sp When the option is not given, the \s-1SASL\s0 host name used defaults to the host name / \s-1IP\s0 address taken from the \f(CW\*(C`HOST\*(C'\fR parameter when connecting. .RE .RS 4 .Sp \&\fBExample\fR .Sp .Vb 1 \& $mesg = $ldap\->bind; # Anonymous bind \& \& $mesg = $ldap\->bind( $dn, password => $password ); \& \& # $sasl is an object of class Authen::SASL \& $mesg = $ldap\->bind( $dn, sasl => $sasl, version => 3 ); .Ve .RE .IP "compare ( \s-1DN, OPTIONS \s0)" 4 .IX Item "compare ( DN, OPTIONS )" Compare values in an attribute in the entry given by \f(CW\*(C`DN\*(C'\fR on the server. \f(CW\*(C`DN\*(C'\fR may be a string or a Net::LDAP::Entry object. .RS 4 .IP "attr => \s-1ATTR\s0" 4 .IX Item "attr => ATTR" The name of the attribute to compare. .IP "value => \s-1VALUE\s0" 4 .IX Item "value => VALUE" The value to compare with. .IP "control => \s-1CONTROL\s0" 4 .IX Item "control => CONTROL" .PD 0 .IP "control => [ \s-1CONTROL, ... \s0]" 4 .IX Item "control => [ CONTROL, ... ]" .PD See \*(L"\s-1CONTROLS\*(R"\s0 below. .IP "callback => \s-1CALLBACK\s0" 4 .IX Item "callback => CALLBACK" See \*(L"\s-1CALLBACKS\*(R"\s0 below. .RE .RS 4 .Sp \&\fBExample\fR .Sp .Vb 4 \& $mesg = $ldap\->compare( $dn, \& attr => \*(Aqcn\*(Aq, \& value => \*(AqGraham Barr\*(Aq \& ); .Ve .RE .IP "delete ( \s-1DN, OPTIONS \s0)" 4 .IX Item "delete ( DN, OPTIONS )" Delete the entry given by \f(CW\*(C`DN\*(C'\fR from the server. \f(CW\*(C`DN\*(C'\fR may be a string or a Net::LDAP::Entry object. .RS 4 .IP "control => \s-1CONTROL\s0" 4 .IX Item "control => CONTROL" .PD 0 .IP "control => [ \s-1CONTROL, ... \s0]" 4 .IX Item "control => [ CONTROL, ... ]" .PD See \*(L"\s-1CONTROLS\*(R"\s0 below. .IP "callback => \s-1CALLBACK\s0" 4 .IX Item "callback => CALLBACK" See \*(L"\s-1CALLBACKS\*(R"\s0 below. .RE .RS 4 .Sp \&\fBExample\fR .Sp .Vb 1 \& $mesg = $ldap\->delete( $dn ); .Ve .RE .IP "moddn ( \s-1DN, OPTIONS \s0)" 4 .IX Item "moddn ( DN, OPTIONS )" Rename the entry given by \f(CW\*(C`DN\*(C'\fR on the server. \f(CW\*(C`DN\*(C'\fR may be a string or a Net::LDAP::Entry object. .RS 4 .IP "newrdn => \s-1RDN\s0" 4 .IX Item "newrdn => RDN" This value should be a new \s-1RDN\s0 to assign to \f(CW\*(C`DN\*(C'\fR. .IP "deleteoldrdn => 1" 4 .IX Item "deleteoldrdn => 1" This option should be passed if the existing \s-1RDN\s0 is to be deleted. .IP "newsuperior => \s-1NEWDN\s0" 4 .IX Item "newsuperior => NEWDN" If given this value should be the \s-1DN\s0 of the new superior for \f(CW\*(C`DN\*(C'\fR. .IP "control => \s-1CONTROL\s0" 4 .IX Item "control => CONTROL" .PD 0 .IP "control => [ \s-1CONTROL, ... \s0]" 4 .IX Item "control => [ CONTROL, ... ]" .PD See \*(L"\s-1CONTROLS\*(R"\s0 below. .IP "callback => \s-1CALLBACK\s0" 4 .IX Item "callback => CALLBACK" See \*(L"\s-1CALLBACKS\*(R"\s0 below. .RE .RS 4 .Sp \&\fBExample\fR .Sp .Vb 1 \& $mesg = $ldap\->moddn( $dn, newrdn => \*(Aqcn=Graham Barr\*(Aq ); .Ve .RE .IP "modify ( \s-1DN, OPTIONS \s0)" 4 .IX Item "modify ( DN, OPTIONS )" Modify the contents of the entry given by \f(CW\*(C`DN\*(C'\fR on the server. \f(CW\*(C`DN\*(C'\fR may be a string or a Net::LDAP::Entry object. .RS 4 .IP "add => { \s-1ATTR\s0 => \s-1VALUE, ... \s0}" 4 .IX Item "add => { ATTR => VALUE, ... }" Add more attributes or values to the entry. \f(CW\*(C`VALUE\*(C'\fR should be a string if only a single value is wanted in the attribute, or a reference to an array of strings if multiple values are wanted. .Sp .Vb 9 \& $mesg = $ldap\->modify( $dn, \& add => { \& description => \*(AqList of members\*(Aq, # Add description attribute \& member => [ \& \*(Aqcn=member1,ou=people,dc=example,dc=com\*(Aq, # Add to attribute \& \*(Aqcn=member2,ou=people,dc=example,dc=com\*(Aq, \& ] \& } \& ); .Ve .IP "delete => [ \s-1ATTR, ... \s0]" 4 .IX Item "delete => [ ATTR, ... ]" Delete complete attributes from the entry. .Sp .Vb 3 \& $mesg = $ldap\->modify( $dn, \& delete => [\*(Aqmember\*(Aq,\*(Aqdescription\*(Aq] # Delete attributes \& ); .Ve .IP "delete => { \s-1ATTR\s0 => \s-1VALUE, ... \s0}" 4 .IX Item "delete => { ATTR => VALUE, ... }" Delete individual values from an attribute. \f(CW\*(C`VALUE\*(C'\fR should be a string if only a single value is being deleted from the attribute, or a reference to an array of strings if multiple values are being deleted. .Sp If \f(CW\*(C`VALUE\*(C'\fR is a reference to an empty array or all existing values of the attribute are being deleted, then the attribute will be deleted from the entry. .Sp .Vb 10 \& $mesg = $ldap\->modify( $dn, \& delete => { \& description => \*(AqList of members\*(Aq, \& member => [ \& \*(Aqcn=member1,ou=people,dc=example,dc=com\*(Aq, # Remove members \& \*(Aqcn=member2,ou=people,dc=example,dc=com\*(Aq, \& ], \& seeAlso => [], # Remove attribute \& } \& ); .Ve .IP "replace => { \s-1ATTR\s0 => \s-1VALUE, ... \s0}" 4 .IX Item "replace => { ATTR => VALUE, ... }" Replace any existing values in each given attribute with \&\f(CW\*(C`VALUE\*(C'\fR. \f(CW\*(C`VALUE\*(C'\fR should be a string if only a single value is wanted in the attribute, or a reference to an array of strings if multiple values are wanted. A reference to an empty array will remove the entire attribute. If the attribute does not already exist in the entry, it will be created. .Sp .Vb 10 \& $mesg = $ldap\->modify( $dn, \& replace => { \& description => \*(AqNew List of members\*(Aq, # Change the description \& member => [ # Replace whole list with these \& \*(Aqcn=member1,ou=people,dc=example,dc=com\*(Aq, \& \*(Aqcn=member2,ou=people,dc=example,dc=com\*(Aq, \& ], \& seeAlso => [], # Remove attribute \& } \& ); .Ve .IP "increment => { \s-1ATTR\s0 => \s-1VALUE, ... \s0}" 4 .IX Item "increment => { ATTR => VALUE, ... }" Atomically increment the existing value in each given attribute by the provided \f(CW\*(C`VALUE\*(C'\fR. The attributes need to have integer syntax, or be otherwise \*(L"incrementable\*(R". Note this will only work if the server advertises support for \s-1LDAP_FEATURE_MODIFY_INCREMENT.\s0 Use \&\*(L"supported_feature\*(R" in Net::LDAP::RootDSE to check this. .Sp .Vb 5 \& $mesg = $ldap\->modify( $dn, \& increment => { \& uidNumber => 1 # increment uidNumber by 1 \& } \& ); .Ve .IP "changes => [ \s-1OP\s0 => [ \s-1ATTR\s0 => \s-1VALUE \s0], ... ]" 4 .IX Item "changes => [ OP => [ ATTR => VALUE ], ... ]" This is an alternative to \fBadd\fR, \fBdelete\fR, \fBreplace\fR and \fBincrement\fR where the whole operation can be given in a single argument. \f(CW\*(C`OP\*(C'\fR should be \fBadd\fR, \fBdelete\fR, \fBreplace\fR or \fBincrement\fR. \f(CW\*(C`VALUE\*(C'\fR should be either a string or a reference to an array of strings, as before. .Sp Use this form if you want to control the order in which the operations will be performed. .Sp .Vb 10 \& $mesg = $ldap\->modify( $dn, \& changes => [ \& add => [ \& description => \*(AqA description\*(Aq, \& member => $newMember, \& ], \& delete => [ \& seeAlso => [], \& ], \& add => [ \& anotherAttribute => $value, \& ], \& ] \& ); .Ve .IP "control => \s-1CONTROL\s0" 4 .IX Item "control => CONTROL" .PD 0 .IP "control => [ \s-1CONTROL, ... \s0]" 4 .IX Item "control => [ CONTROL, ... ]" .PD See \*(L"\s-1CONTROLS\*(R"\s0 below. .IP "callback => \s-1CALLBACK\s0" 4 .IX Item "callback => CALLBACK" See \*(L"\s-1CALLBACKS\*(R"\s0 below. .RE .RS 4 .Sp \&\fBExample\fR .Sp .Vb 1 \& $mesg = $ldap\->modify( $dn, add => { sn => \*(AqBarr\*(Aq } ); \& \& $mesg = $ldap\->modify( $dn, delete => [qw(faxNumber)] ); \& \& $mesg = $ldap\->modify( $dn, delete => { \*(AqtelephoneNumber\*(Aq => \*(Aq911\*(Aq } ); \& \& $mesg = $ldap\->modify( $dn, replace => { \*(Aqmail\*(Aq => \*(Aqgbarr@pobox.com\*(Aq } ); \& \& $mesg = $ldap\->modify( $dn, \& changes => [ \& # add sn=Barr \& add => [ sn => \*(AqBarr\*(Aq ], \& # delete all fax numbers \& delete => [ faxNumber => []], \& # delete phone number 911 \& delete => [ telephoneNumber => [\*(Aq911\*(Aq]], \& # change email address \& replace => [ mail => \*(Aqgbarr@pobox.com\*(Aq] \& ] \& ); .Ve .RE .IP "search ( \s-1OPTIONS \s0)" 4 .IX Item "search ( OPTIONS )" Search the directory using a given filter. This can be used to read attributes from a single entry, from entries immediately below a particular entry, or a whole subtree of entries. .Sp The result is an object of class Net::LDAP::Search. .RS 4 .IP "base => \s-1DN\s0" 4 .IX Item "base => DN" The \s-1DN\s0 that is the base object entry relative to which the search is to be performed. .IP "scope => 'base' | 'one' | 'sub' | 'subtree' | 'children'" 4 .IX Item "scope => 'base' | 'one' | 'sub' | 'subtree' | 'children'" By default the search is performed on the whole tree below the specified base object. This maybe changed by specifying a \f(CW\*(C`scope\*(C'\fR parameter with one of the following values: .RS 4 .IP "base" 4 .IX Item "base" Search only the base object. .IP "one" 4 .IX Item "one" Search the entries immediately below the base object. .IP "sub" 4 .IX Item "sub" .PD 0 .IP "subtree" 4 .IX Item "subtree" .PD Search the whole tree below (and including) the base object. This is the default. .IP "children" 4 .IX Item "children" Search the whole subtree below the base object, excluding the base object itself. .Sp Note: \fIchildren\fR scope requires LDAPv3 subordinate feature extension. .RE .RS 4 .RE .IP "deref => 'never' | 'search' | 'find' | 'always'" 4 .IX Item "deref => 'never' | 'search' | 'find' | 'always'" By default aliases are dereferenced to locate the base object for the search, but not when searching subordinates of the base object. This may be changed by specifying a \f(CW\*(C`deref\*(C'\fR parameter with one of the following values: .RS 4 .IP "never" 4 .IX Item "never" Do not dereference aliases in searching or in locating the base object of the search. .IP "search" 4 .IX Item "search" Dereference aliases in subordinates of the base object in searching, but not in locating the base object of the search. .IP "find" 4 .IX Item "find" Dereference aliases in locating the base object of the search, but not when searching subordinates of the base object. This is the default. .IP "always" 4 .IX Item "always" Dereference aliases both in searching and in locating the base object of the search. .RE .RS 4 .RE .IP "sizelimit => N" 4 .IX Item "sizelimit => N" A sizelimit that restricts the maximum number of entries to be returned as a result of the search. A value of 0, and the default, means that no restriction is requested. Servers may enforce a maximum number of entries to return. .IP "timelimit => N" 4 .IX Item "timelimit => N" A timelimit that restricts the maximum time (in seconds) allowed for a search. A value of 0 (the default), means that no timelimit will be requested. .IP "typesonly => 1" 4 .IX Item "typesonly => 1" Only attribute types (no values) should be returned. Normally attribute types and values are returned. .IP "filter => \s-1FILTER\s0" 4 .IX Item "filter => FILTER" A filter that defines the conditions an entry in the directory must meet in order for it to be returned by the search. This may be a string or a Net::LDAP::Filter object. Values inside filters may need to be escaped to avoid security problems; see Net::LDAP::Filter for a definition of the filter format, including the escaping rules. .IP "attrs => [ \s-1ATTR, ... \s0]" 4 .IX Item "attrs => [ ATTR, ... ]" A list of attributes to be returned for each entry that matches the search filter. .Sp If not specified, then the server will return the attributes that are specified as accessible by default given your bind credentials. .Sp Certain additional attributes such as \*(L"createTimestamp\*(R" and other operational attributes may also be available for the asking: .Sp .Vb 3 \& $mesg = $ldap\->search( ... , \& attrs => [\*(AqcreateTimestamp\*(Aq] \& ); .Ve .Sp To retrieve the default attributes and additional ones, use '*'. .Sp .Vb 3 \& $mesg = $ldap\->search( ... , \& attrs => [\*(Aq*\*(Aq, \*(AqcreateTimestamp\*(Aq] \& ); .Ve .Sp To retrieve no attributes (the server only returns the DNs of matching entries), use '1.1': .Sp .Vb 3 \& $mesg = $ldap\->search( ... , \& attrs => [\*(Aq1.1\*(Aq] \& ); .Ve .IP "control => \s-1CONTROL\s0" 4 .IX Item "control => CONTROL" .PD 0 .IP "control => [ \s-1CONTROL, ... \s0]" 4 .IX Item "control => [ CONTROL, ... ]" .PD See \*(L"\s-1CONTROLS\*(R"\s0 below. .IP "callback => \s-1CALLBACK\s0" 4 .IX Item "callback => CALLBACK" See \*(L"\s-1CALLBACKS\*(R"\s0 below. .IP "raw => \s-1REGEX\s0" 4 .IX Item "raw => REGEX" Use \s-1REGEX\s0 to denote the names of attributes that are to be considered binary in search results. .Sp When this option is given, Net::LDAP converts all values of attributes not matching this \s-1REGEX\s0 into Perl \s-1UTF\-8\s0 strings so that the regular Perl operators (pattern matching, ...) can operate as one expects even on strings with international characters. .Sp If this option is not given, attribute values are treated as byte strings. .Sp The value provided here overwrites the value inherited from the constructor. .Sp Example: raw => qr/(?i:^jpegPhoto|;binary)/ .RE .RS 4 .Sp \&\fBExample\fR .Sp .Vb 5 \& $mesg = $ldap\->search( \& base => $base_dn, \& scope => \*(Aqsub\*(Aq, \& filter => \*(Aq(|(objectclass=rfc822mailgroup)(sn=jones))\*(Aq \& ); \& \& Net::LDAP::LDIF\->new( \e*STDOUT,"w" )\->write( $mesg\->entries ); .Ve .RE .IP "start_tls ( \s-1OPTIONS \s0)" 4 .IX Item "start_tls ( OPTIONS )" Calling this method will convert the existing connection to using Transport Layer Security (\s-1TLS\s0), which provides an encrypted connection. This is \fIonly\fR possible if the connection uses LDAPv3, and requires that the server advertises support for \&\s-1LDAP_EXTENSION_START_TLS.\s0 Use \&\*(L"supported_extension\*(R" in Net::LDAP::RootDSE to check this. .RS 4 .IP "verify => 'none' | 'optional' | 'require'" 4 .IX Item "verify => 'none' | 'optional' | 'require'" How to verify the server's certificate: .RS 4 .IP "none" 4 .IX Item "none" The server may provide a certificate but it will not be checked \- this may mean you are be connected to the wrong server .IP "optional" 4 .IX Item "optional" Verify only when the server offers a certificate .IP "require" 4 .IX Item "require" The server must provide a certificate, and it must be valid. .RE .RS 4 .Sp If you set verify to optional or require, you must also set either cafile or capath. The most secure option is \fBrequire\fR. .RE .IP "sslversion => 'sslv2' | 'sslv3' | 'sslv23' | 'tlsv1' | 'tlsv1_1' | 'tlsv1_2'" 4 .IX Item "sslversion => 'sslv2' | 'sslv3' | 'sslv23' | 'tlsv1' | 'tlsv1_1' | 'tlsv1_2'" This defines the version of the \s-1SSL/TLS\s0 protocol to use. Default is to use the value that IO::Socket::SSL uses as default. .Sp See \*(L"SSL_version\*(R" in IO::Socket::SSL for more details. .IP "ciphers => \s-1CIPHERS\s0" 4 .IX Item "ciphers => CIPHERS" Specify which subset of cipher suites are permissible for this connection, using the standard OpenSSL string format. The default behavior is to keep the decision on the underlying cryptographic library. .IP "clientcert => '/path/to/cert.pem'" 4 .IX Item "clientcert => '/path/to/cert.pem'" .PD 0 .IP "clientkey => '/path/to/key.pem'" 4 .IX Item "clientkey => '/path/to/key.pem'" .IP "keydecrypt => sub { ... }" 4 .IX Item "keydecrypt => sub { ... }" .PD If you want to use the client to offer a certificate to the server for \&\s-1SSL\s0 authentication (which is not the same as for the \s-1LDAP\s0 Bind operation) then set clientcert to the user's certificate file, and clientkey to the user's private key file. These files must be in \s-1PEM\s0 format. .Sp If the private key is encrypted (highly recommended) then keydecrypt should be a subroutine that returns the decrypting key. For example: .Sp .Vb 8 \& $ldap = Net::LDAP\->new( \*(Aqmyhost.example.com\*(Aq, version => 3 ); \& $mesg = $ldap\->start_tls( \& verify => \*(Aqrequire\*(Aq, \& clientcert => \*(Aqmycert.pem\*(Aq, \& clientkey => \*(Aqmykey.pem\*(Aq, \& keydecrypt => sub { \*(Aqsecret\*(Aq; }, \& capath => \*(Aq/usr/local/cacerts/\*(Aq \& ); .Ve .IP "capath => '/path/to/servercerts/'" 4 .IX Item "capath => '/path/to/servercerts/'" .PD 0 .IP "cafile => '/path/to/servercert.pem'" 4 .IX Item "cafile => '/path/to/servercert.pem'" .PD When verifying the server's certificate, either set capath to the pathname of the directory containing \s-1CA\s0 certificates, or set cafile to the filename containing the certificate of the \s-1CA\s0 who signed the server's certificate. These certificates must all be in \s-1PEM\s0 format. .Sp The directory in 'capath' must contain certificates named using the hash value of the certificates' subject names. To generate these names, use OpenSSL like this in Unix: .Sp .Vb 1 \& ln \-s cacert.pem \`openssl x509 \-hash \-noout < cacert.pem\`.0 .Ve .Sp (assuming that the certificate of the \s-1CA\s0 is in cacert.pem.) .IP "checkcrl => 1" 4 .IX Item "checkcrl => 1" If capath has been configured, then it will also be searched for certificate revocation lists (CRLs) when verifying the server's certificate. The CRLs' names must follow the form \fBhash\fR.r\fBnum\fR where \fBhash\fR is the hash over the issuer's \s-1DN\s0 and \fBnum\fR is a number starting with 0. .Sp See \*(L"SSL_check_crl\*(R" in IO::Socket::SSL for further information. .RE .RS 4 .RE .IP "unbind ( )" 4 .IX Item "unbind ( )" The unbind method does not take any parameters and will unbind you from the server. Some servers may allow you to re-bind or perform other operations after unbinding. If you wish to switch to another set of credentials while continuing to use the same connection, re-binding with another \s-1DN\s0 and password, without unbind-ing, will generally work. .Sp \&\fBExample\fR .Sp .Vb 1 \& $mesg = $ldap\->unbind; .Ve .IP "done ( )" 4 .IX Item "done ( )" Convenience alias for \f(CW\*(C`unbind()\*(C'\fR, named after the clean-up method of Net::LDAP::LDIF. .PP The following methods are for convenience, and do not return \&\f(CW\*(C`Net::LDAP::Message\*(C'\fR objects. .IP "async ( \s-1VALUE \s0)" 4 .IX Item "async ( VALUE )" If \f(CW\*(C`VALUE\*(C'\fR is given the async mode will be set. The previous value will be returned. The value is \fItrue\fR if \s-1LDAP\s0 operations are being performed asynchronously. .IP "certificate ( )" 4 .IX Item "certificate ( )" Returns an X509_Certificate object containing the server's certificate. See the IO::Socket::SSL documentation for information about this class. .Sp For example, to get the subject name (in a peculiar OpenSSL-specific format, different from \s-1RFC 1779\s0 and \s-1RFC 4514\s0) from the server's certificate, do this: .Sp .Vb 1 \& print "Subject DN: " . $ldaps\->certificate\->subject_name . "\en"; .Ve .IP "cipher ( )" 4 .IX Item "cipher ( )" Returns the cipher mode being used by the connection, in the string format used by OpenSSL. .IP "debug ( \s-1VALUE \s0)" 4 .IX Item "debug ( VALUE )" If \f(CW\*(C`VALUE\*(C'\fR is given the debug bit-value will be set. The previous value will be returned. Debug output will be sent to \f(CW\*(C`STDERR\*(C'\fR. The bits of this value are: .Sp .Vb 4 \& 1 Show outgoing packets (using asn_hexdump). \& 2 Show incoming packets (using asn_hexdump). \& 4 Show outgoing packets (using asn_dump). \& 8 Show incoming packets (using asn_dump). .Ve .Sp The default value is 0. .IP "disconnect ( )" 4 .IX Item "disconnect ( )" Disconnect from the server .IP "root_dse ( \s-1OPTIONS \s0)" 4 .IX Item "root_dse ( OPTIONS )" The root_dse method retrieves cached information from the server's rootDSE. .RS 4 .IP "attrs => [ \s-1ATTR, ... \s0]" 4 .IX Item "attrs => [ ATTR, ... ]" A reference to a list of attributes to be returned. If not specified, then the following attributes will be requested .Sp .Vb 8 \& subschemaSubentry \& namingContexts \& altServer \& supportedExtension \& supportedFeatures \& supportedControl \& supportedSASLMechanisms \& supportedLDAPVersion .Ve .RE .RS 4 .Sp The result is an object of class Net::LDAP::RootDSE. .Sp \&\fBExample\fR .Sp .Vb 5 \& my $root = $ldap\->root_dse; \& # get naming Context \& $root\->get_value( \*(AqnamingContexts\*(Aq, asref => 1 ); \& # get supported LDAP versions \& $root\->supported_version; .Ve .Sp As the root \s-1DSE\s0 may change in certain circumstances \- for instance when you change the connection using start_tls \- you should always use the root_dse method to return the most up-to-date copy of the root \&\s-1DSE.\s0 .RE .IP "schema ( \s-1OPTIONS \s0)" 4 .IX Item "schema ( OPTIONS )" Read schema information from the server. .Sp The result is an object of class Net::LDAP::Schema. Read this documentation for further information about methods that can be performed with this object. .RS 4 .IP "dn => \s-1DN\s0" 4 .IX Item "dn => DN" If a \s-1DN\s0 is supplied, it will become the base object entry from which the search for schema information will be conducted. If no \s-1DN\s0 is supplied the base object entry will be determined from the rootDSE entry. .RE .RS 4 .Sp \&\fBExample\fR .Sp .Vb 5 \& my $schema = $ldap\->schema; \& # get objectClasses \& @ocs = $schema\->all_objectclasses; \& # Get the attributes \& @atts = $schema\->all_attributes; .Ve .RE .IP "sasl ( )" 4 .IX Item "sasl ( )" Returns the \f(CW\*(C`Authen::SASL\*(C'\fR object associated with the \s-1LDAP\s0 object, or \f(CW\*(C`undef\*(C'\fR if there isn't. .IP "socket ( \s-1OPTIONS \s0)" 4 .IX Item "socket ( OPTIONS )" Returns the underlying socket object being used. .Sp The exact object type returned depends on whether \s-1SASL\s0 layers are established. Without \s-1SASL\s0 layers the result is always an \f(CW\*(C`IO::Socket\*(C'\fR object; with \s-1SASL\s0 layers the outcome depends on the options given: .RS 4 .IP "sasl_layer => \s-1FLAG\s0" 4 .IX Item "sasl_layer => FLAG" This option is only relevant if \s-1SASL\s0 layers are established. .Sp If it it missing or if is set to a \s-1TRUE\s0 value, then the \s-1SASL\s0 layer handle is returned. Depending on the \s-1SASL\s0 library used, the object returned is not necessarily an \f(CW\*(C`IO::Socket\*(C'\fR object. .Sp If it exists, but is set to a value evaluating to \s-1FALSE,\s0 then the base \f(CW\*(C`IO::Socket\*(C'\fR object underneath the \s-1SASL\s0 layer is returned. .RE .RS 4 .RE .IP "host ( )" 4 .IX Item "host ( )" Returns the host to which the connection was established. For \s-1LDAPI\s0 connections the socket path is returned. .IP "port ( )" 4 .IX Item "port ( )" Returns the port connected to or \f(CW\*(C`undef\*(C'\fR in case of \s-1LDAPI\s0 connections. .IP "uri ( )" 4 .IX Item "uri ( )" Returns the \s-1URI\s0 connected to. .Sp As the value returned is that element of the constructor's \s-1HOST\s0 argument with which the connection was established this may or may not be a legal \s-1URI.\s0 .IP "scheme ( )" 4 .IX Item "scheme ( )" Returns the scheme of the connection. One of \fIldap\fR, \fIldaps\fR or \fIldapi\fR. .IP "sync ( \s-1MESG \s0)" 4 .IX Item "sync ( MESG )" Wait for a given \f(CW\*(C`MESG\*(C'\fR request to be completed by the server. If no \&\f(CW\*(C`MESG\*(C'\fR is given, then wait for all outstanding requests to be completed. .Sp Returns an error code defined in Net::LDAP::Constant. .IP "process ( \s-1MESG \s0)" 4 .IX Item "process ( MESG )" Process any messages that the server has sent, but do not block. If \f(CW\*(C`MESG\*(C'\fR is specified then return as soon as \f(CW\*(C`MESG\*(C'\fR has been processed. .Sp Returns an error code defined in Net::LDAP::Constant. .IP "version ( )" 4 .IX Item "version ( )" Returns the version of the \s-1LDAP\s0 protocol that is being used. .SH "CONTROLS" .IX Header "CONTROLS" Many of the methods described above accept a control option. This allows the user to pass controls to the server as described in LDAPv3. .PP A control is a reference to a \s-1HASH\s0 and should contain the three elements below. If any of the controls are blessed then the method \f(CW\*(C`to_asn\*(C'\fR will be called which should return a reference to a \s-1HASH\s0 containing the three elements described below. .PP For most purposes Net::LDAP::Control objects are the easiest way to generate controls. .IP "type => \s-1OID\s0" 4 .IX Item "type => OID" This element must be present and is the name of the type of control being requested. .IP "critical => \s-1FLAG\s0" 4 .IX Item "critical => FLAG" critical is optional and should be a Boolean value, if it is not specified then it is assumed to be \fIfalse\fR. .IP "value => \s-1VALUE\s0" 4 .IX Item "value => VALUE" If the control being requested requires a value then this element should hold the value for the server. .SH "CALLBACKS" .IX Header "CALLBACKS" Most of the above commands accept a callback option. This option should be a reference to a subroutine. This subroutine will be called for each packet received from the server as a response to the request sent. .PP When the subroutine is called the first argument will be the Net::LDAP::Message object which was returned from the method. .PP If the request is a search then multiple packets can be received from the server. Each entry is received as a separate packet. For each of these the subroutine will be called with a Net::LDAP::Entry object as the second argument. .PP During a search the server may also send a list of references. When such a list is received then the subroutine will be called with a Net::LDAP::Reference object as the second argument. .SH "LDAP ERROR CODES" .IX Header "LDAP ERROR CODES" \&\fBNet::LDAP\fR also exports constants for the error codes that can be received from the server, see Net::LDAP::Constant. .SH "SEE ALSO" .IX Header "SEE ALSO" Net::LDAP::Constant, Net::LDAP::Control, Net::LDAP::Entry, Net::LDAP::Filter, Net::LDAP::Message, Net::LDAP::Reference, Net::LDAP::Search, Net::LDAP::RFC .PP The homepage for the perl-ldap modules can be found at http://ldap.perl.org/. .SH "ACKNOWLEDGEMENTS" .IX Header "ACKNOWLEDGEMENTS" This document is based on a document originally written by Russell Fulton . .PP Chris Ridd for the many hours spent testing and contribution of the ldap* command line utilities. .SH "MAILING LIST" .IX Header "MAILING LIST" A discussion mailing list is hosted by the Perl Foundation at No subscription is necessary! .SH "BUGS" .IX Header "BUGS" We hope you do not find any, but if you do please report them to the mailing list. .PP If you have a patch, please send it as an attachment to the mailing list. .SH "AUTHOR" .IX Header "AUTHOR" Graham Barr .SH "COPYRIGHT" .IX Header "COPYRIGHT" Copyright (c) 1997\-2004 Graham Barr. All rights reserved. This program is free software; you can redistribute it and/or modify it under the same terms as Perl itself.