Advanced Features
The following sections describe some of the more advanced features available within LDAP and Active Directory. LDAP controls are a very important topic and are used extensively within Active Directory. Controls allow LDAP to be extended to do things it may not have originally been intended to do, such as server-side sorting. Referrals are another useful feature because they allow requests to be redirected to another server when the server that received the request does not hold the data needed to fully answer the client. Lastly, change notification and DirSync are used for tracking changes in Active Directory.
Controls
Controls are used to extend the core functionality provided by LDAP. They allow LDAP directory vendors to add their own extensions and capabilities to an LDAP server without actually modifying the core protocol. A control is sent as part of a client request, such as a search, and if the server supports the control, it will do special processing on the request.
The server-side sorting control (RFC 2891) is a commonly implemented control that is available in Active Directory. If a client specifies the sort control, the server will return search results sorted based on the attribute specified in the control. Listing 3.7 is an example of using the server-side sort control with Net::LDAP to return all user objects sorted by their cn attribute.
Listing 3.7 Using the Server-Side Sort with Net::LDAP Returns All Objects Sorted by Their cn Attribute
use Net::LDAP;
use Net::LDAP::Control;
use Net::LDAP::Constant qw( LDAP_CONTROL_SORTREQUEST );

$ldap = Net::LDAP->new('dc1.xyz.com') or die "Could not connect: $@";
$mesg = $ldap->bind('administrator@xyz.com', password => 'foobar');
die $mesg->error if $mesg->code;

# Ask the server to sort the result set by cn before returning it
$sort = Net::LDAP::Control->new( LDAP_CONTROL_SORTREQUEST, order => 'cn' );

$search = $ldap->search( base    => "cn=users,dc=xyz,dc=com",
                         scope   => "subtree",
                         filter  => "(&(objectClass=user)(objectCategory=Person))",
                         control => [ $sort ] );
die $search->error if $search->code;

print $entry->get_value('cn'), "\n" foreach $entry ($search->entries);
$ldap->unbind;
The page control (RFC 2696) is another useful control available in Active Directory. Paging allows the client to control the rate at which data is returned from searches. Without paging enabled, clients cannot retrieve more objects than the administrative limit for the server (default is 1,000).
Microsoft implemented fifteen controls within Active Directory. Some of these include the server-side sorting and paged results previously mentioned, along with tree delete and cross-domain object move, just to name a couple more. For a complete list of controls implemented within Active Directory, see Appendix C. The list of supported controls, in OID format, is also available in the supportedControl attribute of the RootDSE.
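Because the RootDSE advertises its controls only as OIDs, a client (or an administrator auditing what a domain controller exposes) has to map them back to names. The following Python is an added example, not code from the book: it parses a RootDSE entry in LDIF form and reports which of the controls discussed in this chapter the server supports. The LDIF is constructed sample output, the OID-to-name table covers only the Active Directory controls named on this page plus the show-deleted control, and the OID ending in .9999 is a made-up value standing in for a control the table does not know.

```python
# Added example (not from the book): decode the supportedControl attribute of an
# Active Directory RootDSE, as returned in LDIF, into human-readable control names.
import re

# OIDs of Active Directory LDAP controls (well-known values).
KNOWN_CONTROLS = {
    "1.2.840.113556.1.4.319": "Paged results (RFC 2696)",
    "1.2.840.113556.1.4.473": "Server-side sort request (RFC 2891)",
    "1.2.840.113556.1.4.474": "Server-side sort response (RFC 2891)",
    "1.2.840.113556.1.4.805": "Tree delete",
    "1.2.840.113556.1.4.521": "Cross-domain object move",
    "1.2.840.113556.1.4.528": "Change notification",
    "1.2.840.113556.1.4.841": "DirSync",
    "1.2.840.113556.1.4.417": "Show deleted objects",
}

# Constructed sample: what an LDIF dump of the RootDSE might look like.
# 1.2.840.113556.1.4.9999 is a placeholder for an OID the table does not know.
SAMPLE_ROOTDSE_LDIF = """\
dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.9999
highestCommittedUSN: 12345
"""


def parse_ldif_attrs(ldif_text):
    """Parse a single LDIF entry into {attribute: [values]}.

    Handles LDIF line folding (a continuation line starts with one space).
    Base64 values ("attr:: ...") are not decoded, which is fine for OIDs.
    """
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    attrs = {}
    for line in unfolded:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def supported_controls(ldif_text):
    """Return {oid: name} for every OID listed in supportedControl.

    Unknown OIDs are kept with the label 'unknown' so that nothing the server
    advertises is silently dropped from an audit report.
    """
    attrs = parse_ldif_attrs(ldif_text)
    result = {}
    for oid in attrs.get("supportedControl", []):
        if not re.fullmatch(r"\d+(\.\d+)+", oid):
            raise ValueError("malformed OID: %r" % oid)
        result[oid] = KNOWN_CONTROLS.get(oid, "unknown")
    return result


def has_control(ldif_text, oid):
    """True when the RootDSE advertises the given control OID."""
    return oid in supported_controls(ldif_text)


if __name__ == "__main__":
    for oid, name in sorted(supported_controls(SAMPLE_ROOTDSE_LDIF).items()):
        print("%-28s %s" % (oid, name))
```

Checking for a control before sending it matters because a server that does not recognize a control marked critical will reject the whole operation, while a non-critical unknown control is silently ignored; a client that reads supportedControl first can fail early with a clear message instead.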
Listing 3.8 is a combination of the server-side sort and page controls that return all the user objects, 100 at a time, sorted by their last name (sn attribute).
Listing 3.8 Combining the Server-Side Sort and Page Controls to Return 100 Objects at a Time
use Net::LDAP;
use Net::LDAP::Control;
use Net::LDAP::Constant qw( LDAP_CONTROL_PAGED LDAP_CONTROL_SORTREQUEST );

$base_dn = "dc=xyz,dc=com";

# Port 3268 is the Global Catalog port
$ldap = Net::LDAP->new('dc1.xyz.com', port => 3268) or die "Could not connect: $@";
$mesg = $ldap->bind('administrator@xyz.com', password => 'password');
die $mesg->error if $mesg->code;

$page = Net::LDAP::Control->new( LDAP_CONTROL_PAGED, size => 100 );
$sort = Net::LDAP::Control->new( LDAP_CONTROL_SORTREQUEST, order => 'sn' );

@args = ( base    => "cn=users,$base_dn",
          scope   => "subtree",
          filter  => "(&(objectClass=user)(objectCategory=Person))",
          control => [ $sort, $page ] );

while (1) {
    $mesg = $ldap->search( @args );
    die $mesg->error if $mesg->code;
    print "Count: ", $mesg->count, "\n";
    foreach $entry ($mesg->entries) {
        print $entry->get_value('cn'), "\n";
    }
    # The server answers with its own paged-results control; its cookie names the
    # next page and must be sent back on the next search. An empty cookie means
    # the last page has been delivered.
    ($resp) = $mesg->control( LDAP_CONTROL_PAGED ) or last;
    last unless $page->cookie($resp->cookie);
}
$ldap->unbind;
Referrals
An important feature called referrals was added in the LDAP v3 specification. Referrals are used by servers to direct clients to an alternate location when the server cannot process the request itself. This is sometimes seen in Active Directory when a search is performed for a domain naming context that the server does not hold. Most LDAP clients provide an option to automatically chase referrals when they are returned.
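A referral is a list of LDAP URLs (RFC 4516 format: ldap://host:port/dn?attributes?scope?filter), and chasing one means opening a new connection to whatever host the URL names and usually binding to it again with the same credentials. The following Python is an added example, not from the book: it parses such URLs and follows only those whose host lies inside the forest's own DNS namespace. The referral URLs, the trusted suffix .xyz.com, and the host untrusted.example.net are all constructed for the example; the hostname check is this example's own policy, not something the LDAP specification prescribes.

```python
# Added example (not from the book): parse LDAP referral URLs (RFC 4516) and
# decide which of them a client should chase. Sample data is constructed.
from urllib.parse import unquote

# Assumption for this example: the forest's DNS namespace.
TRUSTED_SUFFIXES = (".xyz.com",)

# Constructed: the kind of referral a DC returns for a child-domain naming
# context it does not hold, plus one URL pointing outside the forest.
SAMPLE_REFERRAL = [
    "ldap://child.xyz.com/dc=child,dc=xyz,dc=com",
    "ldap://dc7.child.xyz.com:389/dc=child,dc=xyz,dc=com??sub?(objectClass=user)",
    "ldap://untrusted.example.net/dc=child,dc=xyz,dc=com",
]


def parse_ldap_url(url):
    """Split an LDAP URL into its RFC 4516 components.

    urllib cannot be used directly because '?' separates fields rather than
    starting a query string. Bracketed IPv6 hosts are not handled here.
    """
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    hostport, _, tail = rest.partition("/")
    if ":" in hostport:
        host, port = hostport.rsplit(":", 1)
        port = int(port)
    else:
        host, port = hostport, (636 if scheme == "ldaps" else 389)
    # dn ? attributes ? scope ? filter (? extensions, ignored here)
    fields = tail.split("?")
    fields += [""] * (4 - len(fields))
    dn, attrs, scope, filt = (unquote(f) for f in fields[:4])
    return {
        "scheme": scheme,
        "host": host.lower(),
        "port": port,
        "dn": dn,
        "attributes": [a for a in attrs.split(",") if a],
        "scope": scope or "base",               # RFC 4516 default
        "filter": filt or "(objectClass=*)",    # RFC 4516 default
    }


def referral_is_trusted(url):
    """True only when the referral host is a fully qualified name inside one
    of the trusted DNS suffixes; bare names and empty hosts are refused."""
    host = parse_ldap_url(url)["host"]
    if not host or "." not in host:
        return False
    return any(host.endswith(suffix) for suffix in TRUSTED_SUFFIXES)


def referrals_to_follow(urls):
    """Filter a referral's URL list down to the ones worth chasing."""
    return [u for u in urls if referral_is_trusted(u)]


if __name__ == "__main__":
    for u in SAMPLE_REFERRAL:
        print("%-75s %s" % (u, "follow" if referral_is_trusted(u) else "skip"))
```

The suffix test requires the leading dot, so a host such as notxyz.com or xyz.com.example.net does not match. Automatic referral chasing in a client library applies no such check, which is why the option should be switched on only for connections that will never hand a bind to a host outside the forest.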
Change Notification and DirSync
Microsoft implemented two LDAP controls to help track changes within Active Directory. The change notification control is used by issuing a persistent asynchronous search against Active Directory; the server then sends a message to the client whenever it sees a change to an object that matches the predefined search filter. The DirSync control allows a client to retrieve the changes that have occurred since the last DirSync operation was performed. DirSync is geared more toward polling for changes, unlike change notification, which maintains a persistent connection and notifies the client as changes happen.
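The DirSync exchange is easiest to see with both sides in one place. The following Python is an added example, not from the book: a small simulation of a domain controller answering DirSync requests, and a client that polls it three times. The simulated server tracks a uSNChanged watermark per object and keeps a tombstone for deleted objects, which is how Active Directory makes deletions visible to DirSync; the cookie encoding and the rule that a cookie from another DC instance is rejected are this example's own simplifications (real DirSync cookies are opaque blobs that the client stores and returns unchanged). All object names and the invocation id are constructed.

```python
# Added example (not from the book): a simulation of the DirSync request/response
# cycle, showing what the opaque cookie buys a polling client. The server side is
# a constructed stand-in for a domain controller, not real AD wire behaviour.
import base64
import json


class SimulatedDC:
    """Directory with a per-object uSNChanged watermark.

    Deleting an object leaves a tombstone (isDeleted: TRUE) with a fresh USN,
    so a DirSync poll after the delete still reports it.
    """

    def __init__(self, invocation_id):
        self.invocation_id = invocation_id
        self.usn = 1000
        self.objects = {}   # dn -> {"attrs": {...}, "usn": int, "deleted": bool}

    def _bump(self):
        self.usn += 1
        return self.usn

    def write(self, dn, attrs):
        obj = self.objects.setdefault(dn, {"attrs": {}, "usn": 0, "deleted": False})
        obj["attrs"].update(attrs)
        obj["deleted"] = False
        obj["usn"] = self._bump()

    def delete(self, dn):
        obj = self.objects[dn]
        obj["deleted"] = True
        obj["usn"] = self._bump()

    def dirsync(self, cookie):
        """Return (changed_objects, new_cookie).

        An empty cookie means "everything", which is what a client's very first
        poll (a full synchronization) sends. The cookie format here (base64 of
        JSON carrying invocationId and USN) is an assumption for this example.
        """
        last_usn = 0
        if cookie:
            state = json.loads(base64.b64decode(cookie))
            if state["invocationId"] != self.invocation_id:
                raise ValueError("cookie from a different DC instance; full resync needed")
            last_usn = state["usn"]
        changes = []
        for dn, obj in sorted(self.objects.items(), key=lambda kv: kv[1]["usn"]):
            if obj["usn"] > last_usn:
                entry = dict(obj["attrs"], dn=dn, uSNChanged=obj["usn"])
                if obj["deleted"]:
                    entry["isDeleted"] = "TRUE"
                changes.append(entry)
        new_cookie = base64.b64encode(
            json.dumps({"invocationId": self.invocation_id, "usn": self.usn}).encode()
        ).decode()
        return changes, new_cookie


def run_polls():
    """Drive three DirSync polls against the simulated DC; return what each saw."""
    dc = SimulatedDC("constructed-invocation-id")
    dc.write("cn=alice,cn=users,dc=xyz,dc=com", {"sn": "Anders"})
    dc.write("cn=bob,cn=users,dc=xyz,dc=com", {"sn": "Baker"})

    first, cookie = dc.dirsync("")                  # full sync: both objects
    dc.write("cn=bob,cn=users,dc=xyz,dc=com", {"sn": "Barker"})   # a modify
    dc.delete("cn=alice,cn=users,dc=xyz,dc=com")                  # a delete
    second, cookie = dc.dirsync(cookie)             # only those two changes
    third, cookie = dc.dirsync(cookie)              # nothing new since
    return first, second, third


if __name__ == "__main__":
    for n, batch in enumerate(run_polls(), 1):
        print("poll %d:" % n, [(e["dn"], e.get("isDeleted", "")) for e in batch])
```

Two points the simulation makes concrete: the client must persist the cookie between polls, because losing it forces a full sync on the next request, and deleted objects come back as tombstones rather than disappearing, so consumers have to look at isDeleted. In real Active Directory, a DirSync search also requires the Replicating Directory Changes permission on the naming context being polled, which is worth granting to a dedicated account rather than running the poller as an administrator.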