ldapid ldap_open( string host [, int port [, boolean trace]] )
ldap_open opens a connection to the LDAP server on the specified host (identified by hostname or IP address) and port number. The default port number is 389. Use the returned LDAP connection ID as the first parameter to the other LDAP functions.
If the optional trace parameter is set to true, any errors or warnings from the LDAP function are written to stdout.
If successful, it returns a valid LDAP connection ID; otherwise it returns an undefined variable.
The ldap_open library function has been deprecated in the open LDAP libraries. If supported by the installed LDAP library, the ldap_open policy function calls ldap_initialize in preference to ldap_open. However, ldap_initialize does not open the connection - the connection is opened by the first operation attempted, so ldap_initialize will succeed even if given an invalid host name. The ldap_open policy function displays the loaded LDAP library path if a value of 1 is passed as the trace parameter to ldap_open. This makes it easier to determine which LDAP library is used.
ldap = ldap_open( 'ldap.host' );
if( !defined ldap ){
reject "Connection to LDAP server failed" ;
} ldapresult ldap_search(int ldapid, string basedn, string scope, string filter [, list attrList [, int attrOnly[, boolean trace]]] )
ldap_search performs a search in the LDAP directory starting at the location identified by basedn. The ldapid is a valid connection ID returned by ldap_open.
The optional attrList parameter is the list of attributes to return in the results. This defaults to an empty list. The filter contains the LDAP search string, in the format described in RFC 4526.
The optional attrOnly parameter is a true or false value. When true, the results contain only the attribute; when false the results return attributes and values. Default setting is true.
Possible search scope:
If the optional trace parameter is set to true, any errors or warnings from the LDAP function are written to stdout.
Returns a special type ldapresult containing the results of the search in a format that you can pass to the ldap_first_entry and ldap_next_entry functions.
#search for all Users at base level
searchresults= ldap_search( ldapid, "ou=Users,dn=ldap,dn=domain,dn=com",
'onelevel', '(objectClass=*)' );
if (ldap_count_results(ldapid, searchresults) == 0)
{
reject "Found no users";
}ldap_unbind (int ldapid[, boolean trace] )
ldap_unbind closes the LDAP connection and frees all associated resources. The ldapid must be a valid LDAP connection returned by ldap_open.
If the optional trace parameter is set to true, any errors or warnings from the LDAP function are written to stdout.
ldapid = ldap_open( 'ldap.host' );
if( defined ldapid ){
rc=ldap_bind(ldapid, "cn=admin", "Secretpassword");
if ((defined rc) && (rc == 0)){
rc=func_search_for_user(ldapid);
ldap_unbind(ldapid);
}
}The pmpolicy language supports the use of LDAP calls to obtain data on the following platforms:
The pmpolicy LDAP functions follow, as closely as possible, the API outlined in RFC 1823 to ensure compatibility and ease of understanding.
The feature_enabled() function indicates whether the LDAP functions are available on a particular policy server.
The following example illustrates the use of the LDAP functions.
if (!feature_enabled(FEATURE_LDAP) {
print("LDAP support is not available on this policy server");
} else {
ld_user = "cn=Directory Manager";
ld_passwd = "password";
ld_host = "ldapserver";
BASEDN="ou=People,dc=skynet,dc=local";
SCOPE="onelevel";
FILTER="(objectClass=*)";
ATTRLIST={};
ATTRONLY=false;
print( "LDAP Server: " + ld_host );
print( " User DN: " + ld_user );
print( " Password: " + ld_passwd );
print( "" );
print( " Base DN: " + BASEDN );
print( " Scope: " + SCOPE );
print( " Filter: " + FILTER );
print( "" );
# Open a connection to the directory server
ldapid = ldap_open( ld_host );
if( ldapid < 0 ) {
print( "ldap_open failed" );
reject;
}
# bind to the directory
rc = ldap_bind( ldapid, ld_user, ld_passwd );
if( rc==0 ) {
# perform the search
ld_results = ldap_search( ldapid, BASEDN, SCOPE, FILTER, ATTRLIST, ATTRONLY );
if( ld_results >= 0 ) {
# how many results have been returned?
num = ldap_count_entries( ldapid, ld_results );
str = sprintf( "Num results = %d", num );
print(str);
print("");
print("RESULTS");
print("");
if( num>0 ) {
# Grab the first entry from the results
lentry = ldap_first_entry( ldapid, ld_results );
while( lentry ) {
# print the DN
dn = ldap_get_dn( ldapid, ld_results );
print("---- START OF ENTRY (" + dn + ") ----");
e = ldap_explode_dn( dn );
print( " Exploded DN: " + join( e, ', ' ) );
e = ldap_explode_dn( dn, 1 );
print( "Exploded DN, no type names: " + join( e, ', ' ) );
print( " User Friendly form: " + ldap_dn2ufn( dn ) );
print("");
oc = ldap_get_values( ldapid, lentry, "objectClass" );
if( "inetorgperson" in oc ) {
gn = ldap_get_values( ldapid, lentry, "givenname" );
sn = ldap_get_values( ldapid, lentry, "sn" );
print( " Found a person, Name = " + gn[0] + " " + sn[0] );
}
attrs = ldap_get_attributes( ldapid, lentry );
print( "Attributes: " + join(attrs, ", ") );
# Move through each attibute for the entry
attr = ldap_first_attribute( ldapid, lentry );
while( attr != '' ) {
print(" ATTR: " + attr );
# Print the values for the given attribute
values = ldap_get_values( ldapid, lentry, attr );
print( " VALUES = { " + join(values, ", ") + " }" );
# move to the next attibute
attr = ldap_next_attribute( ldapid, lentry );
}
# move to the next entry
lentry = ldap_next_entry( ldapid, ld_results );
print("---- END OF ENTRY (" + dn + ") ---- ");
print("");
}
print("");
}
print("-- END OF RESULTS --");
}
} else {
print( "ldap_bind failed" );
reject;
}
rc = ldap_unbind( ldapid );
str = sprintf( "rc = %d", rc );
print(str);
}
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Conditions d’utilisation Confidentialité Cookie Preference Center