Original URL: https://www.theregister.com/2008/02/18/ldap_php/

Build a directory service for web-based services

OpenLDAP for the people

By Deepak Vohra

Posted in Channel, 18th February 2008 06:02 GMT

Hands on A directory service is an application that lets you store, retrieve and modify information about network-attached resources such as users.

If you want to keep a directory of company employees, for example, you would put that information in a directory service rather than have each application query a database directly. A directory service runs inside a directory server, which itself keeps the data in a database.

Directory servers are equally useful online, for use in web-based services like social networks.

In this article I shall create a directory service using PHP, one of the internet's most popular scripting languages, and OpenLDAP directory server - part of the ubiquitous OpenLDAP suite used in Linux distributions and vendors' software.

I have picked OpenLDAP because it's an open source package, meaning the code is easy to grab and use, and because it's easier to install and use than commercial directory servers such as Oracle Internet Directory server or IBM's Tivoli directory server.

Get up to speed

First, some basic - but essential - orientation. As I mentioned, the actual user data is stored in a database - a directory service is an abstract layer that sits on top of the database.

Lightweight Directory Access Protocol (LDAP) is the protocol for talking to a directory service. It defines operations for adding, searching, modifying and deleting directory entries, and for binding (authenticating) to the server. A "directory entry" is a set of attributes identified by a Distinguished Name (DN) that is unique within the directory. Each of an entry's attributes has a type and one or more values.

Some examples of attribute types are discussed in the following table:

Attribute type   Description
o                Organization
dc               Domain component
ou               Organizational unit
cn               Common name
uid              User ID
mail             Email address
dn               Distinguished name (names the entry as a whole rather than being an attribute stored in it)

A DN is a sequence of Relative Distinguished Names (RDNs), read from right to left: the right-most components name the base entry, each further component to the left names one level down the tree, and the left-most component is the RDN that distinguishes the entry among its siblings under its parent. An example of a DN is as follows.

cn=dvohra,dc=example,dc=com

In this example, the base entry/root is dc=example,dc=com, and the RDN is cn=dvohra.

Ok, now let's get started. First, install Apache HTTP Server 2.2 and PHP 5.2. Enable the PHP LDAP extension in the php.ini configuration file (php_ldap.dll is the Windows build; on Linux the module is ldap.so).

extension=php_ldap.dll

Install OpenLDAP

Download and install OpenLDAP for the Windows operating system. Also install LDAP Browser/Editor. Specify the following directives in the C:\Program Files\OpenLDAP\slapd.conf file (this is the legacy text configuration; OpenLDAP 2.3 and later can also be configured through the cn=config backend). Note that rootpw as shown is the directory manager's password in cleartext: in practice store the hash produced by the slappasswd tool instead, and keep the file readable only by the account slapd runs as.

database   bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          netldap
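A hardened version of the configuration above, added here as an example rather than taken from the article. It assumes a server certificate, an ou=members container for the entries the web application manages, and a cn=webapp service account under ou=services for it to bind as; those names and the certificate paths are assumptions. The other directives in the shipped slapd.conf (schema includes, the bdb directory) stay as they are.

```conf
# Hardened variant of the article's slapd.conf (added example, not from the article).
# Assumed: certificate paths, the ou=members container and the cn=webapp service
# account; the remaining directives of the shipped file (includes, directory) stay as shipped.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# Hash produced by: slappasswd -s <password>  (never the cleartext value)
rootpw          {SSHA}<output of slappasswd>

# Offer StartTLS on 389 (or ldaps:// on 636) so bind passwords are not sent in the clear
TLSCACertificateFile    C:\OpenLDAP\certs\ca.pem
TLSCertificateFile      C:\OpenLDAP\certs\slapd.pem
TLSCertificateKeyFile   C:\OpenLDAP\certs\slapd-key.pem
# Refuse every operation, binds included, on a connection weaker than 128-bit TLS
security        ssf=128
disallow        bind_anon

# Passwords: a user may change their own, anyone may authenticate against it,
# nobody else (the web app included) may read it. This rule must come before
# the general rules because the first matching "access to" clause wins.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
# The web application may write only inside ou=members
access to dn.subtree="ou=members,dc=example,dc=com"
        by dn.exact="cn=webapp,ou=services,dc=example,dc=com" write
        by users read
        by * none
access to *
        by users read
        by * none
```

With security ssf=128 in place every client, ldapadd included, has to negotiate TLS before it may bind, so the ldapadd command used to load the base entry needs the -ZZ flag (start TLS and fail if it cannot be established).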

Start (or restart) the OpenLDAP directory service, or run slapd directly in the foreground at debug level 1 so that configuration errors are visible:

C:\Program Files\OpenLDAP> .\slapd -d 1

LDAP entries are represented in LDAP Data Interchange Format (LDIF). Create the base entry using an LDIF file, baseentry.ldif, and the ldapadd tool. The -x flag selects a simple bind (without it the OpenLDAP 2.x tools attempt a SASL bind). Prefer -W, which prompts for the password, over -w netldap, which leaves the password in the shell history and the process list.

C:\Program Files\OpenLDAP>ldapadd -x -D "cn=Manager,dc=example,dc=com" -v -w netldap -f baseentry.ldif
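The article does not show baseentry.ldif. The file below is an added example, not the author's: the first record is the base entry the ldapadd command loads; the remaining records (the ou=members and ou=services containers, and a cn=webapp service account the web scripts can bind as instead of the rootdn) are assumptions of this example rather than part of the original.

```ldif
# baseentry.ldif (added example). First record: the base entry the article creates.
# The records after it are assumptions of this example, not from the article.
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example

# Container for the PHPNetwork member entries
dn: ou=members,dc=example,dc=com
objectClass: organizationalUnit
ou: members

# Container for service accounts
dn: ou=services,dc=example,dc=com
objectClass: organizationalUnit
ou: services

# Least-privilege account for the web application; the person class allows
# userPassword. Generate the {SSHA} hash with slappasswd, never store cleartext.
dn: cn=webapp,ou=services,dc=example,dc=com
objectClass: person
cn: webapp
sn: service account
userPassword: {SSHA}<output of slappasswd>
```

All four records are loaded by the single ldapadd run above; ldapadd stops at the first record the server rejects, so an objectClass or attribute that the loaded schema does not define shows up as an error on that record.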

Double click on the lbe.bat file to start the LDAP Browser, which displays the base directory entry. Directory entries may be added to the base entry.

[Figure: Base directory entry]

Create a directory entry

Next, we shall create directory entries in the OpenLDAP LDAP server. Let's, for our example, create a directory of members of a social network of PHP developers, PHPNetwork. We shall use the following dn as the root/base DN.

dc=example,dc=com

The objectClass attribute specifies the entry's type and, through the schema, which attributes are required and which are optional. More than one object class may be listed, and object classes form a hierarchy in which each class inherits the required and optional attributes of its parent. The object classes supported by the OpenLDAP server are defined in the C:\Program Files\OpenLDAP\schema\core.schema file (and in any further schema files slapd.conf includes). We shall create entries using the top, person and organizationalPerson object classes. The abstract top class has no required attributes. person requires cn and sn. organizationalPerson adds no required attributes of its own; among its optional attributes are title, telephoneNumber, postalCode and postalAddress. Because cn is used as the RDN below it must be unique among the members; a real user directory would normally use uid for that purpose.

Create an HTML page, addEntry.html, to input a directory entry's values. Create a PHP script, add_entry.php. Connect with the OpenLDAP LDAP server using ldap_connect() .

$ldaphost = "localhost";  
$ldapport = 389;               
$ldapconn = ldap_connect($ldaphost, $ldapport);

The ldap_connect() function only records the connection parameters and returns a connection resource; the TCP connection is made on the first operation. Port 389 carries everything, the bind password included, in cleartext unless TLS is negotiated, so for anything beyond a local test pass an ldaps:// URI to ldap_connect() or call ldap_start_tls() before binding. Set the LDAP protocol version to three using LDAP_OPT_PROTOCOL_VERSION; OpenLDAP expects version 3 and StartTLS requires it.

ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);

Next, bind to the LDAP server using the connection resource in ldap_bind(). The script binds as the rootdn; a web script holding the directory manager's password can read and rewrite every entry, so in practice create a dedicated account with only the access it needs and bind as that. Check the return value: ldap_bind() returns false on failure, and an empty password results in an anonymous bind rather than an error.

$r = ldap_bind($ldapconn, "cn=Manager,dc=example,dc=com", "netldap");

Create a directory entry variable consisting of an array of attributes. For example, the cn attribute is specified as follows.

$directory_entry["cn"]=$_GET['cn'];

In the directory entry for a PHPNetwork member we shall be setting the attributes cn, sn, title, postalCode, and postalAddress. If an attribute has more than one value, the values are given as a nested indexed array, as for the objectclass attribute. The indices must run consecutively from zero: the PHP LDAP extension rejects a value array with a gap, so skipping from [1] to [3] makes ldap_add() fail.

$directory_entry["objectclass"][0]="top";
$directory_entry["objectclass"][1]="person";
$directory_entry["objectclass"][2]="organizationalPerson";

Specify the DN of the directory entry to be added. The cn supplied by the client is spliced straight into the DN here; a value containing a comma, plus sign or equals sign would change which entry is addressed, so validate it against a whitelist (and, on PHP 5.6 or later, escape it with ldap_escape() using LDAP_ESCAPE_DN) before use.

$dn="cn=".$_GET['cn'].",dc=example,dc=com";

Add the directory entry to the LDAP directory using ldap_add().

$r=ldap_add($ldapconn, $dn, $directory_entry);
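The complete script, as an added example rather than the article's own add_entry.php. It differs from the steps above in four ways: it binds as a dedicated cn=webapp account (an assumption of this example) with the password taken from the environment, negotiates StartTLS before binding, whitelists and escapes the cn before building a DN from it, and copies only known attributes from the form. It assumes PHP 5.6 or later for ldap_escape(), an ou=members container, the host ldap.example.com and a form that submits with POST; run from the command line it uses constructed sample input.

```php
<?php
// add_entry.php, hardened (added example, not the article's script).
// Assumptions: StartTLS on the server, a cn=webapp service account with write access
// to ou=members,dc=example,dc=com, PHP >= 5.6 for ldap_escape(), a form that POSTs.

const LDAP_URI    = 'ldap://ldap.example.com';                 // assumed host
const MEMBER_BASE = 'ou=members,dc=example,dc=com';
const SERVICE_DN  = 'cn=webapp,ou=services,dc=example,dc=com';

// Open a connection, require protocol v3 and StartTLS, then bind as the service
// account. The password comes from the environment, not from the script.
function ldap_session($password)
{
    if ($password === false || $password === '') {
        // an empty password turns a simple bind into an anonymous one
        throw new RuntimeException('LDAP_WEBAPP_PASSWORD is not set');
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        throw new RuntimeException('bad LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!ldap_start_tls($conn)) {                // never send the password in the clear
        throw new RuntimeException('StartTLS failed: ' . ldap_error($conn));
    }
    if (!ldap_bind($conn, SERVICE_DN, $password)) {
        throw new RuntimeException('bind failed: ' . ldap_error($conn));
    }
    return $conn;
}

// Build the member's DN. The cn becomes part of the DN, so a value such as
// "x,ou=services" must not be concatenated raw: whitelist it, then escape it.
function member_dn($cn)
{
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $cn)) {
        throw new InvalidArgumentException('invalid cn');
    }
    return 'cn=' . ldap_escape($cn, '', LDAP_ESCAPE_DN) . ',' . MEMBER_BASE;
}

// Add one PHPNetwork member. Only known attributes are copied from $input;
// anything else the client sent is ignored. Returns the DN of the new entry.
function add_member($conn, array $input)
{
    if (empty($input['cn']) || empty($input['sn'])) {
        throw new InvalidArgumentException('cn and sn are required by the person object class');
    }
    $entry = array(
        'objectClass' => array('top', 'person', 'organizationalPerson'),
        'cn'          => $input['cn'],
        'sn'          => $input['sn'],
    );
    foreach (array('title', 'telephoneNumber', 'postalCode', 'postalAddress') as $attr) {
        if (isset($input[$attr]) && $input[$attr] !== '') {
            $entry[$attr] = $input[$attr];
        }
    }
    $dn = member_dn($input['cn']);
    if (!ldap_add($conn, $dn, $entry)) {
        // errno 68 (entryAlreadyExists) is a user error; anything else is a server problem
        throw new RuntimeException('ldap_add failed (' . ldap_errno($conn) . '): ' . ldap_error($conn));
    }
    return $dn;
}

// Entry point: form fields under Apache, constructed sample data on the command line.
$input = PHP_SAPI === 'cli'
    ? array('cn' => 'dvohra', 'sn' => 'Vohra', 'title' => 'PHP developer')
    : $_POST;
try {
    $conn = ldap_session(getenv('LDAP_WEBAPP_PASSWORD'));
    echo 'Added ' . htmlspecialchars(add_member($conn, $input), ENT_QUOTES, 'UTF-8') . "\n";
    ldap_unbind($conn);
} catch (Exception $e) {
    error_log($e->getMessage());                  // detail to the log, not to the client
    echo "Could not add entry\n";
}
```

The regular expression in member_dn() is stricter than the DN syntax requires; it is there so that the RDN never needs escaping in the first place, with ldap_escape() as a second line of defence if the whitelist is later relaxed. Error detail is written to the server log because ldap_error() strings can reveal the directory layout.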

Run addEntry.html in a browser. Specify a directory entry's values and click on Add Entry.

[Figure: Adding a directory entry]

The directory entries added to the OpenLDAP server get listed in the LDAP Browser.

[Figure: New directory entry]

Modify a directory entry

Create a PHP script, modify_entry.php, to modify a directory entry. Create a connection resource and bind with the LDAP directory. Create a directory entry variable consisting of an array of attributes with the modified values. For example, modify the "title" attribute value and the "telephoneNumber" attribute value. The attribute values are obtained from an input HTML form, modifyEntry.html.

$directory_entry["title"]=$_GET['title'];
$directory_entry["telephoneNumber"]=$_GET['telephoneNumber'];

A directory entry is identified with a distinguished name. Specify the dn of the directory entry to modify.

$dn="cn=".$_GET['cn'].",dc=example,dc=com";

Modify the directory entry with ldap_modify(). It replaces the values of each attribute named in the array (the same operation as ldap_mod_replace()); attributes not named in the array are left untouched. The web script can only change attributes the bound account may write, so an account limited to the member entries cannot be used to alter, say, userPassword on the Manager entry.

$r=ldap_modify($ldapconn,$dn, $directory_entry);

Run the input form to modify a directory entry in a browser. Specify the modified values and click on Modify Entry. The directory entry values should now be modified.

Search a directory entry

In this section we will use a PHTML (PHP embedded in HTML) script to search for a directory entry and display the result. Add the .phtml extension to the AddType configuration directive in httpd.conf file and restart Apache web server.

AddType application/x-httpd-php .php .phtml

Create a PHTML script, search_entry.phtml, and in it create a connection resource and bind with the directory server. Next, specify an array of the attributes to be retrieved; if the array is omitted, all attributes are returned.

$attribute_array=array("cn", "sn", "title", "telephoneNumber","postalCode","postalAddress");

Specify the base DN for the search. The cn attribute value is specified in an input form, searchEntry.html; as in the add script it is inserted into the DN unescaped, so validate it first.

$dn="cn=".$_GET['cn'].",dc=example,dc=com";

Specify a filter for the search. Because the base here is the entry itself, a filter that matches every entry is enough (ldap_read() would be the exact fit for fetching one known entry). Searching a wider base with a filter such as (cn=...) built from the input would require the value to be escaped with ldap_escape() and LDAP_ESCAPE_FILTER, otherwise a "(", ")" or "*" in the input rewrites the filter.

$filter = "(objectclass=*)";

Search the directory using ldap_search().

$sr=ldap_search($ldapconn,$dn, $filter, $attribute_array);

Retrieve the directory entries in the search result using ldap_get_entries().

$directory_entries= ldap_get_entries($ldapconn, $sr);

Create an HTML table to display the search result. Run the searchEntry.html page in a browser and enter a member's cn. The member information for that entry should now be displayed. (ldap_get_entries() returns a "count" element alongside the entries, and each attribute's values as a sub-array with its own "count"; skip those keys when building the table, and pass every value through htmlspecialchars() before echoing it into the page.)

[Figure: Search result]

A directory entry may be deleted using ldap_delete(), which takes the connection resource and the DN of the entry to remove.
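The same hardening applied to the modify, search and delete sections above, as one added example that is not the article's modify_entry.php or search_entry.phtml. It assumes $conn is a connection already bound over TLS as a service account with write access to ou=members,dc=example,dc=com, and PHP 5.6 or later for ldap_escape(). The entry to change or delete is located by searching for its cn under the members container with an escaped filter rather than by pasting the cn into a DN, and only a fixed set of attributes may be written. Run from the command line it only demonstrates the filter escaping, which needs no server.

```php
<?php
// Hardened modify / search / delete helpers (added example, not the article's code).
// Assumptions: $conn is bound over TLS as a service account with write access to
// ou=members,dc=example,dc=com; PHP >= 5.6 for ldap_escape(); inputs below are constructed.

const MEMBER_BASE = 'ou=members,dc=example,dc=com';

// Attributes a form may change. userPassword, objectClass and cn (the RDN) are
// deliberately absent: the client supplies values, never attribute names.
function writable_attrs()
{
    return array('title', 'telephoneNumber', 'postalCode', 'postalAddress');
}

// Filter for one member. ldap_escape() encodes "(", ")", "*", "\" and NUL, so a cn of
// "dvohra)(objectClass=*" cannot widen the filter to match every entry.
function member_filter($cn)
{
    return '(&(objectClass=person)(cn=' . ldap_escape($cn, '', LDAP_ESCAPE_FILTER) . '))';
}

// Resolve a member by cn under the members container, instead of searching a base
// DN assembled from client input. Returns the entry's attributes, or null when the
// cn matches no entry or more than one.
function find_member($conn, $cn)
{
    $attrs = array('cn', 'sn', 'title', 'telephoneNumber', 'postalCode', 'postalAddress');
    $sr = ldap_search($conn, MEMBER_BASE, member_filter($cn), $attrs);
    if ($sr === false) {
        throw new RuntimeException('search failed: ' . ldap_error($conn));
    }
    if (ldap_count_entries($conn, $sr) !== 1) {
        return null;
    }
    $entry  = ldap_first_entry($conn, $sr);
    $member = array('dn' => ldap_get_dn($conn, $entry));
    foreach (ldap_get_attributes($conn, $entry) as $name => $values) {
        if (is_array($values)) {           // skips the 'count' element and the numeric index keys
            $member[$name] = $values[0];   // first value; these attributes are single-valued here
        }
    }
    return $member;
}

// Replace the values of whitelisted attributes on an existing member. ldap_mod_replace()
// does what ldap_modify() does but names the operation; an empty string removes the attribute.
function update_member($conn, $cn, array $input)
{
    $member = find_member($conn, $cn);
    if ($member === null) {
        throw new InvalidArgumentException('no such member');
    }
    $changes = array();
    foreach (writable_attrs() as $attr) {
        if (array_key_exists($attr, $input)) {
            $changes[$attr] = $input[$attr] === '' ? array() : array($input[$attr]);
        }
    }
    if ($changes !== array() && !ldap_mod_replace($conn, $member['dn'], $changes)) {
        throw new RuntimeException('modify failed: ' . ldap_error($conn));
    }
    return $member['dn'];
}

// Delete a member, again resolving the DN through the search rather than trusting one
// built from client input. Returns false when there is no such member.
function delete_member($conn, $cn)
{
    $member = find_member($conn, $cn);
    if ($member === null) {
        return false;
    }
    if (!ldap_delete($conn, $member['dn'])) {
        throw new RuntimeException('delete failed: ' . ldap_error($conn));
    }
    return true;
}

// Offline demonstration of the escaping; needs the ldap extension but no server.
if (PHP_SAPI === 'cli') {
    foreach (array('dvohra', 'dvohra)(objectClass=*', '*') as $cn) {   // constructed inputs
        echo str_pad($cn, 24) . ' => ' . member_filter($cn) . "\n";
    }
}
```

ldap_escape() with LDAP_ESCAPE_FILTER turns "(", ")", "*", "\" and NUL into their \28, \29, \2a, \5c and \00 forms, so an input of dvohra)(objectClass=* yields a filter that matches only an entry whose cn is literally that string (there is none) instead of every person in the directory, and a bare * no longer acts as a wildcard. find_member() also refuses to proceed when the cn is ambiguous, which closes the gap left by using cn rather than uid as the RDN.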

That's it. You now know how to create a directory service for users of an online service, such as a social network, using PHP with OpenLDAP.®