There are several software libraries currently available for developing LDAP clients. Netscape's LDAP C SDK and the University of Michigan LDAP C tool library (http://www.umich.edu/~dirsvcs/ldap) can be used to develop LDAP stand-alone client applications. Web-based LDAP clients can be developed either as Java applets with the Netscape Java SDK for LDAP or as COM objects with Microsoft ASP (Active Server Pages) and the ADSI (Active Directory Service Interfaces) COM library.
The Netscape SDKs
The Netscape C SDK
The Netscape C LDAP SDK provides a set of APIs for LDAP clients on Unix, Mac OS, and Microsoft Windows. The following core LDAP operations are supported by the library and documented in RFC 1823 [6]:
- interrogation: search and compare entries in the directory
- update: create, delete, and modify entries, and modify an entry's RDN
- connection and authentication: bind to and unbind from the directory service, and abandon an operation still in progress
Search operations return a list of entries selected by client-supplied parameters: the search base (the entry at which the search starts, similar to the SQL FROM clause), the scope (how far below the base to look: the base entry only, its immediate children, or the whole subtree), the search filter (similar to the SQL WHERE clause), and the attributes to return (similar to the SQL SELECT clause). It is also possible to limit the number of returned entries and the time allocated for the search. Because the filter is a string assembled by the client, any value taken from user input must be escaped according to the filter syntax of RFC 2254 (the characters *, (, ), \ and NUL); otherwise the user can alter the meaning of the filter, the LDAP counterpart of SQL injection.
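The following is an added example, not code from the article or from the Netscape SDK: a small in-memory model of an LDAP search that exercises the four parameters just described (base, scope, filter, attribute list) plus a size limit, and shows what happens when a user-supplied value is spliced into the filter with and without RFC 2254 escaping. The filter grammar and escape sequences follow RFC 2254; the scope constants use the numeric values the C SDK's ldap.h assigns them; DIRECTORY is constructed sample data and all function names are this example's own.

```python
"""Added example (not from the Netscape SDK or the article): an in-memory model of an
LDAP search, showing the base, scope, filter and attribute-list parameters named above
plus a size limit, and why a filter built from user input must be escaped.  The filter
grammar and the escapes for '*', '(', ')', '\\' and NUL follow RFC 2254.  DIRECTORY is
constructed sample data; the function names are this example's own."""
import re

# Search scopes with the numeric values the C SDK's ldap.h assigns them.
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2
# RFC 2254 section 4: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape a user-supplied value so the filter matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def uid_filter(uid):
    """Filter for one person by uid with the value escaped (safe form)."""
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(uid)

def unsafe_uid_filter(uid):
    """Same filter with the raw value spliced in: the injection-prone form."""
    return "(&(objectClass=person)(uid=%s))" % uid

def _parse(s, i=0):
    """Parse the filter starting at s[i] and return (node, index after it)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i:i + 1] in ("&", "|"):            # (&(f)(g)...) or (|(f)(g)...)
        op, subs, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            sub, i = _parse(s, i)
            subs.append(sub)
        node = (op, subs)
    else:                                   # (attr=value); '*' in value is a wildcard
        j = s.index("=", i)
        k = s.index(")", j)                 # a literal ')' in a value arrives as \29
        node, i = ("=", s[i:j], s[j + 1:k]), k
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1

def _value_regex(value):
    """Unescaped '*' is a wildcard; \\xx escapes become literal characters."""
    unescape = lambda p: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p)
    parts = [re.escape(unescape(p)) for p in value.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)

def _match(node, entry):
    if node[0] == "&":
        return all(_match(n, entry) for n in node[1])
    if node[0] == "|":
        return any(_match(n, entry) for n in node[1])
    _, attr, value = node
    rx = _value_regex(value)
    return any(rx.match(v) for v in entry.get(attr.lower(), []))

def in_scope(dn, base, scope):
    """Apply the scope: the base entry only, its immediate children, or the subtree."""
    dn, base = dn.lower(), base.lower()
    if scope == SCOPE_BASE:
        return dn == base
    if scope == SCOPE_ONELEVEL:
        return "," in dn and dn.split(",", 1)[1] == base
    return dn == base or dn.endswith("," + base)

def search(directory, base, scope, filt, attrs=None, sizelimit=0):
    """Return [(dn, attributes)] as ldap_search_s would, stopping at sizelimit."""
    tree, _ = _parse(filt)
    results = []
    for dn, entry in directory.items():
        if in_scope(dn, base, scope) and _match(tree, entry):
            results.append((dn, {a: v for a, v in entry.items() if not attrs or a in attrs}))
            if sizelimit and len(results) >= sizelimit:
                break
    return results

# Constructed sample directory; attribute names are stored lower-case.
DIRECTORY = {
    "dc=example,dc=com": {"objectclass": ["dcObject"], "dc": ["example"]},
    "ou=people,dc=example,dc=com": {"objectclass": ["organizationalUnit"], "ou": ["people"]},
    "uid=alice,ou=people,dc=example,dc=com": {"objectclass": ["person"], "uid": ["alice"], "cn": ["Alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectclass": ["person"], "uid": ["bob"], "cn": ["Bob"]},
}

if __name__ == "__main__":
    base = "dc=example,dc=com"
    print(search(DIRECTORY, base, SCOPE_SUBTREE, uid_filter("alice"), ["cn"]))
    # A user who types '*' as the uid: unescaped it matches every person, escaped it matches none.
    print(len(search(DIRECTORY, base, SCOPE_SUBTREE, unsafe_uid_filter("*"))))  # 2
    print(len(search(DIRECTORY, base, SCOPE_SUBTREE, uid_filter("*"))))         # 0
```

The escaping is the part to carry over to real client code: whichever SDK you use, the filter string is passed through unchanged, so the SDK will not escape user input for you. The same escaped string can be handed to ldap_search_s in the C SDK or to the Java SDK's search methods.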
An entry, or individual attribute values within it, can be created, deleted, and modified. The server enforces the integrity of the tree on updates: an add succeeds only for an entry that does not yet exist, and only if the parent of the new entry already exists.
The bind operation lets the client identify itself to the directory: the client supplies a user DN and a password, the server authenticates the user, and the session is thereafter associated with that identity. The unbind operation ends the session, while the abandon operation cancels an operation already in progress. A simple bind transmits the password in clear text, so it should be performed only over a connection protected by SSL/TLS. LDAP v3 relaxes the connection sequence: a client need not begin a session with a bind request (requests sent before any bind are treated as anonymous), and the protocol also defines extended operations, a mechanism by which a server can offer operations that the base protocol does not define.
In the C API the client first obtains a connection handle (ldap_open in RFC 1823, or ldap_init in the Netscape SDK) and then binds on that handle; once the bind succeeds, the connection carries the authenticated identity. When the client then requests access to entries in the directory, the ACLs (Access Control Lists) for those entries are consulted to determine whether the identified user has the permissions needed to complete the requested operation. ACLs are implemented differently by each directory service vendor, since the current LDAP standard does not address access control.
Netscape Java Packages
The Netscape LDAP Java SDK provides a set of Java classes for writing LDAP clients, either as Java applets or as stand-alone applications. The classes are organized in packages that provide the standard LDAP operations (connecting to an LDAP server, manipulating entries and attributes, and retrieving search results). The Java distribution also provides LDAP v3 controls for requesting server-side sorting and persistent searches, utilities for parsing and regular expression matching, and authentication through SASL (Simple Authentication and Security Layer), documented in RFC 2222 [6]. Clients that must work with vendor-specific directory schemas can also use JNDI (the Java Naming and Directory Interface), which is available to Java application developers as a separate package.
For more information on Netscape LDAP SDKs you can visit the URL: http://developer.netscape.com/tech/directory/. The source code is also available from http://www.mozilla.org/directory.
ADSI-Based ASP Web Pages
Microsoft ADSI (http://www.microsoft.com/adsi/) provides a set of APIs for building client code that views and manages network resources held in different directory servers, such as Windows NT 4.0, NT 5.0, LDAP servers, and Novell NetWare 3.x and 4.x. ADSI conforms to Microsoft COM and includes an LDAP provider. Each ADSI object is mapped to an object in the namespace of the persistent store that holds its data; an ADSI object is a collection of COM interfaces, and each interface has methods for manipulating that object. The business logic that connects to the directory service and performs LDAP operations can be written in ASP [1] with a scripting language such as VBScript or JScript, Microsoft's implementation of ECMA-standard JavaScript. Because the credentials the page uses to bind live in the server-side script, the page should bind with an account that holds only the directory rights it needs, not an administrative one.