Archive for January, 2007


Sunday, January 28th, 2007

    [HTML form markup lost in extraction: the rest of promptPassword() prints a form that posts to $actionScript, an "Admin Password:" input, hidden fields carrying urlencode($mail) and urlencode($ou), and the closing tags.]

Standard mechanism to print out an error message in HTML:

    function displayErrMsg($message)
    {
        // the HTML markup around %s is lost in extraction
        printf("%s\n", $message);
    }

The message is emitted verbatim, so pass it only literal strings or text that has already been run through htmlspecialchars(); user-supplied text, or server-supplied text such as ldap_error() output, that reaches this function unescaped is reflected straight into the page.

This function encapsulates the connection to the LDAP server and also the binding to the appropriate part of the DN tree:

    function connectBindServer($bindRDN = 0, $bindPassword = 0)
    {
        global $ldapServer;
        global $ldapServerPort;

        $linkIdentifier = ldap_connect($ldapServer, $ldapServerPort);
        if ($linkIdentifier) {
            // If no RDN and password are specified, attempt an anonymous bind;
            // otherwise bind using the provided credentials.
            if (!$bindRDN && !$bindPassword) {
                if (!@ldap_bind($linkIdentifier)) {
                    displayErrMsg("Unable to bind to LDAP server !!");
                    return 0;
                }
            } else {
                if (!ldap_bind($linkIdentifier, $bindRDN, $bindPassword)) {
                    displayErrMsg("Unable to bind to LDAP server !!");
                    return 0;
                }
            }
        } else {
            // The source is cut off here; the connect-failure path is assumed
            // to return 0 like the bind failures above.
            return 0;
        }
        return $linkIdentifier; // assumed: callers need the bound link identifier
    }

Caveat: the credentialed branch is only safe when the password is actually non-empty. If $bindRDN is set and $bindPassword is an empty string, the test (!$bindRDN && !$bindPassword) is false and ldap_bind() is called with a DN and an empty password. RFC 4513 section 5.1.2 defines that as an unauthenticated simple bind, and many servers (Active Directory among them) let it succeed, so a blank submission of the admin password form would pass this check without proving anything. Reject empty passwords before calling ldap_bind().
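A hardened counterpart to connectBindServer() and to the hidden-field DN reconstruction used by the delete flow, as an added example (this is not code from the original page or from the book's sample application). It assumes PHP 7.1 or later with the ldap extension and a reachable server; the function names connectBindServerSafe() and buildEmployeeDN(), the server URI, the base DN and the mail=...,ou=... DN layout are all assumptions, and displayErrMsg() is the page's own helper.

```php
<?php
// Added example (not code from the original page or the book's application).
// Assumptions: PHP >= 7.1 with the ldap extension and a reachable server; the
// URI, base DN and the mail=...,ou=... DN layout are hypothetical.

/**
 * Connect, upgrade to TLS, and bind. Returns ['link' => resource|null,
 * 'error' => string|null]; link is null on any failure so callers cannot
 * use a half-initialised handle by mistake.
 */
function connectBindServerSafe(string $ldapUri, ?string $bindDN = null, ?string $bindPassword = null): array
{
    // 1. An empty password is not "wrong credentials": RFC 4513 5.1.2 lets a
    //    DN plus empty password bind succeed as an unauthenticated session on
    //    many servers. The page's test (!$bindRDN && !$bindPassword) sends
    //    exactly that when the admin form is submitted blank, so refuse it.
    if ($bindDN !== null && ($bindDN === '' || $bindPassword === null || $bindPassword === '')) {
        return ['link' => null, 'error' => 'refusing bind with empty DN or password'];
    }

    $link = ldap_connect($ldapUri);
    if ($link === false) {
        return ['link' => null, 'error' => 'malformed LDAP URI'];
    }
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($link, LDAP_OPT_REFERRALS, 0);   // never chase referrals with our credentials

    // 2. Simple bind sends the password in clear; upgrade with STARTTLS
    //    unless the URI is already ldaps://.
    if (strncmp($ldapUri, 'ldaps://', 8) !== 0 && !ldap_start_tls($link)) {
        return ['link' => null, 'error' => 'STARTTLS failed'];
    }

    $ok = ($bindDN === null) ? @ldap_bind($link) : @ldap_bind($link, $bindDN, $bindPassword);
    if (!$ok) {
        return ['link' => null, 'error' => 'bind failed'];
    }
    return ['link' => $link, 'error' => null];
}

/**
 * The delete flow rebuilds the target DN from hidden form fields. Those
 * values are attacker-controlled, so escape each one for the DN context
 * before concatenating; an unescaped comma or equals sign in the mail value
 * would otherwise change which entry the DN names.
 */
function buildEmployeeDN(string $mail, string $ou, string $baseDN): string
{
    return sprintf('mail=%s,ou=%s,%s',
        ldap_escape($mail, '', LDAP_ESCAPE_DN),
        ldap_escape($ou, '', LDAP_ESCAPE_DN),
        $baseDN);
}

// Usage (hypothetical host, admin DN and base DN):
// $r = connectBindServerSafe('ldap://ldap.foowidgets.example',
//                            'cn=admin,dc=foowidgets,dc=example',
//                            $_POST['adminPassword'] ?? '');
// if ($r['link'] === null) { displayErrMsg(htmlspecialchars($r['error'])); exit; }
// $dn = buildEmployeeDN($_POST['mail'] ?? '', $_POST['ou'] ?? '', 'dc=foowidgets,dc=example');
// ldap_delete($r['link'], $dn);
```

The empty-password guard is the important line: it closes the unauthenticated-bind hole before the server ever sees the request, regardless of how the server is configured.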


Sunday, January 28th, 2007

    [HTML markup lost in extraction: the rest of this display function prints the page body (vlink="#551A8B" alink="#FF0000"), the heading "Foo Widgets Employee Directory", the $message it was given, and the closing tags.]

This function generates the first page seen in the earlier screenshot. It outputs an HTML form which allows the user to choose between searching for entries or adding a new entry:

    function generateFrontPage()
    [form markup lost in extraction; besides the search/add choice the page prints these instructions:]

  • Search for employees by clicking SEARCH FOR EMPLOYEE
  • Add new employees (Admin only) by clicking ADD A NEW EMPLOYEE
  • Modify employee details by clicking SEARCH FOR EMPLOYEES first and then choosing the entry to Modify
  • Delete an existing entry (Admin only) by clicking SEARCH FOR EMPLOYEES first and then choosing the entry to Delete

This function generates HTML that prompts the user for the administrator's password while attempting to delete a user entry from the directory. The hidden form fields are required to re-construct the DN of the entry that is to be deleted, provided the authentication succeeds. Such a scheme is more illustrative than definitive, since the focus here is on the LDAP APIs; in a production environment this information should be kept in the HTTP session. Whatever the transport, the mail and ou values come back from the client and must be treated as untrusted: escape them for the DN context before assembling the DN, and perform the administrator bind on every privileged request rather than remembering a one-time success.

    function promptPassword($mail, $ou, $actionScript)
    {
        [the body continues in the entry above]


Sunday, January 28th, 2007

suit our environment. As mentioned earlier, empdir_functions.php holds a common set of functions used by the other scripts. The functions are of two types: display-related functions that print the HTML, and utility functions such as those that encapsulate the logic of connecting and binding to the directory:

    [code listing lost in extraction]


Sunday, January 28th, 2007

A Sample LDAP Application in PHP

So we finally get down to putting to some practical purpose what we have gleaned through the course of this chapter. We will develop an application that exposes the directory information for the employees of our favorite company, Foo Widgets Inc. Let us look at the possible requirements and design considerations for such an application:

  • There are two categories of users: regular employees and the directory administrator.
  • The application should allow a regular employee to search the entries of all other employees and to modify the entry corresponding to themselves.
  • The administrator should have exclusive privileges, unavailable to regular employees, to create new entries and delete existing entries.
  • The application should use an LDAP directory as the back-end.
  • It should have a simple front-end, with all complexity moved to the back-end. It should ideally be browser-independent.
  • We build a set of common utility functions first, upon which the application itself is built.

The natural way to enforce the two roles is to bind to the directory as the requesting user for self-service changes and as the administrator only for administrative actions, so that the server's ACL, and not just the PHP code, decides what each bind may change.

The script below is the first that gets invoked as part of launching the application:

    [script listing lost in extraction]

This is how the initial screen would look to the user:

    [screenshot not reproduced]

The script empdir_common.php contains some site-specific information that we need to customize to suit our environment (the text continues in the entry above).


Sunday, January 28th, 2007

Error Functions

These functions identify error conditions within our scripts. They let us write scripts that are independent of the locale, specifically of the local language in which error messages are rendered.

ldap_errno()
    int ldap_errno(int link_identifier)

Often we need to check the error value of the last executed function. This value is available by calling ldap_errno(). The return value can be passed to ldap_err2str() to obtain a string describing the error.

ldap_error()
    string ldap_error(int link_identifier)

This function merely combines ldap_errno() and ldap_err2str(): it returns a string describing the error, if any, that occurred while executing the last function. The link_identifier argument is there because an application might hold connections to more than one LDAP server, and we need to examine the error condition of each connection separately.

ldap_err2str()
    string ldap_err2str(int errno)

ldap_err2str() returns a descriptive error string when supplied with an error number. This is especially useful in localized applications where the error messages may be in a local language: programs can check error numbers rather than error strings. The numbers are the LDAP result codes defined by the protocol (for example 49 for invalidCredentials and 50 for insufficientAccessRights), so they are stable across servers in a way the text is not. Do not echo ldap_error() output to end users; it can reveal directory structure and server details, so log it and show a generic message instead.
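The following is an added example, not code from the original page or the book's application, of acting on ldap_errno() result codes instead of matching ldap_error() strings. It assumes the ldap extension and a bound connection $link; the constant names, classifyLdapFailure(), deleteEmployee() and the $logger callable are assumptions, and displayErrMsg() is the page's own helper.

```php
<?php
// Added example (not code from the original page or the book's application).
// Assumes the ldap extension and a bound connection $link.

// RFC 4511 result codes we act on; the constant names are our own.
const LDAP_RC_NO_SUCH_OBJECT       = 32;
const LDAP_RC_INVALID_CREDENTIALS  = 49;
const LDAP_RC_INSUFFICIENT_ACCESS  = 50;
const LDAP_RC_ENTRY_ALREADY_EXISTS = 68;

/**
 * Turn the last error on $link into an action keyword, a message that is
 * safe to show the user, and detail that belongs only in the log. The
 * decision is made on the numeric code, so it works whatever language the
 * server's strings are in.
 */
function classifyLdapFailure($link): array
{
    $code = ldap_errno($link);
    switch ($code) {
        case 0:
            return ['action' => 'ok', 'user' => '', 'log' => ''];
        case LDAP_RC_INVALID_CREDENTIALS:
            // Same text whether the DN or the password was wrong: do not
            // tell a caller which half they got right.
            return ['action' => 'reauth', 'user' => 'Authentication failed.',
                    'log' => ldap_err2str($code)];
        case LDAP_RC_INSUFFICIENT_ACCESS:
            // The server's ACL, not our form logic, decides who may add or
            // delete entries; treat its refusal as authoritative.
            return ['action' => 'deny', 'user' => 'You are not allowed to perform this operation.',
                    'log' => ldap_err2str($code)];
        case LDAP_RC_NO_SUCH_OBJECT:
            return ['action' => 'retry', 'user' => 'No such entry.',
                    'log' => ldap_err2str($code)];
        case LDAP_RC_ENTRY_ALREADY_EXISTS:
            return ['action' => 'retry', 'user' => 'An entry with that name already exists.',
                    'log' => ldap_err2str($code)];
        default:
            return ['action' => 'fail', 'user' => 'Directory operation failed.',
                    'log' => sprintf('ldap error %d: %s', $code, ldap_error($link))];
    }
}

/**
 * Run a delete and branch on the classification. The detailed server text
 * goes to $logger only; the page receives the generic message, escaped.
 */
function deleteEmployee($link, string $dn, callable $logger): bool
{
    if (@ldap_delete($link, $dn)) {
        return true;
    }
    $f = classifyLdapFailure($link);
    $logger(sprintf('delete %s failed (%s): %s', $dn, $f['action'], $f['log']));
    displayErrMsg(htmlspecialchars($f['user']));
    return false;
}

// Usage (hypothetical DN):
// deleteEmployee($link, 'uid=djoe,ou=people,dc=foowidgets,dc=example', 'error_log');
```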

Sunday, January 28th, 2007

schema. Object class definitions specify which attributes are required and which are merely allowed (optional). The link_identifier is the connection identifier returned by ldap_connect(). The new entry needs a DN, specified as the second argument. The third argument is an array of the attributes and values of the new entry. Taking the FooWid LDIF as the example, the entry array would be:

    $entry["cn"] = "Don Joe III";
    $entry["mail"] = "djoe@exist.com";
    $entry["description"] = "Professional bungee-jumper";
    ...

ldap_mod_add()
    int ldap_mod_add(int link_identifier, string dn, array entry)

This function adds attribute values to the existing attributes of the specified DN. It performs the modification at the attribute level as opposed to the object level; object-level additions are done by ldap_add(). That is, to add a telephone number to an existing entry we would use this function, whereas to add a completely new entry we would rely on ldap_add(). It returns true on success and false on error.

ldap_mod_del()
    int ldap_mod_del(int link_identifier, string dn, array entry)

This function removes attribute values from the specified DN. It performs the modification at the attribute level as opposed to the object level; object-level deletions are done by ldap_delete(). That is, to delete the room number of an employee's entry we would use this function, whereas to delete the employee's entry completely we would rely on ldap_delete(). It returns true on success and false on error.

ldap_delete()
    boolean ldap_delete(int link_identifier, string dn)

ldap_delete() deletes the entry identified by the DN. It returns true on success and false on error. LDAP servers are usually configured so that deletion is permitted only to the few identities named in the server's ACL.

ldap_modify()
    boolean ldap_modify(int link_identifier, string dn, array entry)

ldap_modify() modifies existing entries in the directory. The entry array has the same structure as in ldap_add(). It returns true on success and false on error. Modifications are only allowed for authenticated users, and the server's ACL usually allows different users to modify different attributes. For example, all users might be allowed to change only their own password, a user's manager might be able to change the user's office number and job title, and only a select group (such as the directory administrators) can edit any attribute. All modifications must follow the server's schema. In the protocol a modification can be an add, a replace, or a delete; in PHP the replace form is ldap_modify() (the same operation as ldap_mod_replace()), while the add and delete forms are ldap_mod_add() and ldap_mod_del(). Special care must be taken when replacing multi-valued attributes: replacing an attribute that has several values with a single value discards all of the existing values.
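The four modification calls on one inetOrgPerson entry, including the multi-valued replace pitfall and a safe way around it, as an added example (not code from the original page or the book's application). It assumes PHP 5.6 or later with the ldap extension and a bound $link that has write access; the base DN, the uid-based DN layout and every function name here are assumptions, while cn, sn, mail, objectClass and the requirement that inetOrgPerson carry cn and sn are standard schema.

```php
<?php
// Added example (not code from the original page or the book's application).
// Assumes PHP >= 5.6 with the ldap extension, a bound $link with write
// access, and the hypothetical base DN below.

const EMP_BASE_DN = 'ou=people,dc=foowidgets,dc=example';

// Object-level add: the entry must carry every attribute its object classes
// require (inetOrgPerson: cn and sn), or the server refuses the add.
function addEmployee($link, string $uid, string $cn, string $sn, string $mail): bool
{
    $dn = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . EMP_BASE_DN;
    $entry = [
        'objectClass' => ['inetOrgPerson', 'organizationalPerson', 'person', 'top'],
        'cn'          => $cn,
        'sn'          => $sn,
        'mail'        => $mail,
    ];
    return ldap_add($link, $dn, $entry);
}

// Attribute-level add/delete: touch one value and leave the rest alone.
function addMailAlias($link, string $dn, string $alias): bool
{
    return ldap_mod_add($link, $dn, ['mail' => $alias]);
}
function removeMailAlias($link, string $dn, string $alias): bool
{
    return ldap_mod_del($link, $dn, ['mail' => $alias]);
}

// ldap_modify() is the REPLACE form: the values given become the ONLY
// values. A single string for a multi-valued attribute silently discards
// every other value the entry had.
function replacePrimaryMailNaive($link, string $dn, string $newMail): bool
{
    return ldap_modify($link, $dn, ['mail' => $newMail]);   // wipes all aliases
}

// Safe version: read the current list, substitute the one value, write the
// whole list back.
function replacePrimaryMailSafe($link, string $dn, string $oldMail, string $newMail): bool
{
    $res = ldap_read($link, $dn, '(objectClass=*)', ['mail']);
    if ($res === false) {
        return false;
    }
    $entry = ldap_first_entry($link, $res);
    $vals  = $entry ? ldap_get_values($link, $entry, 'mail') : false;
    ldap_free_result($res);
    if ($vals === false) {
        return false;
    }
    unset($vals['count']);                    // drop the count slot, keep values
    $found = false;
    foreach ($vals as $i => $v) {
        if (strcasecmp($v, $oldMail) === 0) {
            $vals[$i] = $newMail;
            $found = true;
        }
    }
    if (!$found) {
        return false;
    }
    return ldap_modify($link, $dn, ['mail' => array_values($vals)]);
}

// Self-service edit: an employee may change only an allow-listed subset of
// their own attributes. The server ACL remains the real control; the
// allow-list keeps a form bug from turning into a request to rewrite
// userPassword or manager, which the ACL may or may not catch.
function selfServiceUpdate($link, string $ownDN, array $posted): bool
{
    $allowed = ['telephoneNumber', 'roomNumber', 'description'];
    $changes = array_intersect_key($posted, array_flip($allowed));
    if ($changes === []) {
        return false;
    }
    return ldap_modify($link, $ownDN, $changes);
}
```

replacePrimaryMailSafe() is the pattern to copy whenever a form edits one value of an attribute that the schema declares multi-valued; ldap_mod_add()/ldap_mod_del() are the alternative when the old and new values are both known.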

Sunday, January 28th, 2007

    [, array attributes [, int attrsonly [, int sizelimit [, int timelimit [, int deref]]]]])

When we perform a search, we need to specify the base of the tree where the search should begin and also the scope of the search. The scope indicates which part of the tree is covered. ldap_list() performs the search for the given filter with the scope LDAP_SCOPE_ONELEVEL: it returns only entries immediately below the base DN given in the call (equivalent to typing ls in a UNIX shell and getting the files and folders in the current working directory). The optional fourth parameter is an array of just the required attributes. The parameters attrsonly, sizelimit, timelimit and deref have exactly the same meaning as in ldap_search() and ldap_read(). It returns a search result identifier, or false on error.

ldap_count_entries()
    int ldap_count_entries(int link_identifier, int result_identifier)

ldap_count_entries() returns the number of entries held in the result of a previous search call. result_identifier identifies the internal LDAP result. It returns false on error.

ldap_next_attribute()
    string ldap_next_attribute(int link_identifier, int result_entry_identifier, int &ber_identifier)

ldap_next_attribute() retrieves the attributes of an entry one at a time. The iteration state is kept in ber_identifier, which is passed by reference. The first call is made after ldap_first_attribute(), with the same result_entry_identifier (the one obtained from ldap_first_entry() or ldap_next_entry()) and the same ber_identifier. It returns the name of the next attribute on success, and false when no attributes remain or on error.

ldap_next_entry()
    int ldap_next_entry(int link_identifier, int result_entry_identifier)

This function returns the entry identifier for the next entry in a result whose entries are being read starting with ldap_first_entry(). Successive calls return entries one by one until there are no more. The first call is made after ldap_first_entry(), passing the entry identifier that ldap_first_entry() returned. When there are no more entries it returns false.

Modification Functions

Remember that modification of directory entries should be far less frequent than searches: directories are optimized for reads, and heavy write traffic degrades server performance significantly. Modification is necessary nonetheless, and the functions in this category let us add and delete entries as well as attributes.

ldap_add()
    int ldap_add(int link_identifier, string dn, array entry)

ldap_add() adds new entries to the directory. When adding or modifying an entry, the entry must have all of the required attributes and may only carry attributes allowed by the LDAP server's schema (the text continues in the entry above).

Saturday, January 27th, 2007

ldap_free_result() frees the memory allocated internally to store the result of a previous search operation, identified by result_identifier. Typically all of the memory allocated for search results is freed at the end of the script; a script that makes successive searches returning large result sets can call ldap_free_result() to keep its runtime memory usage low. It returns true on success and false on error.

ldap_get_attributes()
    array ldap_get_attributes(int link_identifier, int result_entry_identifier)

ldap_get_attributes() simplifies reading the attributes and values of one entry in the search result. Having located a specific entry in the directory, we can find out what information is held for it with this call. It is the call to use in an application that browses directory entries, or where the structure of the entries is not known in advance; many applications instead search for a specific attribute such as an e-mail address or a surname and do not care what other data is held. It returns the complete entry as a multi-dimensional array of attributes and values on success, and false on error.

ldap_get_dn()
    string ldap_get_dn(int link_identifier, int result_entry_identifier)

ldap_get_dn() returns the DN of an entry in the result. It returns false on error.

ldap_get_entries()
    array ldap_get_entries(int link_identifier, int result_identifier)

ldap_get_entries() simplifies reading multiple entries from the result, together with their attributes and multiple values: the entire result is returned by one call in a multi-dimensional array. The attribute names used as indices are converted to lowercase (attribute names are case-insensitive for directory servers, but array indices are not). It returns the complete result as a multi-dimensional array on success, and false on error.

ldap_get_values()
    array ldap_get_values(int link_identifier, int result_entry_identifier, string attribute)

ldap_get_values() reads all the values of one attribute of the entry identified by result_entry_identifier. The number of values is stored under the index count in the resulting array; individual values are accessed by integer index, starting at 0. This call needs a result_entry_identifier, so it must be preceded by one of the LDAP search calls and one of the calls that fetches an individual entry. Your application will either be hard-coded to look for certain attributes (such as surname or mail) or will use ldap_get_attributes() to work out which attributes exist for a given entry. LDAP allows more than one value per attribute, so a single person's entry can, for example, hold several e-mail addresses all labelled mail.

ldap_list()
    int ldap_list(int link_identifier, string base_dn, string filter (the signature continues in the entry above)

Saturday, January 27th, 2007

BASE, which is equivalent to reading a single entry from the directory. An empty filter is not allowed. To retrieve absolutely all information for the entry use the filter objectClass=*, or, if you know which entry types are used on the directory server, a more specific filter such as objectClass=inetOrgPerson. The optional fourth parameter is an array of the required attributes. It returns a search result identifier, or false on error. The parameters attrsonly, sizelimit, timelimit and deref have exactly the same meaning as in ldap_search().

ldap_dn2ufn()
    string ldap_dn2ufn(string dn)

ldap_dn2ufn() turns a DN into a more user-friendly form by stripping off the attribute type names. For example the DN cn=Resident Geek, o=caffeinated, c=uk becomes Resident Geek, caffeinated, uk.

ldap_explode_dn()
    array ldap_explode_dn(string dn, int with_attrib)

ldap_explode_dn() splits a DN, such as one returned by ldap_get_dn(), into its component RDNs and returns them as an array. with_attrib selects whether the RDNs come back as values only or with their attribute types: set it to 0 for attribute=value form, and to 1 for values only.

ldap_first_attribute()
    string ldap_first_attribute(int link_identifier, int result_entry_identifier, int &ber_identifier)

ldap_first_attribute() returns the first attribute of the entry identified by result_entry_identifier; the remaining attributes are retrieved by calling ldap_next_attribute() successively. ber_identifier is a handle to the internal position of the iteration and is passed by reference (the & indicates this). The same ber_identifier is passed to ldap_next_attribute(), which reads the next attribute and advances the position.

ldap_first_entry()
    int ldap_first_entry(int link_identifier, int result_identifier)

Entries in an LDAP result are read sequentially using ldap_first_entry() and ldap_next_entry(). ldap_first_entry() returns the entry identifier of the first entry in the result; that identifier is then supplied to ldap_next_entry() to get successive entries. It returns the entry identifier of the first entry on success, or false on error.

ldap_free_result()
    boolean ldap_free_result(int result_identifier)
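An added example, not code from the original page or the book's application, that walks a search result with the entry and attribute iterators described in this entry and the two entries above (ldap_list()/ldap_count_entries()/ldap_next_entry()/ldap_get_values()), and shows why the filter must be escaped before the search. It assumes PHP 5.6 or later with the ldap extension (in PHP 5.2.4 and later ldap_first_attribute()/ldap_next_attribute() no longer take the ber_identifier argument, so it is omitted here) and a bound $link; the base DN, the attribute set and the function names are assumptions.

```php
<?php
// Added example (not code from the original page or the book's application).
// Assumes PHP >= 5.6 with the ldap extension, a bound $link, and the
// hypothetical base DN below.

const PEOPLE_BASE = 'ou=people,dc=foowidgets,dc=example';

// Vulnerable: user text is pasted straight into the filter. Input such as
//   *)(objectClass=*
// turns a name lookup into "match everything", and a lone * lists the subtree.
function buildFilterNaive(string $name): string
{
    return "(|(cn=$name)(mail=$name))";
}

// Hardened: ldap_escape() with LDAP_ESCAPE_FILTER encodes ( ) * \ and NUL
// per RFC 4515, so the value can only match literally. Decide separately
// whether a trailing wildcard is wanted and, if so, append it yourself.
function buildFilterSafe(string $name, bool $prefixMatch = false): string
{
    $v = ldap_escape($name, '', LDAP_ESCAPE_FILTER);
    if ($prefixMatch) {
        $v .= '*';
    }
    return "(|(cn=$v)(mail=$v))";
}

// Search with a size limit (so even a broad filter cannot dump the
// directory), walk entries and attributes, return plain arrays.
function findEmployees($link, string $name): array
{
    $filter = buildFilterSafe($name, true);
    $res = @ldap_search($link, PEOPLE_BASE, $filter, ['cn', 'mail', 'telephoneNumber'], 0, 50);
    if ($res === false) {
        return [];
    }
    $out = [];
    for ($e = ldap_first_entry($link, $res); $e !== false; $e = ldap_next_entry($link, $e)) {
        $dn  = ldap_get_dn($link, $e);
        $row = ['dn' => $dn, 'rdn' => ldap_explode_dn($dn, 1)[0]];   // with_attrib=1: value only
        // Attribute names come back in the server's case; lowercase them
        // before using them as keys (ldap_get_entries() does this for you).
        for ($a = ldap_first_attribute($link, $e); $a !== false; $a = ldap_next_attribute($link, $e)) {
            $vals = ldap_get_values($link, $e, $a);
            unset($vals['count']);
            $row[strtolower($a)] = $vals;
        }
        $out[] = $row;
    }
    ldap_free_result($res);
    return $out;
}

// Usage:
// $people = findEmployees($link, $_GET['q'] ?? '');
// foreach ($people as $p) {
//     printf("%s\t%s\n", htmlspecialchars($p['rdn']), htmlspecialchars(implode(', ', $p['mail'] ?? [])));
// }
```

Compare buildFilterNaive() and buildFilterSafe() with the input `*)(objectClass=*`: the first yields a filter that matches every entry under the base, the second a filter that matches only an entry whose cn or mail literally contains those characters.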


Saturday, January 27th, 2007

search.
  • LDAP_DEREF_FINDING: aliases should be dereferenced when locating the base object, but not during the search.

ldap_compare()
    int ldap_compare(int link_identifier, string dn, string attribute, string value)

ldap_compare() compares a string with the value of an attribute of the entry identified by a DN. It takes the link identifier, the DN of the entry, the attribute name, and finally the string to compare. It returns true if the attribute value matches the string exactly, false if it does not, and -1 if the comparison operation itself failed (for example because the entry or the attribute does not exist). Because -1 is truthy in PHP, always test the result with === true rather than in a plain boolean context. This function cannot be used to compare binary values and is available only from PHP 4.0.2 upwards.

ldap_read()
    int ldap_read(int link_identifier, string base_dn, string filter [, array attributes [, int attrsonly [, int sizelimit [, int timelimit [, int deref]]]]])

ldap_read() performs the search for the given filter with the scope LDAP_SCOPE_BASE (the text continues in the entry above).
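The three-way return value of ldap_compare() and the check it requires, as an added example (not code from the original page or the book's application). It assumes the ldap extension and a bound $link; the function names and the DN in the usage note are assumptions.

```php
<?php
// Added example (not code from the original page or the book's application).
// Assumes the ldap extension and a bound connection $link.

// WRONG: -1 (the compare itself failed: no such entry, no such attribute,
// connection dropped) is truthy, so every failure is reported as a match.
function mailMatchesNaive($link, string $dn, string $mail): bool
{
    if (ldap_compare($link, $dn, 'mail', $mail)) {
        return true;
    }
    return false;
}

// RIGHT: only an identical true is a match. A failed compare is surfaced
// as null so the caller can inspect ldap_errno($link) instead of silently
// treating it as success.
function mailMatches($link, string $dn, string $mail): ?bool
{
    $r = ldap_compare($link, $dn, 'mail', $mail);
    if ($r === -1) {
        return null;            // compare failed; see ldap_errno($link)
    }
    return $r === true;
}

// Usage (hypothetical DN):
// $m = mailMatches($link, 'uid=djoe,ou=people,dc=foowidgets,dc=example', 'djoe@exist.com');
// if ($m === null) { /* error path */ } elseif ($m) { /* match */ } else { /* no match */ }
```

Do not use ldap_compare() on userPassword as a login check: servers commonly deny compare on that attribute or store it hashed, and the -1 result would then look like success to the naive version above. Authenticate a user by binding as that user.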