{ "content": [ { "type": "text", "text": "# Net::LDAP (perldoc)\n\n## NAME\n\nNet::LDAP - Lightweight Directory Access Protocol\n\n## SYNOPSIS\n\nuse Net::LDAP;\n$ldap = Net::LDAP->new( 'ldap.example.com' ) or die \"$@\";\n$mesg = $ldap->bind; # anonymous bind\n$mesg->code and die $mesg->error; # check for errors\n$srch = $ldap->search( base => \"c=US\", # perform a search\nfilter => \"(&(sn=Barr)(o=Texas Instruments))\"\n);\n$srch->code and die $srch->error; # check for errors\nforeach $entry ($srch->entries) { $entry->dump; }\n$mesg = $ldap->unbind; # take down session\n$ldap = Net::LDAP->new( 'ldaps://ldap.example.com' ) or die \"$@\";\n# simple bind with DN and password\n$mesg = $ldap->bind( 'cn=root, o=University of Michigan, c=us',\npassword => 'secret'\n);\n$mesg->code and die $mesg->error; # check for errors\n$result = $ldap->add( 'cn=Barbara Jensen, o=University of Michigan, c=US',\nattrs => [\ncn => ['Barbara Jensen', 'Barbs Jensen'],\nsn => 'Jensen',\nmail => 'b.jensen@umich.edu',\nobjectclass => ['top', 'person',\n'organizationalPerson',\n'inetOrgPerson' ],\n]\n);\n$result->code and warn \"failed to add entry: \", $result->error;\n$mesg = $ldap->unbind; # take down session\n\n## DESCRIPTION\n\nNet::LDAP is a collection of modules that implements a LDAP services API for Perl programs. The\nmodule may be used to search directories or perform maintenance functions such as adding,\ndeleting or modifying entries.\n\n## Sections\n\n- **NAME**\n- **SYNOPSIS**\n- **DESCRIPTION**\n- **CONSTRUCTOR**\n- **METHODS**\n- **CONTROLS**\n- **CALLBACKS**\n- **LDAP ERROR CODES**\n- **SEE ALSO**\n- **ACKNOWLEDGEMENTS**\n- **MAILING LIST**\n- **BUGS**\n- **AUTHOR**\n- **COPYRIGHT**\n\nUse structuredContent.sections for detailed options, examples, and full documentation.\n" } ], "structuredContent": { "command": "Net::LDAP", "section": "", "mode": "perldoc", "summary": "Net::LDAP - Lightweight Directory Access Protocol", "synopsis": "use Net::LDAP;\n$ldap = Net::LDAP->new( 'ldap.example.com' ) or die \"$@\";\n$mesg = $ldap->bind; # anonymous bind\n$mesg->code and die $mesg->error; # check for errors\n$srch = $ldap->search( base => \"c=US\", # perform a search\nfilter => \"(&(sn=Barr)(o=Texas Instruments))\"\n);\n$srch->code and die $srch->error; # check for errors\nforeach $entry ($srch->entries) { $entry->dump; }\n$mesg = $ldap->unbind; # take down session\n$ldap = Net::LDAP->new( 'ldaps://ldap.example.com' ) or die \"$@\";\n# simple bind with DN and password\n$mesg = $ldap->bind( 'cn=root, o=University of Michigan, c=us',\npassword => 'secret'\n);\n$mesg->code and die $mesg->error; # check for errors\n$result = $ldap->add( 'cn=Barbara Jensen, o=University of Michigan, c=US',\nattrs => [\ncn => ['Barbara Jensen', 'Barbs Jensen'],\nsn => 'Jensen',\nmail => 'b.jensen@umich.edu',\nobjectclass => ['top', 'person',\n'organizationalPerson',\n'inetOrgPerson' ],\n]\n);\n$result->code and warn \"failed to add entry: \", $result->error;\n$mesg = $ldap->unbind; # take down session", "tldr_summary": null, "tldr_examples": [], "tldr_source": null, "flags": [], "examples": [], "see_also": [], "section_outline": [ { "name": "NAME", "lines": 2, "subsections": [] }, { "name": "SYNOPSIS", "lines": 43, "subsections": [] }, { "name": "DESCRIPTION", "lines": 6, "subsections": [] }, { "name": "CONSTRUCTOR", "lines": 98, "subsections": [] }, { "name": "METHODS", "lines": 645, "subsections": [] }, { "name": "CONTROLS", "lines": 20, "subsections": [] }, { "name": "CALLBACKS", "lines": 14, "subsections": [] }, { "name": "LDAP ERROR CODES", "lines": 3, "subsections": [] }, { "name": "SEE ALSO", "lines": 5, "subsections": [] }, { "name": "ACKNOWLEDGEMENTS", "lines": 6, "subsections": [] }, { "name": "MAILING LIST", "lines": 3, "subsections": [] }, { "name": "BUGS", "lines": 4, "subsections": [] }, { "name": "AUTHOR", "lines": 2, "subsections": [] }, { "name": "COPYRIGHT", "lines": 3, "subsections": [] } ], "sections": { "NAME": { "content": "Net::LDAP - Lightweight Directory Access Protocol\n", "subsections": [] }, "SYNOPSIS": { "content": "use Net::LDAP;\n\n$ldap = Net::LDAP->new( 'ldap.example.com' ) or die \"$@\";\n\n$mesg = $ldap->bind; # anonymous bind\n\n$mesg->code and die $mesg->error; # check for errors\n\n$srch = $ldap->search( base => \"c=US\", # perform a search\nfilter => \"(&(sn=Barr)(o=Texas Instruments))\"\n);\n\n$srch->code and die $srch->error; # check for errors\n\nforeach $entry ($srch->entries) { $entry->dump; }\n\n$mesg = $ldap->unbind; # take down session\n\n\n$ldap = Net::LDAP->new( 'ldaps://ldap.example.com' ) or die \"$@\";\n\n# simple bind with DN and password\n$mesg = $ldap->bind( 'cn=root, o=University of Michigan, c=us',\npassword => 'secret'\n);\n\n$mesg->code and die $mesg->error; # check for errors\n\n$result = $ldap->add( 'cn=Barbara Jensen, o=University of Michigan, c=US',\nattrs => [\ncn => ['Barbara Jensen', 'Barbs Jensen'],\nsn => 'Jensen',\nmail => 'b.jensen@umich.edu',\nobjectclass => ['top', 'person',\n'organizationalPerson',\n'inetOrgPerson' ],\n]\n);\n\n$result->code and warn \"failed to add entry: \", $result->error;\n\n$mesg = $ldap->unbind; # take down session\n", "subsections": [] }, "DESCRIPTION": { "content": "Net::LDAP is a collection of modules that implements a LDAP services API for Perl programs. The\nmodule may be used to search directories or perform maintenance functions such as adding,\ndeleting or modifying entries.\n\nThis document assumes that the reader has some knowledge of the LDAP protocol.\n", "subsections": [] }, "CONSTRUCTOR": { "content": "new ( HOST, OPTIONS )\nCreates a new Net::LDAP object and opens a connection to the named host.\n\n\"HOST\" may be a host name or an IP address. TCP port may be specified after the host name\nfollowed by a colon (such as localhost:10389). The default TCP port for LDAP is 389.\n\nYou can also specify a URI, such as 'ldaps://127.0.0.1:666' or\n'ldapi://%2fvar%2flib%2fldapsock'. Note that '%2f's in the LDAPI socket path will be\ntranslated into '/'. This is to support LDAP query options like base, search etc. although\nthe query part of the URI will be ignored in this context. If port was not specified in the\nURI, the default is either 389 or 636 for 'LDAP' and 'LDAPS' schemes respectively.\n\n\"HOST\" may also be a reference to an array of hosts, host-port pairs or URIs to try. Each\nwill be tried in order until a connection is made. Only when all have failed will the result\nof \"undef\" be returned.\n\nport => N\nPort to connect to on the remote server. May be overridden by \"HOST\".\n\nscheme => 'ldap' | 'ldaps' | 'ldapi'\nConnection scheme to use when not using an URI as \"HOST\". (Default: ldap)\n\nkeepalive => 1\nIf given, set the socket's SOKEEPALIVE option depending on the Boolean value of the\noption. (Default: use system default)\n\nFailures in changing the socket's SOKEEPALIVE option are ignored.\n\ntimeout => N\nTimeout passed to IO::Socket when connecting the remote server. (Default: 120)\n\nmultihomed => N\nWill be passed to IO::Socket as the \"MultiHomed\" parameter when connecting to the remote\nserver\n\nlocaladdr => HOST\nWill be passed to IO::Socket as the \"LocalAddr\" parameter, which sets the client's IP\naddress (as opposed to the server's IP address.)\n\ndebug => N\nSet the debug level. See the debug method for details.\n\nasync => 1\nPerform all operations asynchronously.\n\nonerror => 'die' | 'warn' | 'undef' | sub { ... }\nIn synchronous mode, change what happens when an error is detected.\n\n'die'\nNet::LDAP will croak whenever an error is detected.\n\n'warn'\nNet::LDAP will warn whenever an error is detected.\n\n'undef'\nNet::LDAP will warn whenever an error is detected and \"-w\" is in effect. The method\nthat was called will return \"undef\".\n\nNote this value is the string 'undef', not the \"undef\" value.\n\nsub { ... }\nThe given sub will be called in a scalar context with a single argument, the result\nmessage. The value returned will be the return value for the method that was called.\n\nversion => N\nSet the protocol version being used (default is LDAPv3). This is useful if you want to\ntalk to an old server and therefore have to use LDAPv2.\n\nraw => REGEX\nUse REGEX to denote the names of attributes that are to be considered binary in search\nresults.\n\nWhen this option is given, Net::LDAP converts all values of attributes not matching this\nREGEX into Perl UTF-8 strings so that the regular Perl operators (pattern matching, ...)\ncan operate as one expects even on strings with international characters.\n\nIf this option is not given, attribute values are treated as byte strings.\n\nExample: raw => qr/(?i:^jpegPhoto|;binary)/\n\ninet4 => N\ninet6 => N\nTry to connect to the server using the specified IP protocol only, i.e. either IPv4 or\nIPv6. If the protocol selected is not supported, connecting will fail.\n\nThe default is to use any of the two protocols.\n\nExample\n\n$ldap = Net::LDAP->new( 'remote.host', async => 1 );\n\nLDAPS connections have some extra valid options, see the starttls method for details. Note\nthe default port for LDAPS is 636, and the default value for 'sslversion' is the value used\nas default by IO::Socket::SSL.\n\nFor LDAPI connections, HOST is actually the location of a UNIX domain socket to connect to.\nThe default location is '/var/run/ldapi'.\n", "subsections": [] }, "METHODS": { "content": "Each of the following methods take as arguments some number of fixed parameters followed by\noptions, these options are passed in a named fashion, for example\n\n$mesg = $ldap->bind( \"cn=me,o=example\", password => \"mypasswd\");\n\nThe return value from these methods is an object derived from the Net::LDAP::Message class. The\nmethods of this class allow you to examine the status of the request.\n\nabandon ( ID, OPTIONS )\nAbandon a previously issued request. \"ID\" may be a number or an object which is a sub-class\nof Net::LDAP::Message, returned from a previous method call.\n\ncontrol => CONTROL\ncontrol => [ CONTROL, ... ]\nSee \"CONTROLS\" below\n\ncallback => CALLBACK\nSee \"CALLBACKS\" below\n\nExample\n\n$res = $ldap->search( @searchargs );\n\n$mesg = $ldap->abandon( $res ); # This could be written as $res->abandon\n\nadd ( DN, OPTIONS )\nAdd a new entry to the directory. \"DN\" can be either a Net::LDAP::Entry object or a string.\n\nattrs => [ ATTR => VALUE, ... ]\n\"VALUE\" should be a string if only a single value is wanted, or a reference to an array\nof strings if multiple values are wanted.\n\nThis argument is not used if \"DN\" is a Net::LDAP::Entry object.\n\ncontrol => CONTROL\ncontrol => [ CONTROL, ... ]\nSee \"CONTROLS\" below\n\ncallback => CALLBACK\nSee \"CALLBACKS\" below\n\nExample\n\n# $entry is an object of class Net::LDAP::Entry\n$mesg = $ldap->add( $entry );\n\n$mesg = $ldap->add( $dn,\nattrs => [\nname => 'Graham Barr',\nattr => 'value1',\nattr => 'value2',\nmulti => [qw(value1 value2)]\n]\n);\n\nbind ( DN, OPTIONS )\nBind (log in) to the server. \"DN\" is the DN to bind with. An anonymous bind may be done by\ncalling bind without any arguments.\n\ncontrol => CONTROL\ncontrol => [ CONTROL, ... ]\nSee \"CONTROLS\" below\n\ncallback => CALLBACK\nSee \"CALLBACKS\" below\n\nnoauth | anonymous => 1\nBind without any password. The value passed with this option is ignored.\n\npassword => PASSWORD\nBind with the given password.\n\nsasl => SASLOBJ\nBind using a SASL mechanism. The argument given should be a sub-class of Authen::SASL or\nan Authen::SASL client connection by calling \"clientnew\" on an Authen::SASL object.\n\nIf passed an Authen::SASL object then \"clientnew\" will be called to create a client\nconnection object. The hostname passed by \"Net::LDAP\" to \"clientnew\" can be set using\nthe \"saslhost\" option below. If this is not correct for your environment, consider\ncalling \"clientnew\" yourself and passing the client connection object as \"SASLOBJ\".\n\nsaslhost => SASLHOST\nWhen binding using SASL, allow the hostname used in the SASL communication to differ\nfrom the hostname connected to.\n\nIf \"SASLHOST\" evaluates to TRUE, then it is used as the SASL hostname.\n\nIf it evaluates to FALSE, then the value is determined by calling \"peerhost\" on the\nsocket. In older versions of Net::LDAP this was the standard behaviour, but it turned\nout to cause more trouble than it fixed.\n\nWhen the option is not given, the SASL host name used defaults to the host name / IP\naddress taken from the \"HOST\" parameter when connecting.\n\nExample\n\n$mesg = $ldap->bind; # Anonymous bind\n\n$mesg = $ldap->bind( $dn, password => $password );\n\n# $sasl is an object of class Authen::SASL\n$mesg = $ldap->bind( $dn, sasl => $sasl, version => 3 );\n\ncompare ( DN, OPTIONS )\nCompare values in an attribute in the entry given by \"DN\" on the server. \"DN\" may be a\nstring or a Net::LDAP::Entry object.\n\nattr => ATTR\nThe name of the attribute to compare.\n\nvalue => VALUE\nThe value to compare with.\n\ncontrol => CONTROL\ncontrol => [ CONTROL, ... ]\nSee \"CONTROLS\" below.\n\ncallback => CALLBACK\nSee \"CALLBACKS\" below.\n\nExample\n\n$mesg = $ldap->compare( $dn,\nattr => 'cn',\nvalue => 'Graham Barr'\n);\n\ndelete ( DN, OPTIONS )\nDelete the entry given by \"DN\" from the server. \"DN\" may be a string or a Net::LDAP::Entry\nobject.\n\ncontrol => CONTROL\ncontrol => [ CONTROL, ... ]\nSee \"CONTROLS\" below.\n\ncallback => CALLBACK\nSee \"CALLBACKS\" below.\n\nExample\n\n$mesg = $ldap->delete( $dn );\n\nmoddn ( DN, OPTIONS )\nRename the entry given by \"DN\" on the server. \"DN\" may be a string or a Net::LDAP::Entry\nobject.\n\nnewrdn => RDN\nThis value should be a new RDN to assign to \"DN\".\n\ndeleteoldrdn => 1\nThis option should be passed if the existing RDN is to be deleted.\n\nnewsuperior => NEWDN\nIf given this value should be the DN of the new superior for \"DN\".\n\ncontrol => CONTROL\ncontrol => [ CONTROL, ... ]\nSee \"CONTROLS\" below.\n\ncallback => CALLBACK\nSee \"CALLBACKS\" below.\n\nExample\n\n$mesg = $ldap->moddn( $dn, newrdn => 'cn=Graham Barr' );\n\nmodify ( DN, OPTIONS )\nModify the contents of the entry given by \"DN\" on the server. \"DN\" may be a string or a\nNet::LDAP::Entry object.\n\nadd => { ATTR => VALUE, ... }\nAdd more attributes or values to the entry. \"VALUE\" should be a string if only a single\nvalue is wanted in the attribute, or a reference to an array of strings if multiple\nvalues are wanted.\n\n$mesg = $ldap->modify( $dn,\nadd => {\ndescription => 'List of members', # Add description attribute\nmember => [\n'cn=member1,ou=people,dc=example,dc=com', # Add to attribute\n'cn=member2,ou=people,dc=example,dc=com',\n]\n}\n);\n\ndelete => [ ATTR, ... ]\nDelete complete attributes from the entry.\n\n$mesg = $ldap->modify( $dn,\ndelete => ['member','description'] # Delete attributes\n);\n\ndelete => { ATTR => VALUE, ... }\nDelete individual values from an attribute. \"VALUE\" should be a string if only a single\nvalue is being deleted from the attribute, or a reference to an array of strings if\nmultiple values are being deleted.\n\nIf \"VALUE\" is a reference to an empty array or all existing values of the attribute are\nbeing deleted, then the attribute will be deleted from the entry.\n\n$mesg = $ldap->modify( $dn,\ndelete => {\ndescription => 'List of members',\nmember => [\n'cn=member1,ou=people,dc=example,dc=com', # Remove members\n'cn=member2,ou=people,dc=example,dc=com',\n],\nseeAlso => [], # Remove attribute\n}\n);\n\nreplace => { ATTR => VALUE, ... }\nReplace any existing values in each given attribute with \"VALUE\". \"VALUE\" should be a\nstring if only a single value is wanted in the attribute, or a reference to an array of\nstrings if multiple values are wanted. A reference to an empty array will remove the\nentire attribute. If the attribute does not already exist in the entry, it will be\ncreated.\n\n$mesg = $ldap->modify( $dn,\nreplace => {\ndescription => 'New List of members', # Change the description\nmember => [ # Replace whole list with these\n'cn=member1,ou=people,dc=example,dc=com',\n'cn=member2,ou=people,dc=example,dc=com',\n],\nseeAlso => [], # Remove attribute\n}\n);\n\nincrement => { ATTR => VALUE, ... }\nAtomically increment the existing value in each given attribute by the provided \"VALUE\".\nThe attributes need to have integer syntax, or be otherwise \"incrementable\". Note this\nwill only work if the server advertises support for LDAPFEATUREMODIFYINCREMENT. Use\n\"supportedfeature\" in Net::LDAP::RootDSE to check this.\n\n$mesg = $ldap->modify( $dn,\nincrement => {\nuidNumber => 1 # increment uidNumber by 1\n}\n);\n\nchanges => [ OP => [ ATTR => VALUE ], ... ]\nThis is an alternative to add, delete, replace and increment where the whole operation\ncan be given in a single argument. \"OP\" should be add, delete, replace or increment.\n\"VALUE\" should be either a string or a reference to an array of strings, as before.\n\nUse this form if you want to control the order in which the operations will be\nperformed.\n\n$mesg = $ldap->modify( $dn,\nchanges => [\nadd => [\ndescription => 'A description',\nmember => $newMember,\n],\ndelete => [\nseeAlso => [],\n],\nadd => [\nanotherAttribute => $value,\n],\n]\n);\n\ncontrol => CONTROL\ncontrol => [ CONTROL, ... ]\nSee \"CONTROLS\" below.\n\ncallback => CALLBACK\nSee \"CALLBACKS\" below.\n\nExample\n\n$mesg = $ldap->modify( $dn, add => { sn => 'Barr' } );\n\n$mesg = $ldap->modify( $dn, delete => [qw(faxNumber)] );\n\n$mesg = $ldap->modify( $dn, delete => { 'telephoneNumber' => '911' } );\n\n$mesg = $ldap->modify( $dn, replace => { 'mail' => 'gbarr@pobox.com' } );\n\n$mesg = $ldap->modify( $dn,\nchanges => [\n# add sn=Barr\nadd => [ sn => 'Barr' ],\n# delete all fax numbers\ndelete => [ faxNumber => []],\n# delete phone number 911\ndelete => [ telephoneNumber => ['911']],\n# change email address\nreplace => [ mail => 'gbarr@pobox.com']\n]\n);\n\nsearch ( OPTIONS )\nSearch the directory using a given filter. This can be used to read attributes from a single\nentry, from entries immediately below a particular entry, or a whole subtree of entries.\n\nThe result is an object of class Net::LDAP::Search.\n\nbase => DN\nThe DN that is the base object entry relative to which the search is to be performed.\n\nscope => 'base' | 'one' | 'sub' | 'subtree' | 'children'\nBy default the search is performed on the whole tree below the specified base object.\nThis maybe changed by specifying a \"scope\" parameter with one of the following values:\n\nbase\nSearch only the base object.\n\none Search the entries immediately below the base object.\n\nsub\nsubtree\nSearch the whole tree below (and including) the base object. This is the default.\n\nchildren\nSearch the whole subtree below the base object, excluding the base object itself.\n\nNote: *children* scope requires LDAPv3 subordinate feature extension.\n\nderef => 'never' | 'search' | 'find' | 'always'\nBy default aliases are dereferenced to locate the base object for the search, but not\nwhen searching subordinates of the base object. This may be changed by specifying a\n\"deref\" parameter with one of the following values:\n\nnever\nDo not dereference aliases in searching or in locating the base object of the\nsearch.\n\nsearch\nDereference aliases in subordinates of the base object in searching, but not in\nlocating the base object of the search.\n\nfind\nDereference aliases in locating the base object of the search, but not when\nsearching subordinates of the base object. This is the default.\n\nalways\nDereference aliases both in searching and in locating the base object of the search.\n\nsizelimit => N\nA sizelimit that restricts the maximum number of entries to be returned as a result of\nthe search. A value of 0, and the default, means that no restriction is requested.\nServers may enforce a maximum number of entries to return.\n\ntimelimit => N\nA timelimit that restricts the maximum time (in seconds) allowed for a search. A value\nof 0 (the default), means that no timelimit will be requested.\n\ntypesonly => 1\nOnly attribute types (no values) should be returned. Normally attribute types and values\nare returned.\n\nfilter => FILTER\nA filter that defines the conditions an entry in the directory must meet in order for it\nto be returned by the search. This may be a string or a Net::LDAP::Filter object. Values\ninside filters may need to be escaped to avoid security problems; see Net::LDAP::Filter\nfor a definition of the filter format, including the escaping rules.\n\nattrs => [ ATTR, ... ]\nA list of attributes to be returned for each entry that matches the search filter.\n\nIf not specified, then the server will return the attributes that are specified as\naccessible by default given your bind credentials.\n\nCertain additional attributes such as \"createTimestamp\" and other operational attributes\nmay also be available for the asking:\n\n$mesg = $ldap->search( ... ,\nattrs => ['createTimestamp']\n);\n\nTo retrieve the default attributes and additional ones, use '*'.\n\n$mesg = $ldap->search( ... ,\nattrs => ['*', 'createTimestamp']\n);\n\nTo retrieve no attributes (the server only returns the DNs of matching entries), use\n'1.1':\n\n$mesg = $ldap->search( ... ,\nattrs => ['1.1']\n);\n\ncontrol => CONTROL\ncontrol => [ CONTROL, ... ]\nSee \"CONTROLS\" below.\n\ncallback => CALLBACK\nSee \"CALLBACKS\" below.\n\nraw => REGEX\nUse REGEX to denote the names of attributes that are to be considered binary in search\nresults.\n\nWhen this option is given, Net::LDAP converts all values of attributes not matching this\nREGEX into Perl UTF-8 strings so that the regular Perl operators (pattern matching, ...)\ncan operate as one expects even on strings with international characters.\n\nIf this option is not given, attribute values are treated as byte strings.\n\nThe value provided here overwrites the value inherited from the constructor.\n\nExample: raw => qr/(?i:^jpegPhoto|;binary)/\n\nExample\n\n$mesg = $ldap->search(\nbase => $basedn,\nscope => 'sub',\nfilter => '(|(objectclass=rfc822mailgroup)(sn=jones))'\n);\n\nNet::LDAP::LDIF->new( \\*STDOUT,\"w\" )->write( $mesg->entries );\n\nstarttls ( OPTIONS )\nCalling this method will convert the existing connection to using Transport Layer Security\n(TLS), which provides an encrypted connection. This is *only* possible if the connection\nuses LDAPv3, and requires that the server advertises support for LDAPEXTENSIONSTARTTLS.\nUse \"supportedextension\" in Net::LDAP::RootDSE to check this.\n\nverify => 'none' | 'optional' | 'require'\nHow to verify the server's certificate:\n\nnone\nThe server may provide a certificate but it will not be checked - this may mean you\nare be connected to the wrong server\n\noptional\nVerify only when the server offers a certificate\n\nrequire\nThe server must provide a certificate, and it must be valid.\n\nIf you set verify to optional or require, you must also set either cafile or capath. The\nmost secure option is require.\n\nsslversion => 'sslv2' | 'sslv3' | 'sslv23' | 'tlsv1' | 'tlsv11' | 'tlsv12'\nThis defines the version of the SSL/TLS protocol to use. Default is to use the value\nthat IO::Socket::SSL uses as default.\n\nSee \"SSLversion\" in IO::Socket::SSL for more details.\n\nsslserver => SSLHOST\nAllow changing the server name to use in certificate hostname verification in case the\ntarget hostname does not match the LDAP server's certificate. If not given it defaults\nto the name of the HOST connected to.\n\nSee \"SSLverifycnname\" in IO::Socket::SSL for more details.\n\nciphers => CIPHERS\nSpecify which subset of cipher suites are permissible for this connection, using the\nstandard OpenSSL string format. The default behavior is to keep the decision on the\nunderlying cryptographic library.\n\nclientcert => '/path/to/cert.pem'\nclientkey => '/path/to/key.pem'\nkeydecrypt => sub { ... }\nIf you want to use the client to offer a certificate to the server for SSL\nauthentication (which is not the same as for the LDAP Bind operation) then set\nclientcert to the user's certificate file, and clientkey to the user's private key file.\nThese files must be in PEM format.\n\nIf the private key is encrypted (highly recommended) then keydecrypt should be a\nsubroutine that returns the decrypting key. For example:\n\n$ldap = Net::LDAP->new( 'myhost.example.com', version => 3 );\n$mesg = $ldap->starttls(\nverify => 'require',\nclientcert => 'mycert.pem',\nclientkey => 'mykey.pem',\nkeydecrypt => sub { 'secret'; },\ncapath => '/usr/local/cacerts/'\n);\n\ncapath => '/path/to/servercerts/'\ncafile => '/path/to/servercert.pem'\nWhen verifying the server's certificate, either set capath to the pathname of the\ndirectory containing CA certificates, or set cafile to the filename containing the\ncertificate of the CA who signed the server's certificate. These certificates must all\nbe in PEM format.\n\nThe directory in 'capath' must contain certificates named using the hash value of the\ncertificates' subject names. To generate these names, use OpenSSL like this in Unix:\n\nln -s cacert.pem `openssl x509 -hash -noout < cacert.pem`.0\n\n(assuming that the certificate of the CA is in cacert.pem.)\n\ncheckcrl => 1\nIf capath has been configured, then it will also be searched for certificate revocation\nlists (CRLs) when verifying the server's certificate. The CRLs' names must follow the\nform hash.rnum where hash is the hash over the issuer's DN and num is a number starting\nwith 0.\n\nSee \"SSLcheckcrl\" in IO::Socket::SSL for further information.\n\nunbind ( )\nThe unbind method does not take any parameters and will unbind you from the server. Some\nservers may allow you to re-bind or perform other operations after unbinding. If you wish to\nswitch to another set of credentials while continuing to use the same connection, re-binding\nwith another DN and password, without unbind-ing, will generally work.\n\nExample\n\n$mesg = $ldap->unbind;\n\ndone ( )\nConvenience alias for \"unbind()\", named after the clean-up method of Net::LDAP::LDIF.\n\nThe following methods are for convenience, and do not return \"Net::LDAP::Message\" objects.\n\nasync ( VALUE )\nIf \"VALUE\" is given the async mode will be set. The previous value will be returned. The\nvalue is *true* if LDAP operations are being performed asynchronously.\n\ncertificate ( )\nReturns an X509Certificate object containing the server's certificate. See the\nIO::Socket::SSL documentation for information about this class.\n\nFor example, to get the subject name (in a peculiar OpenSSL-specific format, different from\nRFC 1779 and RFC 4514) from the server's certificate, do this:\n\nprint \"Subject DN: \" . $ldaps->certificate->subjectname . \"\\n\";\n\ncipher ( )\nReturns the cipher mode being used by the connection, in the string format used by OpenSSL.\n\ndebug ( VALUE )\nIf \"VALUE\" is given the debug bit-value will be set. The previous value will be returned.\nDebug output will be sent to \"STDERR\". The bits of this value are:\n\n1 Show outgoing packets (using asnhexdump).\n2 Show incoming packets (using asnhexdump).\n4 Show outgoing packets (using asndump).\n8 Show incoming packets (using asndump).\n\nThe default value is 0.\n\ndisconnect ( )\nDisconnect from the server\n\nrootdse ( OPTIONS )\nThe rootdse method retrieves cached information from the server's rootDSE.\n\nattrs => [ ATTR, ... ]\nA reference to a list of attributes to be returned. If not specified, then the following\nattributes will be requested\n\nsubschemaSubentry\nnamingContexts\naltServer\nsupportedExtension\nsupportedFeatures\nsupportedControl\nsupportedSASLMechanisms\nsupportedLDAPVersion\n\nThe result is an object of class Net::LDAP::RootDSE.\n\nExample\n\nmy $root = $ldap->rootdse;\n# get naming Context\n$root->getvalue( 'namingContexts', asref => 1 );\n# get supported LDAP versions\n$root->supportedversion;\n\nAs the root DSE may change in certain circumstances - for instance when you change the\nconnection using starttls - you should always use the rootdse method to return the most\nup-to-date copy of the root DSE.\n\nschema ( OPTIONS )\nRead schema information from the server.\n\nThe result is an object of class Net::LDAP::Schema. Read this documentation for further\ninformation about methods that can be performed with this object.\n\ndn => DN\nIf a DN is supplied, it will become the base object entry from which the search for\nschema information will be conducted. If no DN is supplied the base object entry will be\ndetermined from the rootDSE entry.\n\nExample\n\nmy $schema = $ldap->schema;\n# get objectClasses\n@ocs = $schema->allobjectclasses;\n# Get the attributes\n@atts = $schema->allattributes;\n\nsasl ( )\nReturns the \"Authen::SASL\" object associated with the LDAP object, or \"undef\" if there\nisn't.\n\nsocket ( OPTIONS )\nReturns the underlying socket object being used.\n\nThe exact object type returned depends on whether SASL layers are established. Without SASL\nlayers the result is always an \"IO::Socket\" object; with SASL layers the outcome depends on\nthe options given:\n\nsasllayer => FLAG\nThis option is only relevant if SASL layers are established.\n\nIf it it missing or if is set to a TRUE value, then the SASL layer handle is returned.\nDepending on the SASL library used, the object returned is not necessarily an\n\"IO::Socket\" object.\n\nIf it exists, but is set to a value evaluating to FALSE, then the base \"IO::Socket\"\nobject underneath the SASL layer is returned.\n\nhost ( )\nReturns the host to which the connection was established. For LDAPI connections the socket\npath is returned.\n\nport ( )\nReturns the port connected to or \"undef\" in case of LDAPI connections.\n\nuri ( )\nReturns the URI connected to.\n\nAs the value returned is that element of the constructor's HOST argument with which the\nconnection was established this may or may not be a legal URI.\n\nscheme ( )\nReturns the scheme of the connection. One of *ldap*, *ldaps* or *ldapi*.\n\nsync ( MESG )\nWait for a given \"MESG\" request to be completed by the server. If no \"MESG\" is given, then\nwait for all outstanding requests to be completed.\n\nReturns an error code defined in Net::LDAP::Constant.\n\nprocess ( MESG )\nProcess any messages that the server has sent, but do not block. If \"MESG\" is specified then\nreturn as soon as \"MESG\" has been processed.\n\nReturns an error code defined in Net::LDAP::Constant.\n\nversion ( )\nReturns the version of the LDAP protocol that is being used.\n", "subsections": [] }, "CONTROLS": { "content": "Many of the methods described above accept a control option. This allows the user to pass\ncontrols to the server as described in LDAPv3.\n\nA control is a reference to a HASH and should contain the three elements below. If any of the\ncontrols are blessed then the method \"toasn\" will be called which should return a reference to\na HASH containing the three elements described below.\n\nFor most purposes Net::LDAP::Control objects are the easiest way to generate controls.\n\ntype => OID\nThis element must be present and is the name of the type of control being requested.\n\ncritical => FLAG\ncritical is optional and should be a Boolean value, if it is not specified then it is\nassumed to be *false*.\n\nvalue => VALUE\nIf the control being requested requires a value then this element should hold the value for\nthe server.\n", "subsections": [] }, "CALLBACKS": { "content": "Most of the above commands accept a callback option. This option should be a reference to a\nsubroutine. This subroutine will be called for each packet received from the server as a\nresponse to the request sent.\n\nWhen the subroutine is called the first argument will be the Net::LDAP::Message object which was\nreturned from the method.\n\nIf the request is a search then multiple packets can be received from the server. Each entry is\nreceived as a separate packet. For each of these the subroutine will be called with a\nNet::LDAP::Entry object as the second argument.\n\nDuring a search the server may also send a list of references. When such a list is received then\nthe subroutine will be called with a Net::LDAP::Reference object as the second argument.\n", "subsections": [] }, "LDAP ERROR CODES": { "content": "Net::LDAP also exports constants for the error codes that can be received from the server, see\nNet::LDAP::Constant.\n", "subsections": [] }, "SEE ALSO": { "content": "Net::LDAP::Constant, Net::LDAP::Control, Net::LDAP::Entry, Net::LDAP::Filter,\nNet::LDAP::Message, Net::LDAP::Reference, Net::LDAP::Search, Net::LDAP::RFC\n\nThe homepage for the perl-ldap modules can be found at http://ldap.perl.org/.\n", "subsections": [] }, "ACKNOWLEDGEMENTS": { "content": "This document is based on a document originally written by Russell Fulton\n.\n\nChris Ridd for the many hours spent testing and contribution of the ldap*\ncommand line utilities.\n", "subsections": [] }, "MAILING LIST": { "content": "A discussion mailing list is hosted by the Perl Foundation at No\nsubscription is necessary!\n", "subsections": [] }, "BUGS": { "content": "We hope you do not find any, but if you do please report them to the mailing list.\n\nIf you have a patch, please send it as an attachment to the mailing list.\n", "subsections": [] }, "AUTHOR": { "content": "Graham Barr \n", "subsections": [] }, "COPYRIGHT": { "content": "Copyright (c) 1997-2004 Graham Barr. All rights reserved. This program is free software; you can\nredistribute it and/or modify it under the same terms as Perl itself.\n", "subsections": [] } } } }