Using LDAP in ColdFusion
 
Published: 30 Sep 2008
Abstract
In this article, Debjani provides a brief introduction to what LDAP is and what its benefits are, along with how it can be used in ColdFusion. She begins with a brief introduction to LDAP and the basic elements of an LDAP directory. She then discusses the use of LDAP in ColdFusion and demonstrates the cfldap tag with the help of an example.
by Debjani Mallick

Introduction

LDAP stands for Lightweight Directory Access Protocol. In one line, LDAP is a lightweight protocol for accessing directory servers, or in other words, for accessing existing online directory services. The advantage of LDAP over the earlier leading standards for directory services is that it runs over the simpler TCP/IP networking stack, whereas earlier standards such as X.500 were more complicated and required the OSI network stack rather than TCP/IP.

What is LDAP?

Before going deep into LDAP, let me explain what a directory server really is. In technical terms, a directory server can be described as a hierarchical, object-oriented database. A directory is similar to a database in that it stores data in a structured way, but it tends to be more descriptive. The difference is that it does not involve the complicated operations of a database, such as transactions or rollback. A directory is normally used far more for reading information than for writing it, and in practice directories are tuned to return a quick response to the search operations performed on them.

Conceptually, a directory is a collection of objects, each derived from a particular class. The class defines which attributes can be present in an object. Programmers acquainted with object-oriented programming will find this familiar. As in the object-oriented model, classes here can inherit from other classes: the attributes of the parent class are added to the attributes of an object derived from the child class. Every object in LDAP can contain sub-objects, resulting in a tree-like structure.

The objects in LDAP can have more than one class. This is where LDAP deviates from the object-oriented model. Classes are assigned to objects using the "objectClass" attribute. Classes are of three types.

Structural class - Structural classes tend to map to physical objects. An object must have exactly one structural class. Once the structural class for an object has been defined, it cannot be changed for that object unless the object is destroyed and created again.

Auxiliary class - These define additional attributes beyond those of the structural class. Objects can have many auxiliary classes and, unlike structural classes, auxiliary classes can be added and removed after the object has been created.

Abstract class - These classes cannot be used directly by objects. They can be used by other classes through inheritance.

Information Structure in LDAP

The basic elements of an LDAP directory are below.

Entry - The entry is the basic information object and is composed of one or more attributes.

Attribute - The attributes of an object are basically key-value pairs, but an object may contain only valid keys. Whether a key is valid depends on the class from which the object is derived. Normally a class defines some required (mandatory) attributes and some optional attributes for an object, along with their types. LDAP defines many classes, and one object can be derived from more than one class.

Distinguished Name (DN) - The DN is the unique name used to refer to a particular object in the tree. It is made up of the DN of the parent object and the RDN (relative distinguished name) of the entry. An RDN identifies the entry among the children of its parent entry. The RDNs are separated by commas and optional spaces. It is possible to have multi-attribute distinguished names by putting a "+" between the attributes.

Schema - The directory schema defines a set of rules for storing data in a directory. It defines the directory's object classes and attribute types. We have already discussed object classes in detail above. A schema attribute type defines the attribute type's name and its unique ID, the attribute's syntax and its matching rules. It can also define whether the type is single-valued or multi-valued.

Let us look at an example. A common use of LDAP is an address book. For this we can use the structural class called "person", which defines sn (surname) and cn (common name) as the required attributes. The optional attributes provided by this class are telephoneNumber, seeAlso and description. If we want to store addresses, we need to use the "organizationalPerson" class, which derives from the "person" class and adds several more attributes such as title, street, postalAddress, postalCode, etc. And since it derives from the person class, we still have the sn and cn attributes.

Using LDAP in ColdFusion

To make use of LDAP, we need the cfldap tag. This tag allows various operations on LDAP directories, selected with the action attribute of the cfldap tag.

Retrieve attribute values from a directory – action = "query"

Add an entry to a directory – action = "add"

Delete an entry from a directory – action = "delete"

Modify i.e. add, change or delete the value of an attribute – action = "modify"

Rename a directory entry – action = "modifyDN"

Querying an LDAP Directory using <cfldap> tag

The cfldap tag allows searching an LDAP directory, and the result returned can be treated as a query object. When querying an LDAP directory, we specify where to start the search with the start attribute and the search criteria with the filter attribute. The scope attribute limits the search scope. The default scope is one level below the DN specified in the start attribute, and it does not include the entry identified by the start attribute; it is also possible to restrict the query to the start entry itself or to extend it to the entire subtree below the start entry. The search filter value has the form attribute operator value. By default it uses objectclass=*, which returns all the entries in the scope. Various filter criteria or patterns can be provided, and Boolean operators can be used to combine more than one condition. If the pattern contains a parenthesis, backslash, asterisk or null character, we need to use the escape sequence for that character.

Examples:

filter = "o=*go*" – Organization names that contain the string "go"

filter = "(&(o=google)(co=usa))" – Organization name is "google" and country is "usa"

The sort attribute allows us to sort the returned query object. By default, ColdFusion returns the result in case-sensitive ascending order; the sortControl attribute can be used to sort in descending or case-insensitive order. The timeout and maxRows attributes control performance by limiting the number of entries returned and by giving up after a time limit if the server does not respond. If we specify attributes="*", we get back all the attributes, but we can limit the attributes returned by the query by listing the names of the attributes we want, such as sn, cn, etc.

Example of using LDAP in ColdFusion

Listing 1

<html>
<head>
    <title>Login Demo</title>
</head>
<body>
    <cfform name="demo" action="login.cfm" method="post">
        <table>
            <tr>
                <td>User Name</td>
                <td>
                    <cfinput type="text" name="userName" id="userName" />
                </td>
            </tr>
            <tr>
                <td>Password</td>
                <td>
                    <cfinput type="password" name="password" id="password" />
                </td>
            </tr>
            <tr>
                <td colspan="2">
                    <cfinput type="submit" id="login" name="login" value="Login" />
                </td>
            </tr>
        </table>
    </cfform>
</body>
</html>

<cfif IsDefined('form.login')>
    <cfif IsDefined('form.userName')>
        <cfif IsDefined('form.password')>
            <cftry>
                <!--- Query the directory for an entry whose uid matches the submitted user name --->
                <cfldap
                    server="hostname or IP address of the LDAP server"
                    action="query"
                    name="userAuthentication"
                    scope="subtree"
                    port="port number"
                    attributes="uid,userPassword"
                    returnAsBinary="userPassword"
                    filter="(&(uid=#form.userName#))"
                    start="dc=curaspan,dc=local" />
                <cfcatch type="any">
                    <cfoutput>Error: #cfcatch.detail# #cfcatch.message#</cfoutput>
                    <cfabort>
                </cfcatch>
            </cftry>
            <!--- recordcount is 0 when no entry matched the filter --->
            <cfif userAuthentication.recordcount eq 0>
                <cfoutput>Sorry! Invalid User</cfoutput>
            <cfelse>
                <cfoutput>Login Successful</cfoutput>
            </cfif>
        </cfif>
    </cfif>
</cfif>

In the above example, we have a form with a user name field and a password field. When the user fills in those fields and submits the form, the form is posted to the same page and the LDAP server is queried for a record matching the credentials provided by the user. In the server attribute of the cfldap tag we specify the address of the LDAP server, and in the port attribute the port number. If a record is found, we output a "Login Successful" message; if the record count is 0, a "Sorry! Invalid User" message is displayed.
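Listing 1 only tests whether an entry with the submitted uid exists, and it splices form.userName straight into the filter, so the password is never checked by the directory and a user name containing filter metacharacters changes the meaning of the query. The block below is an added example, not the article's code: it escapes the filter value (backslash, asterisk, parentheses and null, the characters the article says must be escaped) and then binds as the found entry's DN so that the directory server itself verifies the password. The function name escapeLdapFilterValue and the server, port and base DN values are placeholders of my own.

```cfml
<cffunction name="escapeLdapFilterValue" returntype="string" output="false">
    <cfargument name="value" type="string" required="true">
    <!--- Backslash first so the escapes added below are not re-escaped. --->
    <cfset var out = Replace(arguments.value, "\", "\5c", "all")>
    <cfset out = Replace(out, "*", "\2a", "all")>
    <cfset out = Replace(out, "(", "\28", "all")>
    <cfset out = Replace(out, ")", "\29", "all")>
    <cfset out = Replace(out, Chr(0), "\00", "all")>
    <cfreturn out>
</cffunction>

<!--- Placeholders: replace with your directory's host, port and base DN. --->
<cfset ldapServer = "ldap.example.com">
<cfset ldapPort   = "389">
<cfset baseDN     = "dc=example,dc=com">
<cfset loggedIn   = false>

<cfif IsDefined("form.login") AND IsDefined("form.userName") AND IsDefined("form.password")
      AND Len(Trim(form.userName)) GT 0 AND Len(form.password) GT 0>
    <cftry>
        <!--- Step 1: find the entry's DN by uid. The escaped value is matched
              literally, so an asterisk in the input is not treated as a wildcard. --->
        <cfldap action="query" name="userLookup"
                server="#ldapServer#" port="#ldapPort#"
                start="#baseDN#" scope="subtree" maxRows="1"
                attributes="dn"
                filter="(uid=#escapeLdapFilterValue(form.userName)#)">
        <cfif userLookup.recordCount EQ 1>
            <!--- Step 2: bind as that DN. The server checks the password; a wrong
                  password makes cfldap throw, which ends up in cfcatch. --->
            <cfldap action="query" name="bindCheck"
                    server="#ldapServer#" port="#ldapPort#"
                    username="#userLookup.dn#" password="#form.password#"
                    start="#userLookup.dn#" scope="base"
                    attributes="uid" filter="(objectclass=*)">
            <cfset loggedIn = bindCheck.recordCount EQ 1>
        </cfif>
        <cfcatch type="any">
            <!--- Bind failure or server error: treat as not authenticated. --->
            <cfset loggedIn = false>
        </cfcatch>
    </cftry>
</cfif>

<cfif loggedIn>
    <cfoutput>Login Successful</cfoutput>
<cfelse>
    <cfoutput>Sorry! Invalid User</cfoutput>
</cfif>
```

Both Listing 1 and this example talk to port 389 in the clear; in deployment, protect the bind with LDAPS or StartTLS (the secure or useTLS attribute of cfldap) so the password is not sent unencrypted.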

Conclusion

In this article I discussed the basics of LDAP and querying an LDAP directory in ColdFusion. In my next article, I will discuss manipulating LDAP directory entries using ColdFusion and some advanced topics related to LDAP.

By Debjani Mallick



User Comments

Title: Excellent writing   
Name: Tailor
Date: 2008-10-09 1:56:33 AM
Comment:
You just have excellent writing skills. So brief description with so simple words. Go on.
Title: Nice article   
Name: Sumit
Date: 2008-10-09 1:22:55 AM
Comment:
Good article.
Title: Need help in active directory   
Name: mukunda
Date: 2008-10-01 12:55:27 AM
Comment:
Hi
Please can anyone help me with how to list all the contacts which are present in the Active Directory, in VB.NET or C# .NET? I am able to list the users which are present in the Active Directory. Please..
Thanks in advance

Mukunda
