Hands on

A directory service is an application that lets you store, retrieve and modify information about network-attached resources such as users.
If you want to keep a directory of company employees, for example, you would use a directory service instead of storing that information directly in a database. A directory service is created in a directory server, which is built on top of the database.
Directory servers are equally useful online, for use in web-based services like social networks.
In this article I shall create a directory service using PHP, one of the internet's most popular scripting languages, and the OpenLDAP directory server, part of the ubiquitous OpenLDAP suite shipped by Linux distributions and in vendors' software.
I have picked OpenLDAP because it's an open source package, meaning the code is easy to grab and use, and because it's easier to install and use than commercial directory servers such as Oracle Internet Directory server or IBM's Tivoli directory server.
Get up to speed
First, some basic - but essential - orientation. As I mentioned, the actual user data is stored in a database - a directory service is an abstract layer that sits on top of the database.
Lightweight Directory Access Protocol (LDAP) is a lightweight protocol for accessing directory services; it also defines the operations for adding, searching, modifying and deleting directory entries. A "directory entry" is a set of attributes identified by a globally unique Distinguished Name (DN). Each of a directory entry's attributes has a type and one or more values.
Some examples of attribute types are discussed in the following table:
The attributes in a directory entry's DN are arranged in a hierarchy from right to left: the right-most attributes form the base entry and the left-most attribute is called the Relative Distinguished Name (RDN). A DN is a sequence of RDNs. An example of a DN is as follows.
In this example, the base entry/root is dc=example,dc=com, and the RDN is
OK, now let's get started. First, install Apache HTTP Server 2.3.2 and PHP 5.2. Enable the PHP LDAP extension in the php.ini configuration file.
Configure the directory suffix and the root (administrator) DN and password in the OpenLDAP configuration file, slapd.conf:
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw netldap
Start or restart the OpenLDAP directory service. Start the OpenLDAP server (slapd) from a command prompt; -d 1 keeps it in the foreground with debug output at level 1:
C:\Program Files\OpenLDAP> .\slapd -d 1
LDAP entries are represented in LDAP Data Interchange Format (LDIF). Create the base entry from an LDIF file, binding as the root DN configured above:
C:\Program Files\OpenLDAP>ldapadd -D "cn=Manager,dc=example,dc=com" -v -w netldap -f baseentry.ldif
Double click on the lbe.bat file to start the LDAP Browser, which displays the base directory entry. Directory entries may be added to the base entry.
Base directory entry
Create a directory entry
Next, we shall create directory entries in the OpenLDAP server. For our example, let's create a directory of members of a social network of PHP developers, PHPNetwork. We shall use the following dn as the root/base DN.
The objectclass attribute specifies the data type of an entry, and which attributes are required and which are optional. More than one object class may be specified in the objectclass attribute. Object classes form a class hierarchy, and each objectclass has required and optional attributes. The object classes supported by the OpenLDAP server are specified in the C:\Program Files\OpenLDAP\schema\core.schema file. We shall create a directory service using the top, person and organizationalPerson object classes. The top object class does not have any required attributes. Object class person has the required attributes cn and sn. Object class organizationalPerson does not have any required attributes of its own; some of its optional attributes are title, telephoneNumber, postalCode and postalAddress.
Create an HTML page, addEntry.html, to input a directory entry's values. Create a PHP script, add_entry.php. Connect with the OpenLDAP server using:
$ldaphost = "localhost";
$ldapport = 389;
$ldapconn = ldap_connect($ldaphost, $ldapport);
The ldap_connect() function only initializes the connection parameters and returns a connection resource; it does not actually connect to the LDAP server. Set the LDAP protocol version to three using:
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
Next, bind to the LDAP server using the connection resource, the root DN and its password:
$r = ldap_bind($ldapconn, "cn=Manager,dc=example,dc=com", "netldap");
Create a directory entry variable consisting of an array of attributes. For example, the cn attribute is specified as follows.
In the directory entry for a PHPNetwork member we shall be setting the attributes
postalAddress. If an attribute has more than one value, the values are specified using a two-dimensional array (one index per value; assigning the same key three times would simply overwrite the previous value), as for the objectclass attribute:
$directory_entry["objectclass"][0] = "top";
$directory_entry["objectclass"][1] = "person";
$directory_entry["objectclass"][2] = "organizationalPerson";
Specify the dn of the directory entry to be added.
Add the directory entry to the LDAP directory using:
$r = ldap_add($ldapconn, $dn, $directory_entry);
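The add step above, pulled together as one working script. This is an added example, not the article's add_entry.php; it assumes the slapd.conf values shown earlier and substitutes constructed form values for $_GET. Because the cn value ends up inside the DN, it is escaped per RFC 4514 first (the article's PHP 5.2 has no ldap_escape(); that function appeared in PHP 5.6).

```php
<?php
// Added example: add a PHPNetwork member under the article's base DN.
// Assumes slapd on localhost:389 with the suffix/rootdn/rootpw from slapd.conf.
$base_dn = "dc=example,dc=com";
$bind_dn = "cn=Manager,dc=example,dc=com"; // rootdn: fine for a tutorial, but a
$bind_pw = "netldap";                      // real app should bind with its own DN

// Escape a value that becomes part of a DN (RFC 4514) so that a form value such
// as "Smith,ou=admins" cannot add RDN components of its own. Hypothetical helper.
function dn_escape($value) {
    $value = str_replace(array('\\', ',', '+', '"', '<', '>', ';'),
                         array('\5c', '\2c', '\2b', '\22', '\3c', '\3e', '\3b'),
                         $value);
    if ($value !== '' && ($value[0] === ' ' || $value[0] === '#')) {
        $value = '\\' . $value;                    // leading space or '#'
    }
    if (substr($value, -1) === ' ') {
        $value = substr($value, 0, -1) . '\\ ';     // trailing space
    }
    return $value;
}

// Constructed sample input; the article reads these from addEntry.html via $_GET.
$input = array('cn' => 'John Smith', 'sn' => 'Smith', 'title' => 'PHP developer',
               'telephoneNumber' => '555-0100', 'postalCode' => '12345',
               'postalAddress' => '1 Main St');

$ldapconn = ldap_connect("localhost", 389);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!ldap_bind($ldapconn, $bind_dn, $bind_pw)) {
    die("bind failed: " . ldap_error($ldapconn) . "\n");
}

// objectclass is multi-valued: one sub-array index per value.
$entry = array('objectclass' => array('top', 'person', 'organizationalPerson'));
foreach (array('cn', 'sn', 'title', 'telephoneNumber', 'postalCode', 'postalAddress') as $attr) {
    if (isset($input[$attr]) && $input[$attr] !== '') {
        $entry[$attr] = $input[$attr];   // an empty attribute value makes ldap_add fail
    }
}

$dn = "cn=" . dn_escape($input['cn']) . "," . $base_dn;
if (!ldap_add($ldapconn, $dn, $entry)) {
    die("add failed: " . ldap_error($ldapconn) . "\n");   // e.g. "Already exists"
}
echo "Added " . $dn . "\n";
ldap_unbind($ldapconn);
```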
Run addEntry.html in a browser. Specify a directory entry's values and click on Add Entry.
Adding a directory entry
The directory entries added to the OpenLDAP server get listed in the LDAP Browser.
New directory entry
Modify a directory entry
Create a PHP script, modify_entry.php, to modify a directory entry. Create a connection resource and bind with the LDAP directory. Create a directory entry variable consisting of an array of attributes with the modified values. For example, modify the "title" attribute value and the "telephoneNumber" attribute value. The attribute values are obtained from an input HTML form, modifyEntry.html:
$directory_entry["title"] = $_GET['title'];
$directory_entry["telephoneNumber"] = $_GET['telephoneNumber'];
A directory entry is identified by its distinguished name. Specify the dn of the directory entry to modify.
Modify the directory entry with
Run the input form to modify a directory entry in a browser. Specify the modified values and click on Modify Entry. The directory entry values should now be modified.
Search a directory entry
In this section we will use a PHTML (PHP embedded in HTML) script to search for a directory entry and display the result. Add the .phtml extension to the AddType configuration directive in the httpd.conf file and restart the Apache web server:
AddType application/x-httpd-php .php .phtml
Create a PHTML script, search_entry.phtml, and create a connection resource and bind with the directory server. Next, specify an attribute array listing the attributes to be retrieved. By default, all attributes are retrieved.
$attribute_array = array("cn", "sn", "title", "telephoneNumber", "postalCode", "postalAddress");
Specify the dn of the directory entry to search. The cn attribute value is specified in an input form, searchEntry.html.
Specify a filter for the search. For example, specify a filter that matches entries of any object class:
$filter = "(objectclass=*)";
Search the directory using:
$sr = ldap_search($ldapconn, $dn, $filter, $attribute_array);
Retrieve the directory entries in the search result using:
$directory_entries = ldap_get_entries($ldapconn, $sr);
Create an HTML table to display the search result. Run the searchEntry.html page in a browser. Specify the first name of a member. The member information for the specified member name should now be displayed.
A directory entry may be deleted using ldap_delete() with the entry's dn.
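The search, modify and delete steps from the sections above, as one added example (not the article's search_entry.phtml or modify_entry.php). It assumes the slapd.conf values shown earlier, looks a member up by cn with an RFC 4515-escaped filter instead of building a DN from form input, and then runs ldap_modify() and ldap_delete() against the DN the server returned.

```php
<?php
// Added example: find a PHPNetwork member by cn, then modify and delete that entry.
// Assumes slapd on localhost:389 with the suffix/rootdn/rootpw from slapd.conf.
$base_dn = "dc=example,dc=com";
$ldapconn = ldap_connect("localhost", 389);
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!ldap_bind($ldapconn, "cn=Manager,dc=example,dc=com", "netldap")) {
    die("bind failed: " . ldap_error($ldapconn) . "\n");
}

// Escape a value before placing it in a search filter (RFC 4515). Without this a
// form value of "*" or "x)(title=*" changes what the filter matches. Hypothetical
// helper; PHP 5.6+ offers ldap_escape($v, '', LDAP_ESCAPE_FILTER) instead.
function filter_escape($value) {
    return str_replace(array('\\', '*', '(', ')', "\x00"),
                       array('\5c', '\2a', '\28', '\29', '\00'), $value);
}

$name = 'John Smith';   // constructed sample input; the article reads $_GET from searchEntry.html
$filter = "(&(objectclass=person)(cn=" . filter_escape($name) . "))";
$attrs = array("cn", "sn", "title", "telephoneNumber", "postalCode", "postalAddress");
$sr = ldap_search($ldapconn, $base_dn, $filter, $attrs);
$entries = ldap_get_entries($ldapconn, $sr);

if ($entries["count"] != 1) {
    die("expected exactly one entry for cn=" . $name . ", got " . $entries["count"] . "\n");
}
$found = $entries[0];
$dn = $found["dn"];   // exact DN as stored by the server; reuse it rather than rebuilding it
foreach ($attrs as $a) {
    $key = strtolower($a);           // ldap_get_entries() lower-cases attribute names
    if (isset($found[$key])) {       // [0] is the first value; ["count"] gives how many
        echo htmlspecialchars($a . ": " . $found[$key][0]) . "\n";   // escape before HTML output
    }
}

// ldap_modify() replaces the listed attributes with the given values.
$changes = array('title' => 'Senior PHP developer', 'telephoneNumber' => '555-0199');
if (!ldap_modify($ldapconn, $dn, $changes)) {
    die("modify failed: " . ldap_error($ldapconn) . "\n");
}

// ldap_delete() removes a leaf entry; an entry that still has children is refused.
if (!ldap_delete($ldapconn, $dn)) {
    die("delete failed: " . ldap_error($ldapconn) . "\n");
}
ldap_unbind($ldapconn);
```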
That's it. You now know how to create a directory service for the users of an online service, such as a social network, using PHP with OpenLDAP.