In addition, LDAP lets you control which attributes are required and allowed in an entry through the use of a special attribute called objectclass. The values of the objectclass attribute determine the schema rules the entry must obey.

For example, you might want to search the entire directory subtree below the company mycomp for people with the uid berham, retrieving the surname (sn) found. LDAP lets you do this easily. Or you might want to search the entries directly below the c=US entry for organizations with the string "my" in their name and a fax number. LDAP lets you do this too. The next section describes in more detail what you can do with LDAP and how it might be useful to you.

How Does LDAP Work?
LDAP directory service is based on a client/server model. One or more LDAP servers contain the data that makes up the LDAP directory tree. An LDAP client connects to an LDAP server and asks it a question. The server responds with the answer or with a pointer to where the client can get more information (typically, another LDAP server). No matter which LDAP server a client connects to, it sees the same view of the directory; a name presented to one LDAP server references the same entry it would at another LDAP server. This is an important feature of a global directory service such as LDAP.

Let's Do It
We will download and configure our own free LDAP server under Windows 2000. When it's up and running, we'll add our own entries to the server and see how they look in an LDAP editor. Then we'll create an EJB to access the LDAP server and a PowerBuilder client to add or change values.

Installing the Free LDAP Server
First we need a free LDAP server. The OpenLDAP project provides an excellent open source LDAP server for non-Windows platforms, and FiveSight has made a few modifications necessary to compile the server and constituent libraries so that OpenLDAP will run on Windows NT/2000.

Get the Windows implementation of OpenLDAP at www.fivesight.com/downloads/openldap.asp. The most current version at the time of writing was 2.0.19 (OpenLDAP 2.0.19, with debugging enabled). Don't be confused by the Unix-centric archives. The file can be opened and extracted with WinZip. Simply extract it into a directory.

Setting Up an LDAP Server

• Unzip OpenLDAP to c:\OpenLdap
• Create a directory C:\OpenLdap\openldap-ldbm
• Configure C:\OpenLdap\slapd.conf so it looks like Listing 1 (changes are marked in bold)

An LDIF File
LDAP Data Interchange Format (LDIF) is a file format used to import and export directory data from an LDAP server and to describe a set of changes to be applied to data in a directory. This format is described in the Internet draft "The LDAP Data Interchange Format (LDIF) - Technical Specification" (see Resources section at end of article).

The LDIF is used to represent LDAP entries in a simple text format. This section provides a brief description of the LDIF entry format that complements ldif(5) and the technical specification RFC2849.

The basic form of an entry is:

# comment
objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL
MUST ( sn $ cn )
MAY (userPassword $ telephoneNumber $ seeAlso $ description ))

Lines starting with a "#" character are comments. The attribute here is called person. Person must have the attributes sn and cn; for example, it may have userPassword.

Another example is the organization attribute:

objectclass ( 2.5.6.4 NAME 'organization' SUP top STRUCTURAL
MUST o
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationaliSDNNumber $
facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
postalAddress $ physicalDeliveryOfficeName $ st $ l $
description ) )

In our example, if we want to add a DN of o (an organization), you have to specify (it requires) o and you can add additional attributes like description, userPassword, postalCode, or postalAddress. Remember this is defined in core.schema.

If we want to add people to our company we have to define the objectclass, cn, and sn, and as additional values we could add description, telephone number, and password. Listing 2 provides the complete ldaif file we'll use with our OpenLDAP installation.

Create this file in the OpenLDAP installation directory and use the ldapmodify tool from within a DOS-BOX to add this entry to our server.

ldapmodify -a -x -D "cn=Manager,o=myorg,c=US" -W -f example.ldif

To verify if the values are really there, use the ldapsearch tool from within a DOS Box:

ldapsearch -x -b "o=myorg,c=us" "(objectclass=*)"

ldapsearch -x -b "uid=berham,ou=developer,o=myorg,c=us" "
(objectclass=*)"

You'll get back the stored values from your LDAP server.

As you can see, this output doesn't look nice and we have to work from a command shell to make changes to our directory. A better tool to verify and change the values within our LDAP server is a (free) LDAP browser that can be downloaded from www.iit.edu/~gawojar/ldap/download.html. Configure the Base DN and the DN for the user and the password (you can find all these values in our previously configured slapd.conf file) (see Figure 3). After saving and connecting to the LDAP server, look at our previously imported data (see Figure 4).

Programming the LDAP Server
We'll write a PowerBuilder client application that connects to an EAServer installation. Within EAServer we'll have an EJB that connects to the LDAP server and sends results back to the PowerBuilder application.

The PowerBuilder Client
We want to write a PowerBuilder application that can:

• Read and display values from a given DN
• Change values from a given DN
• Add new values
• Test logging on to the LDAP server

The scripts behind the buttons look more or less the same. I decided to copy the code from one button to the next. I would never code this way in a real-world example, but I thought this way would be easier for beginners to understand.

If we look at the button Test Login we can see that there is:

• A connect to EAServer
• The lookup for the EJB home interface
• The creation of the remote object of the EJB
• The initialization for the parameters we'll pass to the EJB
• The function call (in this case, for the connect)
• A MessageBox that shows us success or failure of the authentication

• Import the CTSComponents package for the exceptions.
• Look up the Bean class name and the JNDI name using Jaguar Manager by right-clicking your EJB and choosing properties. On the General tab is the information you'll need (at.bhitcon.ldap.LDAPCaller and myLDAP/LDAPCaller in our case) (see Figure 5).
• When you download and import myLDAP.jar, use Deploy -> EJB on the Package folder in Jaguar Manager.
• Don't forget to install the newly created package (myLDAP) in your Jaguar server!
• Refresh the server.

• Connect to our LDAP server (with username/password verification).
• Search the LDAP directory.
• Add entries to the LDAP directory.
• Change values in our LDAP directory.

Resources