View Source eldap (eldap v1.2.13)

LDAP Client

This module provides a client api to the Lightweight Directory Access Protocol (LDAP).

References:

  • RFC 4510 - RFC 4519
  • RFC 2830

The above publications can be found at IETF.

Terminology abbreviations:

  • Dn. An LDAPDN is defined to be the representation of a Distinguished Name (DN) after encoding according to the specification in [RFC4514].

Summary

Types

The attributes of an entry

The LDAP socket and the transport protocol, TCP or TLS (SSL), used by the ldap connection

An opaque type representing a filter operation.

An opaque handle unique for the connection

Entry modification operations. See mod_add/2, mod_delete/2, mod_replace/2

The LDAP Server Address. The contents of Address is server dependent.

A requested set of serach options for seaching the directory

Functions

Add an entry. The entry must not exist.

Creates a filter where all Filter must be true.

Create a approximation match filter.

Search baseobject only.

Shutdown the connection after sending an unbindRequest to the server.

Delete an entry.

Always dereference aliases.

Dereference aliases only in finding the base.

Dereference aliases only when searching.

Create a equality filter.

Creates an extensible match filter. For example,

Create a greater or equal filter.

Currently available information reveals the socket and the transport protocol, TCP or TLS (SSL), used by the LDAP connection.

Create a less or equal filter.

Create an add modification operation.

Create a delete modification operation.

Create a replace modification operation.

Modify the password of a user. See modify_password/4.

Modify the password of a user.

Never dereference aliases, treat aliases as entries.

Negate a filter.

Setup a connection to an LDAP server, the HOST's are tried in order.

Setup a connection to an LDAP server, the HOST's are tried in order.

Create a filter where at least one of the Filter must be true.

paged_result_control(PageSize) -> {control, "1.2.840.113556.1.4.319", true, binary()}

paged_result_control(PageSize, Cookie) -> {control, "1.2.840.113556.1.4.319", true, binary()}

paged_result_cookie(SearchResult) -> binary()

Create a filter which filters on attribute type presence.

Search the directory with the supplied the SearchOptions.

Authenticate the connection using simple authentication.

Search the specified level only, i.e. do not recurse.

Same as start_tls(Handle, Options, infinity)

Upgrade the connection associated with Handle to a TLS connection if possible.

Create a filter which filters on substrings.

Search the entire subtree.

Types

Link to this type

attribute()

View Source (not exported) (since OTP R15B01)
-type attribute() :: {Type :: string(), Value :: [string()]}.

The attributes of an entry

Link to this type

connection_info()

View Source (not exported) (since OTP R15B01)
-type connection_info() :: #{socket := ssl:sslsocket() | gen_tcp:socket(), socket_type := tcp | ssl}.

The LDAP socket and the transport protocol, TCP or TLS (SSL), used by the ldap connection

Link to this opaque

dereference()

View Source (since OTP R15B01)
-opaque dereference()

How to handle aliases during a search. See neverDerefAliases/0, derefInSearching/0, derefFindingBaseObj/0, derefAlways/0

Link to this type

filter()

View Source (not exported) (since OTP R15B01)
-type filter() :: term().

An opaque type representing a filter operation.

See the filter creation functions for more info, including, present/1, substrings/2, equalityMatch/2, greaterOrEqual/2, lessOrEqual/2, approxMatch/2, extensibleMatch/2, 'and'/1, 'or'/1, 'not'/1

Link to this type

handle()

View Source (not exported) (since OTP R15B01)
-type handle() :: term().

An opaque handle unique for the connection

Link to this type

modify_op()

View Source (not exported) (since OTP R15B01)
-type modify_op() :: term().

Entry modification operations. See mod_add/2, mod_delete/2, mod_replace/2

Link to this type

referrals()

View Source (not exported) (since OTP R15B01)
-type referrals() :: [Address :: string()].

The LDAP Server Address. The contents of Address is server dependent.

Link to this opaque

scope()

View Source (since OTP R15B01)
-opaque scope()

Scope of a search. See baseObject/0, singleLevel/0, wholeSubtree/0

Link to this type

search_option()

View Source (not exported) (since OTP R15B01)
-type search_option() ::
          {base, string()} |
          {filter, filter()} |
          {scope, scope()} |
          {attributes, [string()]} |
          {deref, dereference()} |
          {types_only, boolean()} |
          {timeout, integer()}.

A requested set of serach options for seaching the directory

Functions

Link to this function

add(Handle, Dn, Attributes)

View Source (since OTP R15B01)
-spec add(Handle, Dn, Attributes) -> ok | {ok, Refs} | {error, Reason}
             when
                 Handle :: handle(),
                 Dn :: string(),
                 Attributes :: [attribute()],
                 Refs :: {referral, referrals()},
                 Reason :: term().

Add an entry. The entry must not exist.

  add(Handle,
      "cn=Bill Valentine, ou=people, o=Example Org, dc=example, dc=com",
       [{"objectclass", ["person"]},
        {"cn", ["Bill Valentine"]},
        {"sn", ["Valentine"]},
        {"telephoneNumber", ["545 555 00"]}]
     )
Link to this function

'and'(ListOfFilters)

View Source (since OTP R15B01)
-spec 'and'(ListOfFilters) -> filter() when ListOfFilters :: [filter()].

Creates a filter where all Filter must be true.

Link to this function

approxMatch(Type, Value)

View Source (since OTP R15B01)
-spec approxMatch(Type, Value) -> filter() when Type :: string(), Value :: string().

Create a approximation match filter.

Link to this function

baseObject()

View Source (since OTP R15B01)
-spec baseObject() -> scope().

Search baseobject only.

Link to this function

close(Handle)

View Source (since OTP R15B01)
-spec close(Handle) -> ok when Handle :: handle().

Shutdown the connection after sending an unbindRequest to the server.

If the connection is TLS the connection will be closed with ssl:close/1, otherwise with gen_tcp:close/1.

Link to this function

delete(Handle, Dn)

View Source (since OTP R15B01)
-spec delete(Handle, Dn) -> ok | {ok, Refs} | {error, Reason}
                when
                    Handle :: handle(),
                    Dn :: string(),
                    Refs :: {referral, referrals()},
                    Reason :: term().

Delete an entry.

  delete(Handle, "cn=Bill Valentine, ou=people, o=Example Org, dc=example, dc=com")
Link to this function

derefAlways()

View Source (since OTP R15B01)
-spec derefAlways() -> dereference().

Always dereference aliases.

Link to this function

derefFindingBaseObj()

View Source (since OTP R15B01)
-spec derefFindingBaseObj() -> dereference().

Dereference aliases only in finding the base.

Link to this function

derefInSearching()

View Source (since OTP R15B01)
-spec derefInSearching() -> dereference().

Dereference aliases only when searching.

Link to this function

equalityMatch(Type, Value)

View Source (since OTP R15B01)
-spec equalityMatch(Type, Value) -> filter() when Type :: string(), Value :: string().

Create a equality filter.

Link to this function

extensibleMatch(MatchValue, OptionalAttrs)

View Source (since OTP 17.4)
-spec extensibleMatch(MatchValue, OptionalAttrs) -> filter()
                         when
                             MatchValue :: string(),
                             OptionalAttrs ::
                                 [{matchingRule, string()} |
                                  {type, string()} |
                                  {dnAttributes, boolean()}].

Creates an extensible match filter. For example,

  eldap:extensibleMatch("Bar", [{type,"sn"}, {matchingRule,"caseExactMatch"}]))

creates a filter which performs a caseExactMatch on the attribute sn and matches with the value "Bar". The default value of dnAttributes is false.

Link to this function

greaterOrEqual(Type, Value)

View Source (since OTP R15B01)
-spec greaterOrEqual(Type, Value) -> filter() when Type :: string(), Value :: string().

Create a greater or equal filter.

Link to this function

info(Handle)

View Source (since OTP 25.3.1)
-spec info(Handle) -> connection_info() when Handle :: handle().

Currently available information reveals the socket and the transport protocol, TCP or TLS (SSL), used by the LDAP connection.

Link to this function

lessOrEqual(Type, Value)

View Source (since OTP R15B01)
-spec lessOrEqual(Type, Value) -> filter() when Type :: string(), Value :: string().

Create a less or equal filter.

Link to this function

mod_add(Type, Values)

View Source (since OTP R15B01)
-spec mod_add(Type, Values) -> modify_op() when Type :: string(), Values :: [string()].

Create an add modification operation.

Link to this function

mod_delete(Type, Values)

View Source (since OTP R15B01)
-spec mod_delete(Type, Values) -> modify_op() when Type :: string(), Values :: [string()].

Create a delete modification operation.

Link to this function

mod_replace(Type, Values)

View Source (since OTP R15B01)
-spec mod_replace(Type, Values) -> modify_op() when Type :: string(), Values :: [string()].

Create a replace modification operation.

Link to this function

modify(Handle, Dn, ModifyOps)

View Source (since OTP R15B01)
-spec modify(Handle, Dn, ModifyOps) -> ok | {ok, Refs} | {error, Reason}
                when
                    Handle :: handle(),
                    Dn :: string(),
                    ModifyOps :: [term()],
                    Refs :: {referral, referrals()},
                    Reason :: term().

Modify an entry.

  modify(Handle, "cn=Bill Valentine, ou=people, o=Example Org, dc=example, dc=com",
         [eldap:mod_replace("telephoneNumber", ["555 555 00"]),
	  eldap:mod_add("description", ["LDAP Hacker"]) ])
Link to this function

modify_dn(Handle, Dn, NewRDN, DeleteOldRDN, NewSupDN)

View Source (since OTP R15B01)
-spec modify_dn(Handle, Dn, NewRDN, DeleteOldRDN, NewSupDN) -> ok | {ok, Refs} | {error, Reason}
                   when
                       Handle :: handle(),
                       Dn :: string(),
                       NewRDN :: string(),
                       DeleteOldRDN :: boolean(),
                       NewSupDN :: string(),
                       Refs :: {referral, referrals()},
                       Reason :: term().

Modify the DN of an entry.

DeleteOldRDN indicates whether the current RDN should be removed from the attribute list after the operation. NewSupDN is the new parent that the RDN shall be moved to. If the old parent should remain as parent, NewSupDN shall be "".

  modify_dn(Handle, "cn=Bill Valentine, ou=people, o=Example Org, dc=example, dc=com ",
            "cn=Bill Jr Valentine", true, "")
Link to this function

modify_password(Handle, Dn, NewPasswd)

View Source (since OTP 18.0)
-spec modify_password(Handle, Dn, NewPasswd) -> ok | {ok, Refs} | {error, term()} | {ok, GenPasswd}
                         when
                             Handle :: handle(),
                             Dn :: string(),
                             NewPasswd :: string(),
                             Refs :: {referral, referrals()},
                             GenPasswd :: string().

Modify the password of a user. See modify_password/4.

Link to this function

modify_password(Handle, Dn, NewPasswd, OldPasswd)

View Source (since OTP 18.0)
-spec modify_password(Handle, Dn, NewPasswd, OldPasswd) ->
                         ok | {ok, Refs} | {error, term()} | {ok, GenPasswd}
                         when
                             Handle :: handle(),
                             Dn :: string(),
                             NewPasswd :: string(),
                             OldPasswd :: string(),
                             Refs :: {referral, referrals()},
                             GenPasswd :: string().

Modify the password of a user.

  • Dn. The user to modify. Should be "" if the modify request is for the user of the LDAP session.
  • NewPasswd. The new password to set. Should be "" if the server is to generate the password. In this case, the result will be {ok, GenPasswd}.
  • OldPasswd. Sometimes required by server policy for a user to change their password. If not required, use modify_password/3.
Link to this function

neverDerefAliases()

View Source (since OTP R15B01)
-spec neverDerefAliases() -> dereference().

Never dereference aliases, treat aliases as entries.

Link to this function

'not'(Filter)

View Source (since OTP R15B01)
-spec 'not'(Filter) -> filter() when Filter :: {filter()}.

Negate a filter.

Link to this function

open(Hosts)

View Source (since OTP R15B01)
-spec open(Hosts) -> {ok, Handle} | {error, Reason}
              when
                  Hosts :: [Host],
                  Host :: inet:socket_address() | inet:hostname(),
                  Handle :: handle(),
                  Reason :: term().

Setup a connection to an LDAP server, the HOST's are tried in order.

Link to this function

open(Hosts, Options)

View Source (since OTP R15B01)
-spec open(Hosts, Options) -> {ok, Handle} | {error, Reason}
              when
                  Hosts :: [Host],
                  Host :: inet:socket_address() | inet:hostname(),
                  Options ::
                      [{port, integer()} |
                       {log, function()} |
                       {timeout, integer()} |
                       {ssl, boolean()} |
                       {sslopts, list()} |
                       {tcpopts, list()}],
                  Handle :: handle(),
                  Reason :: term().

Setup a connection to an LDAP server, the HOST's are tried in order.

The log function takes three arguments, fun(Level, FormatString, [FormatArg]) end.

Timeout set the maximum time in milliseconds that each server request may take.

All TCP socket options are accepted except active, binary, deliver, list, mode and packet

Link to this function

'or'(ListOfFilters)

View Source (since OTP R15B01)
-spec 'or'(ListOfFilters) -> filter() when ListOfFilters :: [filter()].

Create a filter where at least one of the Filter must be true.

Link to this function

paged_result_control(PageSize)

View Source (since OTP 24.3)
-spec paged_result_control(PageSize) -> {control, ControlOID, true, binary()}
                              when PageSize :: integer(), ControlOID :: string().

paged_result_control(PageSize) -> {control, "1.2.840.113556.1.4.319", true, binary()}

Paged results is an extension to the LDAP protocol specified by RFC2696

This function creates a control with the specified page size for use in search/3, for example:

Control = eldap:paged_result_control(50),
{ok, SearchResults} = search(Handle, [{base, "dc=example, dc=com"}], [Control]),
Link to this function

paged_result_control(PageSize, Cookie)

View Source (since OTP 24.3)
-spec paged_result_control(PageSize, Cookie) -> {control, ControlOID, true, binary()}
                              when PageSize :: integer(), Cookie :: string(), ControlOID :: string().

paged_result_control(PageSize, Cookie) -> {control, "1.2.840.113556.1.4.319", true, binary()}

Paged results is an extension to the LDAP protocol specified by RFC2696

This function creates a control with the specified page size and cookie for use in search/3 to retrieve the next results page.

For example:

PageSize = 50,
Control1 = eldap:paged_result_control(PageSize),
{ok, SearchResults1} = search(Handle, [{base, "dc=example, dc=com"}], [Control1]),
%% retrieve the returned cookie from the search results
{ok, Cookie1} = eldap:paged_result_cookie(SearchResults1),
Control2 = eldap:paged_result_control(PageSize, Cookie1),
{ok, SearchResults2} = eldap:search(Handle, [{base, "dc=example,dc=com"}], [Control2]),
%% etc
Link to this function

paged_result_cookie/1

View Source (since OTP 24.3)
-spec paged_result_cookie(#eldap_search_result{controls :: maybe_improper_list(),
                                               entries :: term(),
                                               referrals :: term()}) ->
                             {error, no_cookie} |
                             {ok,
                              asn1_NOVALUE |
                              [[any()] | byte() | {_, _} | {_, _, _}] |
                              #'AttributeValueAssertion'{attributeDesc :: [any()],
                                                         assertionValue :: [any()]}}.

paged_result_cookie(SearchResult) -> binary()

Paged results is an extension to the LDAP protocol specified by RFC2696.

This function extracts the cookie returned from the server as a result of a paged search result.

If the returned cookie is the empty string "", then these search results represent the last in the series.

Link to this function

present(Type)

View Source (since OTP R15B01)
-spec present(Type) -> filter() when Type :: string().

Create a filter which filters on attribute type presence.

Link to this function

search(Handle, SearchOptions)

View Source (since OTP R15B01)
-spec search(Handle, SearchOptions) ->
                {ok, #eldap_search_result{entries :: term(), referrals :: term(), controls :: term()}} |
                {ok, Refs} |
                {error, Reason}
                when
                    Handle :: handle(),
                    SearchOptions ::
                        #eldap_search{base :: term(),
                                      filter :: term(),
                                      size_limit :: term(),
                                      scope :: term(),
                                      deref :: term(),
                                      attributes :: term(),
                                      types_only :: term(),
                                      timeout :: term()} |
                        [search_option()],
                    Refs :: {referral, referrals()},
                    Reason :: term().

Search the directory with the supplied the SearchOptions.

The base and filter options must be supplied. Default values: scope is wholeSubtree/0, deref is derefAlways/0, types_only is false and timeout is 0 (meaning infinity).

  Filter = eldap:substrings("cn", [{any,"V"}]),
  search(Handle, [{base, "dc=example, dc=com"}, {filter, Filter}, {attributes, ["cn"]}]),

The timeout option in the SearchOptions is for the ldap server, while the timeout in eldap:open/2 is used for each individual request in the search operation.

Link to this function

simple_bind(Handle, Dn, Password)

View Source (since OTP R15B01)
-spec simple_bind(Handle, Dn, Password) -> ok | {ok, Refs} | {error, Reason}
                     when
                         Handle :: handle(),
                         Dn :: string(),
                         Password :: string(),
                         Refs :: {referral, referrals()},
                         Reason :: term().

Authenticate the connection using simple authentication.

Link to this function

singleLevel()

View Source (since OTP R15B01)
-spec singleLevel() -> scope().

Search the specified level only, i.e. do not recurse.

Link to this function

start_tls(Handle, TlsOptions)

View Source (since OTP R16B03)
-spec start_tls(Handle, TlsOptions) -> ok | {ok, Refs} | {error, Reason}
                   when
                       Handle :: handle(),
                       TlsOptions :: ssl:tls_client_option(),
                       Refs :: {referral, referrals()},
                       Reason :: term().

Same as start_tls(Handle, Options, infinity)

Link to this function

start_tls(Handle, TlsOptions, Timeout)

View Source (since OTP R16B03)
-spec start_tls(Handle, TlsOptions, Timeout) -> ok | {ok, Refs} | {error, Reason}
                   when
                       Handle :: handle(),
                       TlsOptions :: ssl:tls_client_option(),
                       Timeout :: infinity | pos_integer(),
                       Refs :: {referral, referrals()},
                       Reason :: term().

Upgrade the connection associated with Handle to a TLS connection if possible.

The upgrade is done in two phases: first the server is asked for permission to upgrade. Second, if the request is acknowledged, the upgrade to TLS is performed.

Error responses from phase one will not affect the current encryption state of the connection. Those responses are:

  • tls_already_started - The connection is already encrypted. The connection is not affected.

  • {response,ResponseFromServer} - The upgrade was refused by the LDAP server. The ResponseFromServer is an atom delivered byt the LDAP server explained in section 2.3 of rfc 2830. The connection is not affected, so it is still un-encrypted.

Errors in the second phase will however end the connection:

  • Error - Any error responded from ssl:connect/3

The Timeout parameter is for the actual TLS upgrade (phase 2) while the timeout in eldap:open/2 is used for the initial negotiation about upgrade (phase 1).

Link to this function

substrings(Type, SubStrings)

View Source (since OTP R15B01)
-spec substrings(Type, SubStrings) -> filter()
                    when
                        Type :: string(),
                        SubStrings :: [{initial, string()} | {any, string()} | {final, string()}].

Create a filter which filters on substrings.

Link to this function

wholeSubtree()

View Source (since OTP R15B01)
-spec wholeSubtree() -> scope().

Search the entire subtree.