For automating and programmatically accessing Active Directory (AD), the typical API of choice is Microsoft Active Directory Service Interfaces (ADSI). ADSI is an easy-to-use, robust interface that lets you easily manipulate objects in AD. When you combine ADSI with ActiveX Data Objects (ADO) for query purposes, you can perform nearly any function necessary to automate AD.
However, because ADSI is COM based (and COM is a proprietary Microsoft technology), you can't easily use ADSI from other platforms. In other words, ADSI is tied to Windows OSs. Using ADSI to develop scripts or applications on a non-Windows platform or to develop cross-platform scripts or applications is difficult. Fortunately, an alternative exists: You can use a Lightweight Directory Access Protocol (LDAP) API.
Microsoft's track record for supporting standards hasn't always been that great, but with AD, Microsoft made significant improvements in that regard. AD supports not only LDAP but also other standards, such as DNS, Simple Network Time Protocol (SNTP), Secure Sockets Layer (SSL), Transport Layer Security (TLS), and Kerberos. One of the great benefits of AD supporting LDAP is that LDAP makes AD much more platform neutral from a client perspective. Because LDAP is a standard, you aren't limited to Windows clients and platforms. LDAP has been around for many years and has clients for nearly all platforms, which means you can write LDAP-enabled clients or scripts to query and update AD from your platform of choice. Having that capability is a boon for administrators who need to develop scripts or applications on a non-Windows platform or write cross-platform applications or scripts that use AD.
Many people think of LDAP only as a protocol, but unlike most protocol standards, it's also associated with an Internet Engineering Task Force (IETF) Request for Comments (RFC)-defined API. Defined in RFC 1823 (http://www.ietf.org/rfc/rfc1823.txt) and typically referred to as the C-style LDAP API, the API defines a basic set of functions necessary to query and update an LDAP-based directory. Microsoft and Netscape both have an LDAP software development kit (SDK) that implements the C-style LDAP API.
Although having a de facto standard API to use with LDAP was helpful at first, the C-style LDAP API wasn't object-oriented (OO) and didn't map well to some languages, such as Java. For that reason, Sun Microsystems developed its own LDAP API, known as the Java Naming and Directory Interface (JNDI, http://java.sun.com/products/jndi). JNDI is more than just an LDAP API. JNDI is also an interface to DNS and is similar in concept to ADSI as a generic directory interface.
In the Perl world, some Netscape developers created a set of LDAP Perl modules based on the Netscape LDAP SDK, commonly referred to as PerLDAP. The PerLDAP module names are prefixed with Mozilla::LDAP. Unfortunately, those Perl modules require that you install the Netscape LDAP SDK to use them. Another group of developers, led by Graham Barr, developed a pure Perl implementation, a set of Perl modules referred to as perl-ldap, which should not be confused with Netscape's PerLDAP. The perl-ldap module names are prefixed with Net::LDAP. The big advantage of the Net::LDAP modules over the Netscape modules is that you can install the Net::LDAP modules on virtually any machine that supports Perl and can write LDAP-based clients without the need for an external SDK or other software. The Net::LDAP modules use many of the C-style API function names but are OO for easier use.
In this article, I explain how to install and use the Net::LDAP modules to query AD. (Because this article is targeted toward experienced Perl users, I don't go into how to install and use Perl.) In Part 2, I'll discuss how to use the Net::LDAP modules to create and update objects in AD.
Installing Net::LDAP
For the Perl aficionados, installing modules is probably second nature. To use the Comprehensive Perl Archive Network (CPAN) shell to install Net::LDAP, you can run the following command from the command line:
> perl -MCPAN -e shell
cpan> install Net::LDAP
If you've never used the CPAN shell, learning how to use it is worthwhile because it makes installing and updating modules easy. The CPAN.pm module comes with most Perl installations; when you run this module for the first time, it walks you through how to set up the CPAN shell. You can also find instructions about how to install CPAN modules for a particular platform on the CPAN Web site (http://www.cpan.org/modules/INSTALL.html).
You can find links to the latest version of the perl-ldap library along with its online documentation on the perl-ldap home page (http://perl-ldap.sourceforge.net). The version used in this article's code is perl-ldap-0.26.
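As an added example (not the article's own code), here is the kind of AD query the Net::LDAP modules let you write once they are installed: it upgrades the connection to TLS before binding, escapes the user-supplied account name so it cannot change the filter, and reports whether each matching account is disabled. The domain controller name, CA bundle path, bind account and search base are placeholders you must replace, and the script assumes a perl-ldap new enough to provide start_tls.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Placeholder values: replace with your own domain controller, CA bundle,
# read-only bind account and search base.
my $dc      = 'dc1.example.com';
my $ca_file = '/etc/ssl/certs/corp-ca.pem';
my $bind_dn = 'CN=ldapreader,OU=Service Accounts,DC=example,DC=com';
my $bind_pw = $ENV{LDAP_PW} or die "set LDAP_PW in the environment\n";
my $base    = 'DC=example,DC=com';
my $wanted  = shift @ARGV or die "usage: $0 <sAMAccountName>\n";

my $ldap = Net::LDAP->new($dc, port => 389, version => 3)
    or die "cannot connect to $dc: $@";

# Upgrade to TLS before any credentials are sent, and refuse to continue
# if the server certificate does not validate against the CA bundle.
my $mesg = $ldap->start_tls(verify => 'require', cafile => $ca_file);
die 'StartTLS failed: ' . $mesg->error if $mesg->code;

$mesg = $ldap->bind($bind_dn, password => $bind_pw);
die 'bind failed: ' . $mesg->error if $mesg->code;

# Escape the user-supplied name so it cannot alter the filter's structure.
my $filter = sprintf '(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s))',
                     escape_filter_value($wanted);

$mesg = $ldap->search(
    base   => $base,
    scope  => 'sub',
    filter => $filter,
    attrs  => [qw(sAMAccountName distinguishedName userAccountControl)],
);
die 'search failed: ' . $mesg->error if $mesg->code;

foreach my $entry ($mesg->entries) {
    my $uac = $entry->get_value('userAccountControl') || 0;
    # Bit 0x2 of userAccountControl (ACCOUNTDISABLE) marks a disabled account.
    printf "%s\t%s\t%s\n",
        $entry->get_value('sAMAccountName'),
        ($uac & 0x2) ? 'disabled' : 'enabled',
        $entry->get_value('distinguishedName');
}

$ldap->unbind;
```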