In "Querying and Updating AD, Part 1," February 2003, http://www.winscriptingsolutions.com, InstantDoc ID 27569, and "Querying and Updating AD, Part 2," March 2003, InstantDoc ID 37717, I cover how you can use the Net::LDAP Perl modules to automate your Active Directory (AD) infrastructure with Perl and standard Lightweight Directory Access Protocol (LDAP). But some of the basic functions you might need to perform, such as searching for or deleting objects, can't always be carried out fully with the standard LDAP operations. In some circumstances, LDAP imposes limitations on the client to prevent it from doing something it shouldn't, such as accidentally deleting an entire tree of the directory hierarchy. However, in many situations, you truly need to perform the actions that the default LDAP operations don't provide. These situations are where LDAP controls come into play.
LDAP Controls
Internet Engineering Task Force (IETF) Request for Comments (RFC) 2251 (http://www.ietf.org/rfc/rfc2251.txt) defines LDAP controls as part of the LDAP version 3 (LDAPv3) specification. Controls are an important feature of LDAP because they let vendors build extensions to LDAP operations on top of a directory server without revising the LDAP specification. You can include controls with a particular client request, and if the server supports the controls, the server performs the special processing that the controls dictate. Typically, controls follow the Internet standards process and are published in RFCs.
The LDAP controls that I cover in this article perform server-side sorting of search results, paged searching for more efficient processing of search results, and the deletion of an entire directory subtree in one operation. AD supports these controls and many more. For a complete list of the supported controls, go to http://msdn.microsoft.com/library/en-us/netdir/ldap/extended_controls.asp.
Controls and Net::LDAP
Before I delve into using specific controls, let's briefly review how you use controls with Net::LDAP. If you're new to Net::LDAP, I recommend reading "Querying and Updating AD, Part 1" for a general introduction to Net::LDAP and information about where to obtain it and how to install it. As I write this article, Net::LDAP 0.26 is the current version, so I use it for the scripts I describe later.
As you might expect with Net::LDAP, controls are instantiated as objects. The Net::LDAP::Control module lets you create a new control by specifying parameters to the new() method with code such as
Net::LDAP::Control->new(parm, parm, parm)
where parm is a parameter that depends on the type of control you're instantiating. Each control typically has specific parameters that you can use to customize its behavior. After you've instantiated the control object, you can pass it as a parameter to the operation you want to extend. Most methods available within Net::LDAP that map to LDAP operations have an optional control parameter that accepts an array reference of control objects. This parameter lets you specify more than one control if necessary. Now let's get our feet wet with the first control.
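The following script is an added example, not code from the article; it shows the mechanism just described end to end: two control objects are instantiated with their own parameters, both are handed to one search through the control array reference, and the server's response controls are read back from the result. The server name, base DN and bind account are placeholders, and the password is taken from an environment variable rather than written into the script. The rootDSE check and the handling of critical controls are additions that the article does not itself spell out.

```perl
#!/usr/bin/perl
# Added example (not from the original article). Replace the placeholder
# server, base DN and bind DN with values for your own forest.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Sort;
use Net::LDAP::Control::Paged;
use Net::LDAP::Constant qw(LDAP_CONTROL_SORTREQUEST LDAP_CONTROL_SORTRESULT
                           LDAP_CONTROL_PAGED LDAP_UNAVAILABLE_CRITICAL_EXTENSION);

my $server  = 'dc1.example.com';                              # placeholder
my $base    = 'dc=example,dc=com';                            # placeholder
my $bind_dn = 'cn=svc-ldapread,cn=Users,dc=example,dc=com';   # placeholder

my $ldap = Net::LDAP->new($server) or die "Cannot connect to $server: $@";
my $mesg = $ldap->bind($bind_dn, password => $ENV{LDAP_PASSWORD});
die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;

# 1. Read supportedControl from the rootDSE before relying on a control.
#    An unsupported control is then caught here, with a clear message,
#    instead of surfacing later as a failed or silently unsorted search.
my $dse = $ldap->search(base => '', scope => 'base',
                        filter => '(objectClass=*)',
                        attrs  => ['supportedControl']);
die 'rootDSE read failed: ' . $dse->error . "\n" if $dse->code;
my %supported = map { $_ => 1 } $dse->entry(0)->get_value('supportedControl');
for my $oid (LDAP_CONTROL_SORTREQUEST, LDAP_CONTROL_PAGED) {
    die "server does not advertise control $oid\n" unless $supported{$oid};
}

# 2. Instantiate the controls. Each subclass takes its own parameters.
#    critical => 1 tells the server to reject the whole operation if it
#    cannot honour the control, rather than ignore it and return unsorted data.
my $sort  = Net::LDAP::Control::Sort->new(order => 'sn givenName', critical => 1);
my $paged = Net::LDAP::Control::Paged->new(size => 500);

# 3. Pass both controls in one array reference. The same argument list is
#    reused for every page; only the paging cookie changes between rounds.
my @search_args = (
    base    => $base,
    scope   => 'sub',
    filter  => '(&(objectCategory=person)(objectClass=user))',
    attrs   => [qw(sAMAccountName sn givenName)],
    control => [ $sort, $paged ],
);

my $count = 0;
while (1) {
    $mesg = $ldap->search(@search_args);
    if ($mesg->code == LDAP_UNAVAILABLE_CRITICAL_EXTENSION) {
        die 'server refused a critical control: ' . $mesg->error . "\n";
    }
    die 'search failed: ' . $mesg->error . "\n" if $mesg->code;

    $count += $mesg->count;
    for my $entry ($mesg->entries) {
        printf "%-20s %s, %s\n",
            $entry->get_value('sAMAccountName') || '',
            $entry->get_value('sn')             || '',
            $entry->get_value('givenName')      || '';
    }

    # 4. The server answers with its own response controls. The sort result
    #    control reports whether sorting actually succeeded on this page.
    my ($sort_resp) = $mesg->control(LDAP_CONTROL_SORTRESULT);
    warn 'sort result code: ' . $sort_resp->result . "\n"
        if $sort_resp && $sort_resp->result;

    # The paged response control carries the cookie for the next page;
    # an empty cookie means the last page has been delivered.
    my ($page_resp) = $mesg->control(LDAP_CONTROL_PAGED) or last;
    my $cookie = $page_resp->cookie;
    last unless defined $cookie && length $cookie;
    $paged->cookie($cookie);
}

print "$count entries returned\n";
$ldap->unbind;
```

Two points are worth keeping in mind when you adapt this. First, every control object is stateful: the same $paged object is passed on each round and its cookie is updated in place, so do not create a fresh control inside the loop. Second, if you need to abandon a paged search before the cookie is empty, the documented way is to send one more request with the current cookie and a page size of 0, which tells the server to discard the search state it is holding for you.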