LDAP management from PHP

-redShadow-'s picture

Let's discuss about ways to connect to LDAP and handle entries from PHP.
I see that the trend is to write classes based on core PHP ldap_* functions. The obvious problem is that each module does in its own way.

Now, I think that the right way will be to manage all the "low level" stuff inside the ldap module, and then use its exposed APIs to do all the stuff higher-level.
I had a quick read at that module code, and I see you are writing brand new LDAP management classes.

What about, instead, using something already written?
[this is not a critique, I'm asking pros and cons for which you decided to write this from scratch]

I used Net_LDAP2 from PEAR many times when writing LDAP-related stuff, and it seems to be working fine, although I heard of strange misbehavior of that package, probably derived from some php-ldap functions issue (I see that it is not really easy to handle the LDAP protocol and communicate with a directory server..). Another problem related to Net_LDAP2 is the PEAR license, that is not GPL-compatible. So we'd need to ask users to download the PEAR framework in order to use LDAP modules. This can be done quickly under Linux, I don't know if it is the same for Windows and Mac.
But it has many many pros too (such as quick schema reading, to give an example) that would require lots of coding if done by scratch.

Are there other nice high-level classes to handle LDAP? Or lots of enthusiastic people that would help writing the coolest one?
Let me know.


Not going to use modules that require PEAR

verta's picture

Just my 2 cents:

Thumbs down on PEAR. It looks pretty cool, but it's really too much to deal with to d/l a great big library and fight with installing it just for one module. The one attempt I made some time ago to get PEAR up was not a success. In general, I try to avoid modules that required extra downloads unless it's simple and small.

If someone finds something that can be packaged in the module, i.e. has a compatible license, great.

Ldap & php: a beast

dam's picture

I support Samu's idea to go on with Pear.
Verta is right too: external libraries are never a good idea but here we have some things to take in consideration:
1. when you have to deal with ldap schemas the common ldap_* functions are a nightmare
2. pear installs VERY smoothly (in linux but I guess in all the other o.s.)
3. reinventing the wheel is often a bad idea


PEAR on Windows

verta's picture

Understood. To quote an article I found while trying to find an easy way to do this (or where it wrong the last time), http://www.geeksengine.com/article/install-pear-on-windows.html

"Installing PEAR on Windows is a confusing task if you use the PEAR Installer."

Not starting from scratch

johnbarclay's picture

When we started ldap, the main author of the ldap api part did a good survey of things out there. He is borrowing and learning from other ldap libraries (not just php) in his code base. He does a lot of ldap admin and development at the university he works at and is really a good fit for the api part of the project.

So I'm optimistic about his ldap api code. If you download the head version and look at the wiki where the documentation is, you will get a good sense of where its going.

that makes sense but

dam's picture

I had some mail exchange with some pear authors in the past months: pear actually forces authors to use gpl compliant licences. Only some pear modules (the oldest ones) are not compliant and with a bit of patience they can be gpl compliant too.

mmm sounds strange that pear gives headache on windows. At the end it's just a directory included in the php path...

your answer makes sense but I have some other questions:
1) how long it will take the ldap api available for production?
2) did the "main author" excluded pear for some other reasons than its issues on windows environment?
3) do we have some data to understand how many drupal sites are hosted over a windows server ?


johnbarclay's picture
  1. not sure.
  2. I would ask that in the LDAP issue queue. I'm sure it had nothing to with the windows environment. Some of our testing servers are on windows machines and some are connected to MS Active Directory.
  3. No idea. I do a lot of work in the university community and I would say about half that I've run across.

As far as PEAR on windows, its not much of a hurdle. Here a good 1, 2, 3 manual install. http://www.geeksengine.com/article/install-pear-on-windows.html

please clarify

dam's picture

thank you John for your answer.
There is one thing I can't get and maybe you can clarify: are you personally pro to pear or not?

pear position statement

johnbarclay's picture

I like pear. Generally prefer to avoid it in drupal unless it contributes substantial functionality and can be distributed with a module. I use it in some of my non contributed custom modules.

I looked over http://pear.php.net/manual/en/package.networking.net-ldap2.introduction.php and would say it would add an additional layer without adding much functionality. In the LDAP API, we want the server definitions to be stored in the LDAP API and when the ldap server objects are instantiated, they will be for a particular server configuration. The php ldap layer is pretty feature rich http://php.net/manual/en/book.ldap.php

there is a huge difference

dam's picture

with netldap2 you can get the schema related to an object class in a easy way. Have a look here

In this way it's much easier to bind a php object to a ldap schema and then to perform validations checks on the submitted attributes of the object.


LDAP API will not require pear modules

retsamedoc's picture

I agree with John. The new LDAP API will not require the PEAR netldap2 module. The basis I am using for a lot of the LDAP interaction code is myldapadmin (http://phpldapadmin.sourceforge.net) which is able to perform introspection (schema specifically). This will be more than adequate.

that makes sense

dam's picture

that makes sense