Among its many other capabilities, PHP also comes with a full-featured API to connect to, and communicate with, LDAP directory servers. This article explores how PHP and LDAP can be used together, beginning with a crash course in LDAP basics and proceeding to a series of simple examples that demonstrate how PHP can be used to search an LDAP directory and format the results for the Web.
In case you're not familiar with LDAP, this section is designed to give you a crash course in the basics. It is not intended to be exhaustive - you should take a look at the links at the end of this article for more detailed material - but it should get you through the remainder of this article without confusing you too much.
An LDAP directory is usually structured hierarchically, as a tree of nodes (the LDAP directory tree is sometimes referred to as the Directory Information Tree, or DIT). Each node represents a record, or "entry", in the LDAP database.
An LDAP entry consists of numerous attribute-value pairs, and is uniquely identified by what is known as a "distinguished name" or "DN". If you're familiar with RDBMS, it's pretty easy to draw an analogy here: an LDAP entry is analogous to a record, its attributes are the fields of that record, and a DN is a primary key that uniquely identifies each record.
Consider the following example of an LDAP entry, which might help make things clearer:
dn: mail=sue@my-domain.com, dc=my-domain, dc=com
objectclass: inetOrgPerson
cn: Sue
sn: Jones
mail: sue@my-domain.com
telephoneNumber: 1 234 567 8912
This is an entry for a single person, Sue Jones. As you can see, the different components of the entry - name, email address, telephone number - are split into attribute-value pairs, with the entire record identified by a unique DN (the first line of the entry). Some of these attributes are required and some are optional, depending on the object class being used for the entry (more on this later); however, the entire set of data constitutes a single entry, or node, on the LDAP directory tree.
Since LDAP entries are arranged in a hierarchical tree, and since each node on the tree can be uniquely identified by a DN, the LDAP model lends itself well to sophisticated queries and powerful search filters. For example, I could restrict my search to a particular subset of the tree simply by specifying a different base for the query to begin from, or query only against specific attributes in the directory tree. Heck, I could even do both, and feel like a Real Programmer!
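The sketch below is an added example, not code from the original article: it runs the same filter against two different search bases, asks for only two attributes back, and escapes the search value so that characters with special meaning in a filter are matched literally. The LDAP_URI environment variable, the "ou=people" branch and the helper names buildFilter and searchPeople are assumptions made for illustration; PHP's ldap extension is required.

```php
<?php
// Added example (not from the original article). Requires PHP's ldap extension.
// The server URI, base DNs and the "ou=people" branch are assumptions.

const SEARCHABLE = ['cn', 'sn', 'mail'];   // attributes callers may query against

// Build an equality filter such as (mail=sue@my-domain.com).
// The value is escaped so filter metacharacters ( ) * \ are matched literally.
function buildFilter(string $attr, string $value): string
{
    if (!in_array($attr, SEARCHABLE, true)) {
        throw new InvalidArgumentException("attribute not searchable: $attr");
    }
    return sprintf('(%s=%s)', $attr, ldap_escape($value, '', LDAP_ESCAPE_FILTER));
}

// Search the subtree under $base and return only the requested attributes.
function searchPeople($conn, string $base, string $filter, array $attrs): array
{
    $result = ldap_search($conn, $base, $filter, $attrs);
    if ($result === false) {
        throw new RuntimeException(ldap_error($conn));
    }
    return ldap_get_entries($conn, $result);
}

// Constructed inputs: one ordinary value, one containing filter metacharacters.
echo buildFilter('mail', 'sue@my-domain.com'), "\n";
echo buildFilter('cn', 'Sue)(objectclass=*'), "\n";

// The directory query runs only when LDAP_URI is set (e.g. ldap://localhost).
if ($uri = getenv('LDAP_URI')) {
    $conn = ldap_connect($uri);
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_bind($conn) or exit(ldap_error($conn) . "\n");   // anonymous bind

    $filter = buildFilter('sn', 'Jones');
    $attrs  = ['cn', 'mail'];              // query returns only these attributes
    // Same filter, two bases: the whole tree, then only one branch of it.
    foreach (['dc=my-domain,dc=com', 'ou=people,dc=my-domain,dc=com'] as $base) {
        $entries = searchPeople($conn, $base, $filter, $attrs);
        printf("%s: %d match(es)\n", $base, $entries['count']);
    }
    ldap_unbind($conn);
}
```

Without LDAP_URI set, the script only prints the two constructed filters, which shows how the second value's parentheses and asterisk are encoded rather than interpreted as filter syntax.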