These routines are used to work with the group evaluation extended request and create a group control.
The ldap_create_group_eval_request() API is used with the ldap_extended_operation_s() API to get the list of groups a particular entry belongs to. The API is intended to be used in a distributed directory environment where the LDAP entry for a particular user might exist on one directory server and belong to groups on that server or other servers, and it is desired to perform an operation under the authority of the user while applying the collective group membership from all servers. Used in this way, an application would create a group control that consists of the groups returned from each of the distributed directory servers. The example below shows how to parse the response from the group evaluation extended request.
The ldap_create_group_control() API is used to create a group control from the value returned by the group evaluation extended operation.
The ldap_create_group_control_from_list() API is used to create a group control from a list of groups.
Note: By using the code examples, you agree to the terms of the Code license and disclaimer information.
The following example shows how to use the ldap_create_group_eval_request and ldap_create_group_control APIs:
/******************************************************************/
/* This example is working on IBM i. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <time.h>
#include <ldap.h>
#include <lber.h>
static char ibmid[] = "Copyright IBM Corporation 2007 LICENSED MATERIAL - PROGRAM PROPERTY OF IBM";
#define BIND_DN "cn=administrator"
#define BIND_PW "secret"
LDAP *ld;
LDAPControl **opControls = NULL;
LDAPControl * groupControl;
char *entryDn = NULL;
char **attrs = NULL;
int rc = LDAP_SUCCESS;
char *strdup( char *s )
{
char *p;
if ( (p = (char *) malloc( strlen( s ) + 1 )) == NULL )
return( NULL );
strcpy( p, s );
return( p );
}
/******************************************************************/
/* Function: decodeBerGroupEval */
/* Purpose: Function to decode the results from a group */
/* evaluation extended operation. */
/* Inputs: */
/* oidres - the oid returned from the extended operation */
/* result - the result returned from the extended operatin */
/* groupValues - place to store the sequence of group */
/* values returned from the server. */
/* */
/* Pre-conditions: All inputs are properly initialized. */
/* Post-conditions: */
/* The groupValues will be set if the berval and oidres are valid.*/
/* Outputs: None. */
/* */
void decodeBerGroupEval(const char * oidres,
struct berval * result,
char *** groupValues)
{
int response; /* Stores the return code of the BER decoding function */
int normalized; /* Flag that indicates if the groups are normalized */
if (!oidres)
{
printf("\n==No extended response received.");
return;
}
else if (!result)
{
printf("\n==No extended response data received.");
return;
}
else if (strcmp(oidres, LDAP_GROUP_EVAL_RES_OID) != 0)
{
printf("\n==Unexpected extended response: %s", oidres);
return;
}
else
{
/* Obtain the BerElement corresponding to the BER encoded format. */
BerElement *ber = ber_init2(result);
if ( ber == NULL ) {
printf("\n==ber_init2 failed.");
return;
}
response = ber_scanf(ber, "{i{v}}", &normalized, groupValues);
if (response == -1)
{
printf("\n==fber_scanf failed");
}
fber_free(ber);
}
}
void initvar()
{
/******************************************************************/
/* Init entryDn, to make sure that we could allocate the memory */
/* for the entryDn variable */
/* */
entryDn = strdup("o=ibm,c=us");
if ( entryDn == NULL) {
printf("\n==Memory allocation failed; cannot continue. Program terminated.");
exit(1);
}
/******************************************************************/
/*Allocate the attrs list */
/* */
attrs = (char**)malloc(1 + 1);
if (attrs == NULL) {
printf("\n==Memory allocation failed; cannot continue. Program terminated.");
exit(1);
}
attrs[0] = strdup("objectclass=*");
attrs[1] = NULL;
}
/******************************************************************/
/* Function: evaluategroups */
/* Purpose: Function to implement evaluategroups extended */
/* operation. The function generates the extended */
/* operation request, sends it to the server and calls */
/* the appropriate function to decode the results. The */
/* function then prints the results. */
/* Inputs: None. */
/* */
/* Pre-conditions: entryDN and attrs are initialized. */
/* client is already bound to the server. */
/* Post-conditions: */
/* The client is unbound. */
/* Outputs: None. */
/* */
void evaluategroups()
{
struct berval *reqVal = NULL;
const char *oid = LDAP_GROUP_EVAL_REQ_OID;
char *oidres = NULL;
struct berval *valres = NULL;
int index = 0;
char ** groupValues = NULL;
/*used by ldap_get_lderrno*/
char * dn = NULL;
char * msg = NULL;
initvar();
/******************************************************************/
/* Here we will test the ldap_create_eval_request API */
/* */
reqVal = NULL;
reqVal = ldap_create_group_eval_request(entryDn, attrs);
if(reqVal == NULL)
{
printf("\n==The group eval request could not be created.");
}
else
printf("\n******** The group eval request successfully.");
/******************************************************************/
/* Issue the operation */
/* */
rc = ldap_extended_operation_s(ld, oid, reqVal, opControls, NULL, &oidres, &valres);
printf("\n******** Now feeding the walrus (valres) to ldap_create_group_control");
/******************************************************************/
/* valres here can be fed to the create_group_control and the */
/* control can then be added to opcontrol and a search fired on */
/* the server. The search can be done after the results for the */
/* exop are displayed but before the unbind occurs below. */
/* */
if (rc == LDAP_SUCCESS)
{
groupControl= ldap_create_group_control(valres);
printf( "\n******** This is how the group control looks: %s\n",(*groupControl).ldctl_value.bv_val);
if(groupControl == NULL)
{
printf("\n******** Group Control Testing: The group control could not be created.\n");
}
else
{
printf("\n******** The group control was created successfully.");
ldap_insert_control(groupControl, &opControls);
printf("\n******** Added group control to the opcontrols.");
printf("\n OID of OPCONTROLS IS %s\n", (*(*opControls)).ldctl_oid);
printf("\n FINAL CONTROL %s\n", (*(*opControls)).ldctl_value.bv_val);
}
}
/******************************************************************/
/* Check our result */
/* */
if (rc == LDAP_SUCCESS) {
decodeBerGroupEval(oidres, valres, &groupValues);
if (groupValues == NULL) {
printf ( "\n==No values returned from the Server.\n", msg);
}
else
{
printf("\n******** Group values are :\n");
for (index = 0; groupValues != NULL && groupValues[index] != NULL; index++) {
printf(" %s \n", groupValues[index]);
ldap_memfree(groupValues[index]);
}
}
}
else
{
printf("\n******** ldapexop: %d - %s \n", rc, ldap_err2string(rc));
rc = ldap_get_lderrno(ld, &dn, &msg);
if ( msg != NULL && msg[0] != 0 )
printf("******** msg: %s\n", msg);
}
printf("\n******** Now firing the group control we just created with an ldapsearch ..");
/******************************************************************/
/* Firing the ldapsearch using the above created control */
/* Check whether the control has indeed been created before */
/* */
if(groupControl != NULL)
{
rc = ldap_search_ext_s(ld,"o=ibm,c=us",LDAP_SCOPE_SUBTREE,"objectclass=*",
NULL,0,opControls,NULL,NULL,200,NULL);
printf("\n******** Result code received from the server: %d %s\n", rc , ldap_err2string(rc));
}
else
{
printf("\n******** The group control was not successfully created.\n");
}
/******************************************************************/
/* Unbind and clean up */
/* */
ldap_unbind(ld);
if (entryDn)
free(entryDn);
if (attrs) {
if (attrs[0])
free(attrs[0]);
free(attrs);
}
if (reqVal)
ber_bvfree(reqVal);
if (oidres)
ldap_memfree(oidres);
if (valres)
ber_bvfree(valres);
if (groupControl)
ldap_control_free(groupControl);
if(opControls)
ldap_controls_free(opControls);
}
int initsession ()
{
int l_port;
char *server;
/******************************************************************/
/* Set default values: Server and Port. And then parse */
/* input parameters into program variables */
/* */
server = NULL;
l_port = LDAP_PORT;
/******************************************************************/
/* Initialize an LDAP session */
/* */
ld = ldap_init(server, l_port);
if (ld == NULL)
{
printf("==Error==");
printf(" Init of server %s at port %d failed.\n", server, l_port);
return 0;
}
/******************************************************************/
/* Bind as the ldap administrator */
/* */
rc = ldap_simple_bind_s (ld, BIND_DN , BIND_PW);
if ( rc != LDAP_SUCCESS)
{
printf("==Error== %s");
printf(" Unable to Bind to the LDAP server. Return code is %d.\n", rc);
return 0;
}
return 0;
}
int main ( )
{
initsession();
evaluategroups();
exit(0);
}
The following example shows how to use the ldap_create_group_control_from_list API:
/******************************************************************/
/* This example is working on IBM i. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <ldap.h>
static char ibmid[] = "Copyright IBM Corporation 2007 LICENSED MATERIAL - PROGRAM PROPERTY OF IBM";
#define BIND_DN "cn=administrator"
#define BIND_PW "secret"
LDAP *ld;
LDAPControl *newControl = NULL;
LDAPControl **opControls = NULL;
int rc = LDAP_SUCCESS;
int initsession ()
{
int l_port;
char *server;
/******************************************************************/
/* Set default values: Server and Port. And then parse */
/* input parameters into program variables. */
/* */
server = NULL;
l_port = LDAP_PORT;
/******************************************************************/
/* Initialize an LDAP session */
/* */
ld = ldap_init(server, l_port);
if (ld == NULL)
{
printf("==Error==");
printf(" Init of server %s at port %d failed.\n", server, l_port);
return 0;
}
/******************************************************************/
/* Bind as the ldap administrator */
/* */
rc = ldap_simple_bind_s (ld, BIND_DN , BIND_PW);
if ( rc != LDAP_SUCCESS)
{
printf("==Error== %s");
printf(" Unable to Bind to the LDAP server. Return code is %d.\n", rc);
return 0;
}
return 0;
}
int main( )
{
char *group[] = {"cn=group1,o=ibm,c=us", "cn=group2,o=ibm,c=us", NULL};
char *dn = "cn=group1,o=ibm,c=us";
int msgidp = 0;
initsession();
/******************************************************************/
/* Create a group control list */
/* */
newControl = ldap_create_group_control_from_list (group, 0);
if(newControl==NULL)
{
printf("\n==Failure encountered while creating group control");
}
else
{
printf("\n****************newControl was created successfully.\n");
rc = ldap_insert_control( newControl, &opControls);
if (rc == LDAP_SUCCESS)
{
printf("\n************ Added group control to the opcontrols.");
printf("\n OID of OPCONTROLS IS %s\n", (*(*opControls)).ldctl_oid);
printf("\n FINAL CONTROL %s\n", (*(*opControls)).ldctl_value.bv_val);
}
}
/******************************************************************/
/* Firing an ldapdelete using the above created control group */
/* */
rc = ldap_delete_ext( ld, dn, opControls, NULL, &msgidp );
if (rc == LDAP_SUCCESS)
printf("\n************* Delete dn successfully.");
else
printf("\n==Failure delete dn.");
/******************************************************************/
/* Unbind and clean up */
/* */
ldap_unbind(ld);
if (newControl)
ldap_control_free(newControl);
if(opControls)
ldap_controls_free(opControls);
exit(0);
}
[ Back to top | LDAP APIs | APIs by category ]