Add, Modify, and Use Extended Requests in LDAP


The LDAP component provides the ability to create and manage directory entries, including users and groups, as well as perform advanced operations. This article demonstrates how to add new entries, modify existing attributes, manage group memberships, and use extended requests to support additional functionality such as StartTLS and custom operations.

Adding New Entries to an LDAP Directory

LDAP (Lightweight Directory Access Protocol) supports adding and modifying entries such as users and groups. To add a new entry, first bind as an account that has the right to create objects in the target container. Prefer a delegated provisioning account over a domain administrator, and keep in mind that a simple bind sends the password in the clear unless the connection is already protected by TLS (see LDAP Extended Requests below for StartTLS):

ldap.DN = "DOMAIN\\Administrator";   // sample credentials; use a least-privilege account in practice
ldap.Password = "admin";
ldap.Bind();

Next, set DN to the distinguished name of the new entry and supply every attribute the server's schema requires for that object class; which attributes are required depends on the schema. An attribute type of "" continues the value list of the preceding attribute, which is how multi-valued attributes such as objectClass are supplied (see Handling Multi-Valued Attributes below). For Active Directory, a typical user add looks like this:

ldap.DN = "cn=NewUser,cn=Users,dc=DOMAIN";
ldap.Attributes.Add(new LDAPAttribute("objectClass", "top"));
ldap.Attributes.Add(new LDAPAttribute("", "person"));               // further objectClass values
ldap.Attributes.Add(new LDAPAttribute("", "organizationalPerson"));
ldap.Attributes.Add(new LDAPAttribute("", "inetOrgPerson"));
ldap.Add();

Note that an Active Directory user created with only these attributes has no password and is disabled until you set one; Active Directory accepts a unicodePwd value only over an encrypted connection (TLS or LDAPS), so plan the connection accordingly.

Modify LDAP Group Members

To modify the members of a group, change the member attribute of the group entry. The value is the full distinguished name of the member, and you add or remove a single member by choosing the appropriate modification operation for that value. Because member is multi-valued, use amoAdd or amoDelete for membership changes; an amoReplace with one DN would overwrite the entire membership list.

For example, to remove "Tom H" from the "Administrators" group:

ldap.DN = "CN=Administrators,CN=Builtin,DC=DOMAIN";
LDAPAttribute attr = new LDAPAttribute("member", "CN=Tom H,CN=Users,DC=DOMAIN", LDAPAttributeModOps.amoDelete);
// amoDelete removes this one value; use amoAdd to add Tom H to the group instead
ldap.Attributes.Add(attr);
ldap.Modify();
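The two procedures above (creating an entry, then changing a group's membership) combined into one provisioning flow, as an added example that is not code from the original article or from the component's own documentation. It negotiates TLS before the bind so the credentials are not sent in the clear, binds with a delegated account, creates a user, and appends it to a group. Assumptions not confirmed by the article: the SSL-capable Ldaps class in the nsoftware.IPWorksSSL namespace with ServerName, ServerPort, SSLStartMode (LdapsSSLStartModes.sslExplicit), ResultCode and ResultDescription, an OnSSLServerAuthentication event, Attributes.Clear() and Unbind(); the host name, account names and group are sample values.

```csharp
// Added example, not from the original article. Create a user over a
// StartTLS-protected connection and add it to a group, checking each result.
// Assumed (not confirmed by the article): nsoftware.IPWorksSSL.Ldaps with
// ServerName/ServerPort/SSLStartMode/ResultCode/ResultDescription,
// OnSSLServerAuthentication, Attributes.Clear() and Unbind().
using System;
using nsoftware.IPWorksSSL;

class ProvisionUser
{
    static void Main()
    {
        var ldap = new Ldaps();
        ldap.ServerName = "dc1.domain.example";               // sample host name
        ldap.ServerPort = 389;
        ldap.SSLStartMode = LdapsSSLStartModes.sslExplicit;   // StartTLS before any credentials go out

        // Do not blindly set e.Accept = true: keep the component's verdict from
        // the trust store and just record what the server presented.
        ldap.OnSSLServerAuthentication += (sender, e) =>
        {
            if (!e.Accept)
                Console.Error.WriteLine("Rejected server certificate: " + e.CertSubject + " (" + e.Status + ")");
        };

        try
        {
            // Delegated provisioning account rather than a domain administrator.
            ldap.DN = "DOMAIN\\svc-provision";                // sample account
            ldap.Password = Environment.GetEnvironmentVariable("LDAP_BIND_PW");
            ldap.Bind();
            Check(ldap, "bind");

            // objectClass is multi-valued: the first value carries the type, the
            // rest continue the list with an empty type. The account is created
            // disabled and without a password; unicodePwd needs the TLS session.
            string userDn = "cn=Jane Doe,cn=Users,dc=DOMAIN";
            ldap.Attributes.Clear();
            ldap.DN = userDn;
            ldap.Attributes.Add(new LDAPAttribute("objectClass", "top"));
            ldap.Attributes.Add(new LDAPAttribute("", "person"));
            ldap.Attributes.Add(new LDAPAttribute("", "organizationalPerson"));
            ldap.Attributes.Add(new LDAPAttribute("", "user"));
            ldap.Attributes.Add(new LDAPAttribute("sAMAccountName", "jdoe"));
            ldap.Attributes.Add(new LDAPAttribute("userPrincipalName", "jdoe@domain.example"));
            ldap.Add();
            Check(ldap, "add " + userDn);

            // Membership is a value-level change on the multi-valued member
            // attribute: amoAdd appends one DN, whereas amoReplace would replace
            // the whole membership list with this single DN.
            ldap.Attributes.Clear();
            ldap.DN = "CN=Helpdesk,CN=Users,DC=DOMAIN";        // sample group
            ldap.Attributes.Add(new LDAPAttribute("member", userDn, LDAPAttributeModOps.amoAdd));
            ldap.Modify();
            Check(ldap, "add member");

            ldap.Unbind();
        }
        catch (Exception ex)
        {
            // The component raises an exception for a non-success result code;
            // surface it with the last server diagnostic.
            Console.Error.WriteLine("Provisioning failed: " + ex.Message + " / " + ldap.ResultDescription);
        }
    }

    // Belt-and-braces result check for the case where an operation returns
    // rather than throws on a non-zero LDAP result code.
    static void Check(Ldaps ldap, string op)
    {
        if (ldap.ResultCode != 0)
            throw new Exception(op + " failed: " + ldap.ResultCode + " " + ldap.ResultDescription);
    }
}
```

The certificate handler is the part most often done wrong: unconditionally accepting the server certificate turns the StartTLS step into protection against passive sniffing only, and an on-path attacker can still capture the bind credentials.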

Add, Replace, or Delete Attributes for an Existing LDAP Entry

You can modify existing LDAP entries by adding, replacing, or deleting attributes using the LDAP component. This requires binding to the server with sufficient permissions and specifying the appropriate modification operation for each attribute.

Bind to the Server

To modify attributes of an existing LDAP entry, first bind to the server as an account with write permission on that entry:

ldap.DN = "DOMAIN\\Administrator";
ldap.Password = "admin";
ldap.Bind();

Next, specify the attributes you want to add, replace, or delete.

Add an attribute

ldap.DN = "cn=SomeUser,cn=Users,dc=DOMAIN";
ldap.Attributes.Add(new LDAPAttribute("description", "added"));   // no operation given: the value is added
ldap.Modify();

Replace an attribute

ldap.DN = "cn=SomeUser,cn=Users,dc=DOMAIN";
ldap.Attributes.Add(new LDAPAttribute("description", "added", LDAPAttributeModOps.amoReplace));   // all existing values of description are replaced
ldap.Modify();

Delete an attribute

ldap.DN = "cn=SomeUser,cn=Users,dc=DOMAIN";
ldap.Attributes.Add(new LDAPAttribute("description", "added", LDAPAttributeModOps.amoDelete));   // removes this one value; other values of description remain
ldap.Modify();

Handling Multi-Valued Attributes

When modifying multi-valued attributes (such as url), give the attribute type on the first value only. Each additional value is added with an empty type string and belongs to the preceding attribute:

ldap.Attributes.Add(new LDAPAttribute("url", "www.chalupas.com"));
ldap.Attributes.Add(new LDAPAttribute("", "www.taquitos.com"));

  • Replacement: replacing a multi-valued attribute overwrites all existing values with the ones you supply, so a replace that lists only one value silently discards the rest.
  • Empty replacement: replacing an attribute without specifying any value has the same effect as deleting it; all values of that attribute type are removed.

Keep this in mind when automating changes: code that builds an empty or partial value list and then sends a replace performs a destructive change on the server.
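Helpers for the value-level operations described in the two preceding sections, as an added example rather than code from the original article or the component's documentation. They follow the article's convention for multi-valued attributes and refuse the empty replace that would wipe an attribute unless the caller asks for it explicitly. Assumptions not confirmed by the article: an already-bound nsoftware.IPWorks.Ldap instance, Attributes.Clear() on the attribute collection, and that an empty string value is how the component expresses "no value" in a replace.

```csharp
// Added example, not from the original article. Value-level helpers for
// multi-valued attributes with a guard against the empty-replace pitfall.
// Assumed: a bound nsoftware.IPWorks.Ldap, Attributes.Clear(), and "" as the
// way to express "no value" in a replace.
using System;
using System.Collections.Generic;
using nsoftware.IPWorks;

static class MultiValued
{
    // Replace the whole value set of `type` on `dn`. A replace with no values
    // removes the attribute entirely, so an empty list is rejected unless the
    // caller states that clearing the attribute is intended.
    public static void ReplaceAll(Ldap ldap, string dn, string type,
                                  IReadOnlyList<string> values, bool allowClear = false)
    {
        if (values.Count == 0 && !allowClear)
            throw new ArgumentException(
                "refusing to replace '" + type + "' with no values: this deletes the attribute");

        ldap.Attributes.Clear();
        ldap.DN = dn;
        if (values.Count == 0)
        {
            // Deliberate clear: an empty replace removes every value of the type.
            ldap.Attributes.Add(new LDAPAttribute(type, "", LDAPAttributeModOps.amoReplace));
        }
        else
        {
            // First entry carries the type and the replace op; the remaining
            // entries continue the value list with an empty type.
            ldap.Attributes.Add(new LDAPAttribute(type, values[0], LDAPAttributeModOps.amoReplace));
            for (int i = 1; i < values.Count; i++)
                ldap.Attributes.Add(new LDAPAttribute("", values[i]));
        }
        ldap.Modify();
    }

    // Remove exactly one value, leaving the attribute's other values intact.
    public static void RemoveValue(Ldap ldap, string dn, string type, string value)
    {
        ldap.Attributes.Clear();
        ldap.DN = dn;
        ldap.Attributes.Add(new LDAPAttribute(type, value, LDAPAttributeModOps.amoDelete));
        ldap.Modify();
    }

    // Append one value without touching the existing ones.
    public static void AddValue(Ldap ldap, string dn, string type, string value)
    {
        ldap.Attributes.Clear();
        ldap.DN = dn;
        ldap.Attributes.Add(new LDAPAttribute(type, value, LDAPAttributeModOps.amoAdd));
        ldap.Modify();
    }

    // Usage after Bind(), with the article's sample entry:
    //   MultiValued.ReplaceAll(ldap, "cn=SomeUser,cn=Users,dc=DOMAIN", "url",
    //                          new[] { "www.chalupas.com", "www.taquitos.com" });
    //   MultiValued.RemoveValue(ldap, "cn=SomeUser,cn=Users,dc=DOMAIN", "url", "www.chalupas.com");
    //   MultiValued.ReplaceAll(ldap, "cn=SomeUser,cn=Users,dc=DOMAIN", "url",
    //                          new string[0], allowClear: true);   // explicit wipe
}
```

Clearing the attribute list before each call matters when several operations share one component instance: leftover entries from a previous call would be sent again as part of the next Modify.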

LDAP Extended Requests

The LDAP component supports extended requests, which perform operations beyond the standard LDAP commands. For example, the SSL-enabled LDAPS component uses an extended request to upgrade a plain connection to TLS via the SSLStartMode property, namely the StartTLS extended request (OID 1.3.6.1.4.1.1466.20037). Because StartTLS is negotiated before Bind, the credentials sent by the bind are protected; without it, or without LDAPS on port 636, a simple bind sends the password in the clear.

To send other extended requests, use the ExtendedRequest method, passing the OID of the request and any associated request value. When the server responds, the component fires the ExtendedResponse event, where the responseName and responseValue are available.

This lets you implement custom LDAP operations and handle server responses programmatically.
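One extended request worth sending right after every bind is "Who am I?" (RFC 4532, OID 1.3.6.1.4.1.4203.1.11.3), which takes no request value and returns the authorization identity the server actually associated with the session. The following is an added example, not code from the original article or the component's documentation; it uses the ExtendedRequest method and ExtendedResponse event named above to detect the classic failure where a simple bind with an empty password is accepted as an anonymous session. Assumptions not confirmed by the article: ExtendedRequest(string requestName, string requestValue), an OnExtendedResponse event whose arguments expose ResultCode and ResponseValue and which fires before ExtendedRequest returns in the component's default synchronous mode, plus ServerName and Unbind(); the host name and account are sample values.

```csharp
// Added example, not from the original article. Confirm the bound identity with
// the "Who am I?" extended operation (RFC 4532) and refuse an anonymous session.
// Assumed: ExtendedRequest(string, string), OnExtendedResponse args with
// ResultCode/ResponseValue delivered before ExtendedRequest returns, ServerName, Unbind().
using System;
using nsoftware.IPWorks;

class WhoAmI
{
    // RFC 4532 "Who am I?" request OID; the request carries no value.
    const string WhoAmIOid = "1.3.6.1.4.1.4203.1.11.3";

    static void Main()
    {
        var ldap = new Ldap();
        ldap.ServerName = "dc1.domain.example";   // sample host name
        string authzId = null;
        int resultCode = -1;

        // responseName is absent for this operation; responseValue holds the
        // authzId, e.g. "u:DOMAIN\\jdoe" or "dn:cn=...", and is empty when anonymous.
        ldap.OnExtendedResponse += (sender, e) =>
        {
            resultCode = e.ResultCode;
            authzId = e.ResponseValue;
        };

        ldap.DN = "DOMAIN\\jdoe";                 // sample account
        ldap.Password = Environment.GetEnvironmentVariable("LDAP_BIND_PW");
        ldap.Bind();

        ldap.ExtendedRequest(WhoAmIOid, "");

        if (resultCode != 0)
            throw new Exception("Who am I? failed with result code " + resultCode);

        // Many servers, Active Directory included, treat a simple bind that
        // supplies a name with an empty password as an anonymous bind. A missing
        // LDAP_BIND_PW therefore "succeeds" but leaves the session unauthenticated;
        // the empty authzId exposes that before any privileged operation runs.
        if (string.IsNullOrEmpty(authzId))
            throw new Exception("bound anonymously; refusing to continue");

        Console.WriteLine("Server sees us as: " + authzId);
        ldap.Unbind();
    }
}
```

The same pattern applies to any other extended operation the server advertises in its supportedExtension attribute: send the OID with its (possibly BER-encoded) request value, and read the outcome from the ExtendedResponse event rather than assuming success because the method returned.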

We appreciate your feedback. If you have any questions, comments, or suggestions about this article please contact our support team at support@nsoftware.com.