Cook Computing

Too busy LDAPing

August 8, 2002 Written by Charles Cook

I've been too busy to blog recently. I've been getting to grips with LDAP and haven't had the time or inclination to do much out of working hours.

I started using ADSI then switched to the Microsoft implementation of the LDAP API for the richer functionality, in particular the ability to use a wider range of authentication.

The LDAP API is fairly low level and after working on .NET code it's been strange to go back to an API which involves allocating C structs and arrays of strings and remembering to free up memory allocated by my code and that allocated by the API. It makes me appreciate yet again what a huge step forward .NET represents in improved productivity. In the end I wrote a C++ class to encapsulate the API and speed up the rest of my coding.

One quirk of the LDAP API is that if you want to set an attribute to an empty value, you have to delete it (I suppose the attribute remains in the directory but the API doesn't let you see it once it's "deleted"). However, the deletion fails if the attribute is already set to an empty value. Therefore if you want to modify several attributes in one call, setting one or more of them to empty values, the whole call fails if one or more of these attributes is already empty. So you have to first make a call to determine which attributes are already empty. This involves another round-trip and processing of a call on the server. Not very efficient. [If I've got this wrong and I'm showing hideous naivety about LDAP please add a comment to this item to correct me.]
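
The check-then-modify workaround described above, as an added example that is not code from the original post or from the Microsoft LDAP API. `Mod`, `Entry`, `apply_modify`, `naive_mods` and `checked_mods` are hypothetical stand-ins, the in-memory "server" only models the all-or-nothing behaviour the post describes, and the sample values are constructed.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Stand-in types for this example only; these are not the API's own structures.
enum class Op { Replace, Delete };
struct Mod { Op op; std::string attr; std::string value; };
using Entry = std::map<std::string, std::string>;  // attribute -> single value
const int kNoSuchAttribute = 16;  // LDAP result code noSuchAttribute

// Toy server (assumption): a modify is all-or-nothing, so one delete of an
// attribute that has no value rejects the request and changes nothing.
int apply_modify(Entry& entry, const std::vector<Mod>& mods) {
    Entry work = entry;
    for (const Mod& m : mods) {
        if (m.op == Op::Replace) work[m.attr] = m.value;
        else if (work.erase(m.attr) == 0) return kNoSuchAttribute;
    }
    entry = work;
    return 0;
}

// Naive translation: every empty desired value becomes a delete.
std::vector<Mod> naive_mods(const Entry& desired) {
    std::vector<Mod> mods;
    for (const auto& kv : desired)
        mods.push_back(Mod{kv.second.empty() ? Op::Delete : Op::Replace, kv.first, kv.second});
    return mods;
}

// Workaround from the post: "present" is what a prior search returned, and
// deletes for attributes that are already empty are dropped from the request.
std::vector<Mod> checked_mods(const Entry& desired, const std::set<std::string>& present) {
    std::vector<Mod> mods;
    for (const Mod& m : naive_mods(desired))
        if (m.op != Op::Delete || present.count(m.attr)) mods.push_back(m);
    return mods;
}

int main() {
    Entry entry = {{"mail", "a@example.com"}, {"telephoneNumber", "555"}};  // constructed sample
    Entry desired = {{"description", ""}, {"mail", ""}, {"telephoneNumber", "556"}};
    std::set<std::string> present = {"mail", "telephoneNumber"};  // from the extra round-trip
    int naive = apply_modify(entry, naive_mods(desired));  // rejected: description already empty
    int checked = apply_modify(entry, checked_mods(desired, present));
    return (naive == kNoSuchAttribute && checked == 0) ? 0 : 1;
}
```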