Recipe 18.4 Programming with Perl

18.4.1 Problem

You want to programmatically access Active Directory using Perl.

18.4.2 Solution

There are two options for accessing Active Directory with Perl. You can use the Net::LDAP modules, which are cross-platform and use the LDAP protocol, or you can use the Win32::OLE module, which gives you access to ADSI and must be run on a Windows machine. Both modules can be downloaded from the Comprehensive Perl Archive Network (CPAN) web site.

The following example shows how to use the Net::LDAP modules to query the RootDSE:


use strict;
use Net::LDAP;

my $ldap_server  = $ARGV[0] || 'dc1';
my $ldapobj = Net::LDAP->new($ldap_server) or die "Could not connect: $@";
# A base-scope search with an empty base DN returns the RootDSE
my $rootdse = $ldapobj->search(
                    base   => '',
                    filter => '(objectclass=*)',
                    scope  => 'base',
);
die $rootdse->error if $rootdse->code;
foreach my $entry ($rootdse->entries) {
   foreach my $attr (sort $entry->attributes) {
      # get_value returns every value of the attribute in list context
      foreach ($entry->get_value($attr)) {
         print "$attr: $_\n";
      }
   }
}

This next example uses the Win32::OLE module and ADSI to display the attributes of the RootDSE:

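use strict;
use Win32::OLE 'in';

my $rootdse = Win32::OLE->GetObject("LDAP://RootDSE")
    or die "Could not get RootDSE: " . Win32::OLE->LastError;
# Load the property cache; PropertyCount is 0 until this is called
$rootdse->GetInfo;
for my $i ( 0 .. $rootdse->PropertyCount - 1) {
    my $prop = $rootdse->Item($i);
    print $prop->Name,"\n";
    foreach my $val (in $prop->Values) {
       print "  ",$val->CaseIgnoreString,"\n";
    }
}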

It is worth noting that with Net::LDAP, you generally need to bind to the target domain controller before performing a search or any other operation. In the Net::LDAP example above, I didn't need to do that because I queried the RootDSE, which allows anonymous (i.e., unauthenticated) connections. A bind can be done using the following code:

$ldapobj->bind('', password => 'galt');

In the second code sample where I used ADSI with Win32::OLE, the credentials of the user running the script are used by default, so you only need to do an explicit bind if you need to authenticate as a different user.
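
The bind shown above is an LDAP simple bind, which sends the password unencrypted unless the connection is protected by TLS. The following added example (not from the original recipe) upgrades the connection with StartTLS before binding and checks the result of every step. The CA file path and the AD_CA_FILE, AD_BIND_USER and AD_BIND_PASS environment variables are assumptions.

```perl
use strict;
use warnings;
use Net::LDAP;    # start_tls also needs IO::Socket::SSL installed

# Assumed names: adjust the CA file path and variable names for your site.
my $ldap_server = $ARGV[0] || 'dc1';
my $ca_file     = $ENV{AD_CA_FILE} || '/etc/ssl/certs/ad-ca.pem';
# Keep credentials out of the script; the name can be a DN or a UPN.
my $bind_user   = $ENV{AD_BIND_USER} or die "AD_BIND_USER not set\n";
my $bind_pass   = $ENV{AD_BIND_PASS} or die "AD_BIND_PASS not set\n";

my $ldapobj = Net::LDAP->new($ldap_server, timeout => 10)
    or die "Could not connect: $@";

# Upgrade to TLS before any credentials are sent, and require a server
# certificate that chains to the given CA.
my $tls = $ldapobj->start_tls(verify => 'require', cafile => $ca_file);
die "StartTLS failed: " . $tls->error . "\n" if $tls->code;

# bind returns a message object; a failed bind does not die on its own.
my $bind = $ldapobj->bind($bind_user, password => $bind_pass);
die "Bind failed: " . $bind->error . "\n" if $bind->code;

# Find the domain naming context from the RootDSE.
my $root = $ldapobj->root_dse(attrs => ['defaultNamingContext'])
    or die "Could not read RootDSE\n";
my $base = $root->get_value('defaultNamingContext')
    or die "RootDSE has no defaultNamingContext\n";

# Authenticated query: read two attributes of the domain object itself.
my $result = $ldapobj->search(
    base   => $base,
    scope  => 'base',
    filter => '(objectClass=*)',
    attrs  => ['distinguishedName', 'whenCreated'],
);
die "Search failed: " . $result->error . "\n" if $result->code;

foreach my $entry ($result->entries) {
    foreach my $attr (sort $entry->attributes) {
        print "$attr: $_\n" for $entry->get_value($attr);
    }
}

$ldapobj->unbind;
```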

18.4.3 Discussion

The Net::LDAP modules are a robust set of modules for querying and modifying an LDAP directory. Net::LDAP also supports DSML, the abstract schema, and LDIF. Net::LDAP is a native Perl implementation, which means that it does not rely on an external LDAP SDK. Since it is a pure Perl implementation, you can write Net::LDAP-based scripts on a variety of platforms to interface with Active Directory or other LDAP-based directories. Graham Barr initially developed the Net::LDAP modules and more information can be found about the modules on the following web site:

The Win32::OLE modules provide an interface into Microsoft's Component Object Model (COM). Most of the ADSI classes and methods are available from the COM automation interface, known as IDispatch. This allows you to combine the flexibility of Perl with the robustness of ADSI. Documentation for the Win32::OLE module can be found at

18.4.4 See Also

to download Perl modules
