LDAP Search

Valve for searching LDAP v3 directories

Introduction

Prerequisites

Before using this valve the LdapClient module must be configured and deployed.

Configuration

Valve name: LDAPSearch

Common LDAP valve configuration can be found here.

Name Description Default value Mandatory Expanded

Name	Description	Default value
`base_dn`	Search base DN.
`scope`	Search scope.	`"SUB"`
`filter`	Search filter.
`attributes`	Specification of attributes to include in search response. `("*" = all attributes)`	`"*"`
`filter_allow_wildcard`	Allow filters with wildcard (*)	`false`
`filter_escape`	If special characters in the filter should be escaped.	`true`
`expected_item_count`	The valve will fail if this value is set (integer) and the result count differs from this value.

base_dn

Search base DN.

scope

Search scope.

"SUB"

filter

Search filter.

attributes

Specification of attributes to include in search response.

("*" = all attributes)

"*"

filter_allow_wildcard

Allow filters with wildcard (*)

false

filter_escape

If special characters in the filter should be escaped.

true

expected_item_count

The valve will fail if this value is set (integer) and the result count differs from this value.

{
  "name" : "LDAPSearch",
  "config" : {
    "destination" : "default",
    "base_dn" : "dc=example,dc=com",
    "scope" : "SUB",
    "attributes" : [ {
      "name" : "uid",
      "multivalue" : false
    }, {
      "name" : "cn",
      "multivalue" : false
    }, {
      "name" : "mail",
      "multivalue" : true
    } ],
    "expected_item_count" : 1
  }
}

Search scopes

The following search scopes are supported:

BASE
SUB
SUBORDINATE_SUBTREE
ONE

Filter

{
    "filter": "uid=*"
}

Attributes specification

The attributes specification is used for defining the entry attributes to include in the search response. If not specified; all non-operational attributes will returned.

For single valued attributes, the specification can be a comma separated list or an array of attribute names:

"uid,cn,mail,userCertificate;binary"

["uid","cn","mail","userCertificate;binary"]

To enable multi value attributes the specification must be an array of attribute spec objects:

{
    "attributes": [
        {
            "name": "uid",
            "multivalue": false
        },
        {
            "name": "cn",
            "multivalue": false
        },
        {
            "name": "mail",
            "multivalue": true
        },
        {
            "name": "jpegPhoto",
            "multivalue": false,
            "binary": true
        }
    ]
}

All attributes are treated as single valued unless specifically configured as multi valued. If an attribute configured as single valued has multiple values in the directory; only the first value will be used.

For correct treatment of binary attributes, they must be tagged as binary either by using the binary attribute option "attribute;binary" or by setting "binary": true in the attribute spec.

Binary attributes are encoded in base 64. To use them in another representation they must explicitly be converted.

PreviousLDAP NextLDAP Group Filter