The ldap task supports several search queries to an LDAP server.
Possible search operations are:

searchByDn
getUser
getGroup
isMemberOf
To be able to use the ldap task in a Concord flow, it must be added as a
dependency:

configuration:
  dependencies:
  - mvn://com.walmartlabs.concord.plugins:ldap-task:1.32.3

This adds the task to the classpath and allows you to invoke the LDAP task.
The ldap task allows users to make search queries to an LDAP server as a step of
a flow. It uses a number of required input parameters that are common for all
operations:

action
: determines the operation to be performed with the current invocation of the
LDAP task

ldapAdServer
: URL to the LDAP server, e.g. ldap://hostname.domain.com:3268

bindUserDn
: the identifier of the account which is used to bind to the LDAP server for
the operation

bindPassword
: the password of the bindUserDn identifier, typically provided by usage of the
Crypto task

searchBase
: defines the starting point for the search in the directory tree, e.g.
DC=subdomain,DC=domain,DC=com

out
: optional, the variable where the result is stored. If not specified,
ldapResult is used.

The ldapAdServer, bindUserDn, and bindPassword variables configure the
connection to the LDAP server. They are best configured globally as default
process configuration with an ldapParams argument:
configuration:
  arguments:
    ldapParams:
      ldapAdServer: "ldap://hostname.domain.com:3268"
      bindUserDn: "CN=example,CN=Users,DC=subdomain,DC=domain,DC=com"
      bindPassword: "${crypto.exportAsString("bindPassword", "myStorePassword")}"
A minimal configuration taking advantage of a globally configured LDAP
connection includes the action to perform, the searchBase, and any additional
parameters needed for the action:

flows:
  default:
  - task: ldap
    in:
      action: getUser
      searchBase: "DC=subdomain,DC=domain,DC=com"
      user: "userId"
    ...
The LDAP task can be used to search for an LDAP entry by DN (Distinguished Name)
with the searchByDn action.

flows:
  default:
  - task: ldap
    in:
      action: searchByDn
      searchBase: "DC=subdomain,DC=domain,DC=com"
      dn: "CN=exampleCN1,CN=exampleCN2,DC=subdomain,DC=domain,DC=com"
      out: searchByDnResult
Additional parameters to use are:

dn
: the distinguished name of the LDAP entry

The LDAP task can be used to search for a user with the getUser action.
flows:
  default:
  - task: ldap
    in:
      action: getUser
      searchBase: "DC=subdomain,DC=domain,DC=com"
      user: ${initiator.username}
      out: getUserResult
Additional parameters to use are:

user
: the user id, email address, or user principal name to search for

The LDAP task can be used to search for a group with the getGroup action. You
can specify whether it is a security group or not with securityEnabled.
flows:
  default:
  - task: ldap
    in:
      action: getGroup
      searchBase: "DC=subdomain,DC=domain,DC=com"
      group: "mySecurityGroupName"
      securityEnabled: true
      out: getGroupResult
Additional parameters to use are:

group
: the name of the group to search for

securityEnabled
: a boolean (true/false) that determines whether to search for a security
group or not

The LDAP task can be used to check whether a user is a member of a particular
group, including recursive searching through nested groups, with the isMemberOf
action.
flows:
  default:
  - task: ldap
    in:
      action: isMemberOf
      searchBase: "DC=subdomain,DC=domain,DC=com"
      user: ${initiator.username}
      group: "mySecurityGroupName"
      securityEnabled: true
      out: isMemberOfResult
Additional parameters to use are:

user
: the user id, email address, or user principal name to search for

group
: the name of the group to check membership of

securityEnabled
: a boolean (true/false) that determines whether to search for a security
group or not
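The following is an added illustration, not the Concord plugin's own code, of the directory lookups that the getUser, getGroup and isMemberOf actions above describe: matching a user by id, email address or user principal name, restricting a group lookup by securityEnabled, and walking nested groups recursively. It runs against a small constructed in-memory directory instead of a real server, and it assumes Active Directory attribute conventions (sAMAccountName, mail, userPrincipalName, member, and the security bit in groupType); the function names and the data are this example's own. The two sample groups deliberately contain each other, so the recursive walk has to tolerate a cycle, which is the case a naive implementation loops on.

```python
"""Illustration of the lookups behind the ldap task's getUser, getGroup and
isMemberOf actions, run against a tiny in-memory directory instead of a real
server. Added example, not the Concord plugin's code."""
from typing import Dict, List, Optional

# Assumption: Active Directory conventions. A group's groupType attribute has
# this bit set for security groups and clear for distribution groups. (AD
# exposes groupType as a signed 32-bit value, so real servers return negative
# numbers; the flag is treated as unsigned here for readability.)
SECURITY_GROUP_FLAG = 0x80000000
GLOBAL_SCOPE = 0x2

BASE = "DC=subdomain,DC=domain,DC=com"
USERS = "CN=Users," + BASE

# Constructed sample directory: DN -> attributes. The devs/engineering groups
# contain each other on purpose, so the membership walk must survive a cycle.
DIRECTORY: Dict[str, Dict] = {
    f"CN=alice,{USERS}": {
        "objectClass": "user", "sAMAccountName": "alice",
        "mail": "alice@domain.com", "userPrincipalName": "alice@subdomain.domain.com",
    },
    f"CN=bob,{USERS}": {
        "objectClass": "user", "sAMAccountName": "bob",
        "mail": "bob@domain.com", "userPrincipalName": "bob@subdomain.domain.com",
    },
    f"CN=devs,{USERS}": {
        "objectClass": "group", "sAMAccountName": "devs",
        "groupType": SECURITY_GROUP_FLAG | GLOBAL_SCOPE,
        "member": [f"CN=alice,{USERS}", f"CN=engineering,{USERS}"],
    },
    f"CN=engineering,{USERS}": {
        "objectClass": "group", "sAMAccountName": "engineering",
        "groupType": SECURITY_GROUP_FLAG | GLOBAL_SCOPE,
        "member": [f"CN=devs,{USERS}", f"CN=bob,{USERS}"],
    },
    f"CN=newsletter,{USERS}": {  # distribution group: security bit not set
        "objectClass": "group", "sAMAccountName": "newsletter",
        "groupType": GLOBAL_SCOPE,
        "member": [f"CN=alice,{USERS}"],
    },
}


def in_search_base(dn: str, search_base: str) -> bool:
    """True if dn sits at or below search_base in the tree (DNs compare case-insensitively)."""
    return dn.lower().endswith(search_base.lower())


def get_user(search_base: str, user: str) -> Optional[str]:
    """DN of the user whose sAMAccountName, mail, or userPrincipalName equals `user`."""
    if not user:
        return None
    needle = user.lower()
    for dn, attrs in DIRECTORY.items():
        if attrs.get("objectClass") != "user" or not in_search_base(dn, search_base):
            continue
        candidates = {attrs.get(a, "").lower() for a in ("sAMAccountName", "mail", "userPrincipalName")}
        if needle in candidates:
            return dn
    return None


def get_group(search_base: str, group: str, security_enabled: bool = True) -> Optional[str]:
    """DN of the group named `group`, restricted to security or distribution groups."""
    for dn, attrs in DIRECTORY.items():
        if attrs.get("objectClass") != "group" or not in_search_base(dn, search_base):
            continue
        if attrs.get("sAMAccountName", "").lower() != group.lower():
            continue
        is_security = bool(attrs.get("groupType", 0) & SECURITY_GROUP_FLAG)
        if is_security == security_enabled:
            return dn
    return None


def is_member_of(search_base: str, user: str, group: str, security_enabled: bool = True) -> bool:
    """Recursive membership check: follow nested groups, visiting each group only once."""
    user_dn = get_user(search_base, user)
    group_dn = get_group(search_base, group, security_enabled)
    if user_dn is None or group_dn is None:
        return False
    seen = set()
    stack: List[str] = [group_dn]
    while stack:
        current = stack.pop()
        if current in seen:  # already expanded: this is where a cycle is cut
            continue
        seen.add(current)
        for member_dn in DIRECTORY.get(current, {}).get("member", []):
            if member_dn == user_dn:
                return True
            if DIRECTORY.get(member_dn, {}).get("objectClass") == "group":
                stack.append(member_dn)
    return False


if __name__ == "__main__":
    print(get_user(BASE, "alice@domain.com"))
    print(is_member_of(BASE, "alice", "engineering"))  # True, via the nested devs group
    print(is_member_of(BASE, "alice", "newsletter"))   # False: newsletter is not a security group
```

Two behaviours are worth noting when reading results from the real task. A lookup outside searchBase returns nothing, so a user that exists elsewhere in the forest is reported as absent rather than found; and with securityEnabled set to true, membership of a distribution group is reported as false even though the user is listed as a member, so the flag must match the kind of group you are checking.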