LDAP Task

The ldap task supports several search queries to an LDAP server.

Possible search operations are:

  • Search By DN
  • Get User
  • Get Group
  • Is Member Of

Usage

To be able to use the ldap task in a Concord flow, it must be added as a dependency:

configuration:
  dependencies:
  - mvn://com.walmartlabs.concord.plugins:ldap-task:1.32.3

This adds the task to the classpath and allows you to invoke the LDAP task.

Overview

The ldap task allows users to make search queries to an LDAP server as a step of a flow. It uses a number of required input parameters that are common for all operations:

  • action: determines the operation to be performed with the current invocation of the LDAP task
  • ldapAdServer: URL to the LDAP server, e.g. ldap://hostname.domain.com:3268
  • bindUserDn: the identifier of the account which is used to bind to the LDAP server for the operation
  • bindPassword: the password of the bindUserDn identifier, typically provided using the Crypto task
  • searchBase: defines the starting point for the search in the directory tree, e.g. DC=subdomain,DC=domain,DC=com
  • out: optional, the variable in which the result is stored. If not specified, ldapResult is used.

The ldapAdServer, bindUserDn, and bindPassword variables configure the connection to the LDAP server. They are best configured globally as default process configuration with an ldapParams argument:

configuration:
  arguments:
    ldapParams:
      ldapAdServer: "ldap://hostname.domain.com:3268"
      bindUserDn: "CN=example,CN=Users,DC=subdomain,DC=domain,DC=com"
      bindPassword: "${crypto.exportAsString('bindPassword', 'myStorePassword')}"

A minimal configuration taking advantage of the globally configured connection parameters includes the action to perform, the searchBase, and any additional parameters needed for the action:

flows:
  default:
  - task: ldap
    in:
      action: getUser
      searchBase: "DC=subdomain,DC=domain,DC=com"
      user: "userId"
      ....

Search By DN

The LDAP task can be used to search for an LDAP entry by DN (Distinguished Name) with the searchByDn action.

flows:
  default:
  - task: ldap
    in:
      action: searchByDn
      searchBase: "DC=subdomain,DC=domain,DC=com"
      dn: "CN=exampleCN1,CN=exampleCN2,DC=subdomain,DC=domain,DC=com"
      out: searchByDnResult

Additional parameters to use are:

  • dn: the distinguished name of the LDAP entry

Get User

The LDAP task can be used to search for a user with the getUser action.

flows:
  default:
  - task: ldap
    in:
      action: getUser
      searchBase: "DC=subdomain,DC=domain,DC=com"
      user: ${initiator.username}
      out: getUserResult

Additional parameters to use are:

  • user: the user id, email address, or user principal name to search for

Get Group

The LDAP task can be used to search for a group with the getGroup action. You can specify whether it is a security group or not with the securityEnabled parameter.

flows:
  default:
  - task: ldap
    in:
      action: getGroup
      searchBase: "DC=subdomain,DC=domain,DC=com"
      group: "mySecurityGroupName"
      securityEnabled: true
      out: getGroupResult

Additional parameters to use are:

  • group: the identifier of the group
  • securityEnabled: a boolean (true/false) that determines whether to search for a security group or not

Is Member Of

The LDAP task can be used to check whether a user is a member of a particular group, including recursive searching, with the isMemberOf action.

flows:
  default:
  - task: ldap
    in:
      action: isMemberOf
      searchBase: "DC=subdomain,DC=domain,DC=com"
      user: ${initiator.username}
      group: "mySecurityGroupName"
      securityEnabled: true
      out: isMemberOfResult

Additional parameters to use are:

  • user: the user id, email address, or user principal name to search for
  • group: the identifier of the group
  • securityEnabled: a boolean (true/false) that determines whether to search for a security group or not
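
A pre-flight check for the parameters described on this page, as an added example (not part of the Concord project or its documentation): it takes a step's `in` mapping and the global ldapParams as already-parsed YAML and reports missing parameters and a hard-coded bindPassword. The function name lint_ldap_step, the treatment of ldapParams as defaults overridden by `in`, and treating securityEnabled as optional are assumptions; the sample mappings are constructed.

```python
import re

# Parameters the page lists as required for every action.
COMMON = ("action", "ldapAdServer", "bindUserDn", "bindPassword", "searchBase")
# Per-action parameters from the page (securityEnabled is treated as optional).
PER_ACTION = {"searchByDn": ("dn",), "getUser": ("user",),
              "getGroup": ("group",), "isMemberOf": ("user", "group")}
EXPR = re.compile(r"^\$\{.+\}$", re.S)  # value starts and ends as ${...}


def is_expr(value):
    return isinstance(value, str) and EXPR.match(value.strip()) is not None


def lint_ldap_step(step_in, ldap_params=None):
    """Return findings for one `task: ldap` step (parsed YAML mappings)."""
    # Assumption: ldapParams act as defaults that the step's `in` overrides.
    effective = {**(ldap_params or {}), **step_in}
    findings = [f"missing required parameter: {k}"
                for k in COMMON if effective.get(k) in (None, "")]
    action = effective.get("action")
    if action is not None and action not in PER_ACTION:
        findings.append(f"unknown action: {action}")
    for k in PER_ACTION.get(action, ()):
        if k not in effective:
            findings.append(f"{action} needs parameter: {k}")
    pw = effective.get("bindPassword")
    if pw not in (None, "") and not is_expr(pw):
        findings.append("bindPassword is a literal; load it via the Crypto task")
    sec = effective.get("securityEnabled")
    if sec is not None and not isinstance(sec, bool) and not is_expr(sec):
        findings.append("securityEnabled must be a boolean (true/false)")
    return findings


# Constructed sample input, shaped like the page's examples after YAML parsing.
LDAP_PARAMS = {
    "ldapAdServer": "ldap://hostname.domain.com:3268",
    "bindUserDn": "CN=example,CN=Users,DC=subdomain,DC=domain,DC=com",
    "bindPassword": "${crypto.exportAsString('bindPassword', 'myStorePassword')}",
}
GOOD_STEP = {"action": "isMemberOf", "searchBase": "DC=subdomain,DC=domain,DC=com",
             "user": "${initiator.username}", "group": "mySecurityGroupName",
             "securityEnabled": True}
# Constructed bad step: hard-coded password override and no group.
BAD_STEP = {"action": "isMemberOf", "searchBase": "DC=subdomain,DC=domain,DC=com",
            "user": "${initiator.username}", "bindPassword": "constructed-literal"}

if __name__ == "__main__":
    for name, step in (("good", GOOD_STEP), ("bad", BAD_STEP)):
        print(name, lint_ldap_step(step, LDAP_PARAMS))
```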