Edit this page on GitHub

Home > docs > plugins > LDAP Task

LDAP Task

The ldap task supports several search queries to an LDAP server.

Possible search operations are:

Usage

To be able to use the ldap task in a Concord flow, it must be added as a dependency:

configuration:
  dependencies:
  - mvn://com.walmartlabs.concord.plugins:ldap-task:1.17.0

This adds the task to the classpath and allows you to invoke the LDAP task.

Overview

The ldap task allows users to make search queries to an LDAP server as a step of a flow. It uses a number of required input parameters that are common for all operations:

  • action: determines the operation to be performed with the currennt invocation of the LDAP task
  • ldapAdServer: URL to the LDAP server, e.g ldap://hostname.domain.com:3268
  • bindUserDn: the identifier of the account which is used to bind to the LDAP server for the operation
  • bindPassword: the password of the bindUserDn identifier, typically provided by usage of the Crypto task
  • searchBase: defines the starting point for the search in the directory tree, e.g. DC=subdomain,DC=domain,DC=com
  • out: optional, the variable where the result is stored in. If not specified, ldapResult is used.

The ldapAdServer, bindUserDn, and bindPassword variables configure the connection to the LDAP server. It is best configured globally as default process configuration: with an ldapParams argument:

configuration:
  arguments:
    ldapParams:
      ldapAdServer: "ldap://hostname.domain.com:3268"
      bindUserDn: "CN=example,CN=Users,DC=subdomain,DC=domain,DC=com"
      bindPassword: "${crypto.exportAsString("bindPassword", "myStorePassword")}"

A minimal configuration taking advantage of a globally configured API URL includes the action to perform, the searchBase, and any additional parameters needed for the action:

flows:
  default:
  - task: ldap
    in:
      action: getUser
      searchBase: "DC=subdomain,DC=domain,DC=com"
      user: "userId"
      ....

Search By DN

The LDAP task can be used to search for an LDAP entry by DN (Distinguished Name) with the searchByDn action.

flows:
  default:
  - task: ldap
    in:
      action: searchByDn
      searchBase: "DC=subdomain,DC=domain,DC=com"
      dn: "CN=exampleCN1,CN=exampleCN2,DC=subdomain,DC=domain,DC=com"
      out: searchByDnResult

Additional parameters to use are:

  • dn: the distinguished name of the LDAP entry

Get User

The LDAP task can be used to search for a user with the getUser action.

flows:
  default:
  - task: ldap
    in:
      action: getUser
      searchBase: "DC=subdomain,DC=domain,DC=com"
      user: ${initiator.username}
      out: getUserResult

Additional parameters to use are:

  • user: the user id, email address, or user principal name to search for

Get Group

The LDAP task can be used to search for a group with the getUser action. You can specifiy whether it is a security group or not by securityEnabled

flows:
  default:
  - task: ldap
    in:
      action: getGroup
      searchBase: "DC=subdomain,DC=domain,DC=com"
      group: "mySecurityGroupName"
      securityEnabled: true
      out: getGroupResult

Additional parameters to use are:

  • group: the identifier of the issue
  • securityEnabled: a boolean (true/false) that determines whether to search for security group or not

Is Member Of

The LDAP task can be used to check whether a user is a member of a particular group, includeing recursive searching, with the isMemberOf action.

flows:
  default:
  - task: ldap
    in:
      action: isMemberOf
      searchBase: "DC=subdomain,DC=domain,DC=com"
      user: ${initiator.username}
      group: "mySecurityGroupName"
      securityEnabled: true
      out: isMemberOfResult
  • user: the user id, email address, or user principal name to search for
  • group: the identifier of the issue
  • securityEnabled: a boolean (true/false) that determines whether to search for security group or not