
LDAP

This module contains functions for performing searches against an LDAP server. They are designed to be called on an LDAP-enabled environment to download object attributes for building reports.

Notes:

  • Environment must be LDAP enabled
  • Connection to server must be already established (i.e. by a user having logged in)
  • Filter length is restricted to 4095 chars

For more information on LDAP support, please refer to the Kx Control documentation.

.pm.ldap.filteredSearch

Used to search the LDAP server for specific objects and extract associated attributes. Generally used to find users or groups. The search starts from a base location and looks for specific objects based on the filter parameter. The specified attributes are then returned for each object.

The baseDN parameter is optional and will be filled with the globdn parameter if not specified.

Parameters:

Name        Type    Description
baseDN      string  Base location to search
filter      string  Search filter for objects
attributes  string  Attributes to fetch

Returns:

Type   Description
table  Table of objects and attributes

Example: Extract name and mail for users under ou=FDL,dc=fd,dc=com

 filter:"&(objectClass=user)(objectCategory=person)";
 .pm.ldap.filteredSearch["DC=domain,DC=com"; filter; `cn`mail]
 /=> cn        mail
 /=> -------------------------
 /=> John Doe  jdoe@domain.com
 /=> ..

Example:

 filter:"&(objectClass=user)(objectCategory=person)(|(memberOf=CN=London,OU=Groups,OU=Users And Groups,DC=domain,DC=com)(memberOf=CN=Proxy,OU=IT,OU=Groups,OU=Users And Groups,DC=domain,DC=com))";
 .pm.ldap.filteredSearch["DC=domain,DC=com"; filter; `cn`mail`distinguishedName]
 /=> cn        distinguishedName                                                 mail
 /=> -------------------------------------------------------------------------------------------
 /=> John Doe  CN=John Doe,OU=Users,OU=Users And Groups,OU=FDL,DC=domain,DC=com  jdoe@domain.com
 /=> ..
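
Group names can contain characters that are special in LDAP filters, and a long list of groups can push a filter past the 4095-character limit noted above. The following is an added example, not part of the Kx documentation or code: it escapes each value per RFC 4515 and splits the group list across several filters that each fit the limit. The .ex namespace and every name in it are hypothetical, and groups are assumed to be passed as a list of strings.

```q
/ Added example, not Kx code. The .ex namespace and all names in it are hypothetical.
.ex.MAXLEN:4095            / filter length limit stated in the module notes
.ex.SPECIAL:"\\*()\000"    / backslash, asterisk, parentheses and NUL

/ RFC 4515: replace each special character with a backslash and its two hex digits
.ex.escChar:{[c] $[c in .ex.SPECIAL; "\\",string "x"$c; enlist c]}
.ex.esc:{[s] raze .ex.escChar each s}

/ one "(attr=value)" clause per group, with the value escaped
.ex.clauses:{[attr; groups] {[a;g] "(",a,"=",.ex.esc[g],")"}[string attr] each groups}

/ greedy packing step: state is (batch id; characters used in that batch)
.ex.step:{[room; st; n] $[room<n+st 1; (1+st 0; n); (st 0; n+st 1)]}

/ build one or more filters "base(|clause..)" that each fit within .ex.MAXLEN
.ex.filters:{[base; attr; groups]
  c:.ex.clauses[attr; groups];
  n:count each c;
  room:.ex.MAXLEN-count[base]+count "(|)";
  if[any room<n; '"a single group clause does not fit in the filter limit"];
  ids:first each .ex.step[room]\[0 0; n];
  {[b;x] b,"(|",raze[x],")"}[base] each c value group ids}

/ constructed sample: the second group name contains parentheses
grps:("CN=London,OU=Groups,OU=Users And Groups,DC=domain,DC=com";
  "CN=Proxy (EMEA),OU=IT,OU=Groups,OU=Users And Groups,DC=domain,DC=com")
fs:.ex.filters["&(objectClass=user)(objectCategory=person)"; `memberOf; grps]

/ in an LDAP-enabled environment: one search per filter, results merged
/ res:distinct raze .pm.ldap.filteredSearch["DC=domain,DC=com"; ; `cn`mail] each fs
```

The escaping covers only the filter syntax; a DN that contains commas or other characters special under RFC 4514 must already be correctly escaped as a DN before it is passed in.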

.pm.ldap.getGroupUsers

This API can be used to download all users that are members of specified groups. An example use case is comparing group members on the server against those in Control, which can help narrow down users who have never logged in.

For Active Directory, the attribute should usually be memberOf and bind should be sAMAccountName.

Parameters:

Name       Type      Description
baseDN     string    Base location to search
filter     string    Search filter for objects
attribute  symbol    Attribute that describes group membership.
groups     symbol[]  List of groups to check membership of. If not specified, will use the configured groups in Control.
bind       symbol    Attribute to extract. Will default to configured bind value.

Returns:

Type   Description
table  Table of bind attributes for each user

Example:

 grps:`$("CN=London,OU=Groups,OU=Users And Groups,DC=domain,DC=com";"CN=Proxy,OU=IT,OU=Groups,OU=Users And Groups,DC=domain,DC=com")
 filter:"&(objectClass=user)(objectCategory=person)"
 .pm.ldap.getGroupUsers["DC=domain,DC=com"; filter; `memberOf; grps; `sAMAccountName]
 /=> sAMAccountName
 /=> --------------
 /=> "jdoe"
 /=> ..