LDAP
This module contains functions for performing searches against an LDAP server. They are designed to be called on an LDAP-enabled environment to download object attributes for building reports.
Notes:
- Environment must be LDAP enabled
- Connection to server must be already established (i.e. by a user having logged in)
- Filter length is restricted to 4095 chars
For more information on LDAP support, please refer to the KX Control documentation.
.pm.ldap.endSearchSession
Terminates an active LDAP search session
Returns:
Type | Description |
---|---|
Boolean | Successful termination of search session |
Example:
.pm.ldap.endSearchSession[]
/=> 1b
.pm.ldap.filteredSearch
Deprecated:
Used to search the LDAP server for specific objects and extract associated attributes. Generally used to find users or groups. The search starts from a base location and looks for specific objects based on the filter parameter. The specified attributes are then returned for each object.
The baseDN parameter is optional and will be filled with the globdn parameter if not specified.
A search session must be initialized before use.
Parameters:
Name | Type | Description |
---|---|---|
baseDN | string | Base location to search |
filter | string | Search filter for objects |
attributes | string | Attributes to fetch |
Returns:
Type | Description |
---|---|
table | Table of objects and attributes |
Example: Extract name and mail for users under ou=FDL,dc=fd,dc=com
filter:"&(objectClass=user)(objectCategory=person)";
.pm.ldap.filteredSearch["DC=domain,DC=com"; filter; `cn`mail]
/=> cn mail
/=> -------------------------
/=> John Doe jdoe@domain.com
/=> ..
Example:
filter:"&(objectClass=user)(objectCategory=person)(|(memberOf=CN=London,OU=Groups,OU=Users And Groups,DC=domain,DC=com)(memberOf=CN=Proxy,OU=IT,OU=Groups,OU=Users And Groups,DC=domain,DC=com))";
.pm.ldap.filteredSearch["DC=domain,DC=com"; filter; `cn`mail`distinguishedName]
/=> cn distinguishedName mail
/=> -------------------------------------------------------------------------------------------
/=> John Doe CN=John Doe,OU=Users,OU=Users And Groups,OU=FDL,DC=domain,DC=com jdoe@domain.com
/=> ..
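The filter argument of .pm.ldap.filteredSearch (and of .pm.ldap.getGroupUsers and .pm.ldap.runSearch) is a plain string, built by concatenation in the examples above. When any part of it comes from outside the script (a user- or request-supplied account name, for instance), the value must be escaped as RFC 4515 requires, otherwise characters such as ( ) * and \ in the value change the meaning of the filter. The following is an added example, not code from the KX Control API or its documentation: the .pm.ldap.* names are the page's, the .ex.* names, the escape helpers and the sample name are assumptions, and the length check reflects the 4095-character limit stated in the notes.

```q
/ RFC 4515 escape table: filter metacharacter -> backslash-hex form
/ (the null character is included because RFC 4515 requires it to be escaped)
.ex.esc:("\\*()","c"$0x00)!("\\5c";"\\2a";"\\28";"\\29";"\\00");

/ Escape one assertion value; accepts a string, a symbol or a char atom
.ex.escape:{[v]
  v:$[10h=type v; v; -10h=type v; enlist v; string v];
  $[count v; raze {$[x in key .ex.esc; .ex.esc x; enlist x]} each v; ""]
 };

/ Equality assertion "(attr=value)"; attr is a symbol, value is escaped
.ex.eq:{[attr;val] "(",string[attr],"=",.ex.escape[val],")"};

/ Combine assertions with AND / OR in the fully parenthesised form used by runSearch
.ex.and:{[parts] "(&",raze[parts],")"};
.ex.or:{[parts] "(|",raze[parts],")"};

/ Final check against the 4095-character filter limit before it reaches the server
.ex.filter:{[f] if[4095<count f; '"ldap filter exceeds 4095 chars"]; f};

/ Constructed input: a display name that legitimately contains parentheses
name:"O'Brien (Contractor)";

/ Assumed usage: the same user/person constraint as the page's examples, restricted to one cn
f:.ex.filter .ex.and (.ex.eq[`objectClass;"user"]; .ex.eq[`objectCategory;"person"]; .ex.eq[`cn;name]);
.pm.ldap.filteredSearch["DC=domain,DC=com"; f; `cn`mail]
```

With the sample name the two parentheses are emitted as \28 and \29, so the server treats them as part of the cn value rather than as filter syntax. Only values are escaped; attribute names and the structural parentheses are produced by the builder functions and never taken from input, and an over-long filter is rejected in q rather than failing on the server.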
.pm.ldap.getGroupUsers
Deprecated:
This API downloads all users that are members of the specified groups. An example use case is to compare the group members on the server against the users configured in Control, e.g. to narrow down users who have never logged in.
For Active Directory, the attribute should usually be memberOf and bind should be sAMAccountName.
A search session must be initialized before use.
Parameters:
Name | Type | Description |
---|---|---|
baseDN | string | Base location to search |
filter | string | Search filter for objects |
attribute | symbol | Attribute that describes group membership. |
groups | symbol[] | List of groups to check membership of. If not specified, will use the configured groups in Control. |
bind | symbol | Attribute to extract. Will default to configured bind value. |
Returns:
Type | Description |
---|---|
table | Table of bind attributes for each user |
Example:
grps:`$("CN=London,OU=Groups,OU=Users And Groups,DC=domain,DC=com";"CN=Proxy,OU=IT,OU=Groups,OU=Users And Groups,DC=domain,DC=com")
filter:"&(objectClass=user)(objectCategory=person)"
.pm.ldap.getGroupUsers["DC=domain,DC=com"; filter; `memberOf; grps; `sAMAccountName]
/=> sAMAccountName
/=> --------------
/=> "jdoe"
/=> ..
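The comparison use case described above, as an added example that is not part of the KX Control API or its documentation: the LDAP table has the shape .pm.ldap.getGroupUsers returns (a sAMAccountName column of strings), but both tables here are constructed samples, and the Control-side columns (user, lastLogin) and the .ex.reconcile name are assumptions.

```q
/ Constructed: what .pm.ldap.getGroupUsers could return for the London and Proxy groups
ldapUsers:([] sAMAccountName:("jdoe";"asmith";"bwong"));

/ Constructed: users configured in Control with their last login (null = never logged in)
ctrlUsers:([] user:`jdoe`asmith`clee; lastLogin:(2024.01.05;0Nd;2023.11.20));

/ Compare the two populations and flag the cases an access review cares about
.ex.reconcile:{[ldap;ctrl]
  l:`$ldap`sAMAccountName;          / group members on the server, as symbols
  c:ctrl`user;                      / users known to Control
  `notInControl`notInGroup`neverLoggedIn!(
    l except c;                                          / in the AD group but unknown to Control
    c except l;                                          / in Control but no longer in the group
    exec user from ctrl where user in l, null lastLogin) / group members who never logged in
 };

.ex.reconcile[ldapUsers;ctrlUsers]
```

For the sample data, bwong is a group member with no Control account, clee is a Control user who is no longer in either group, and asmith is a group member who has never logged in. In a real run the first table would come from .pm.ldap.getGroupUsers with the page's memberOf and sAMAccountName arguments, and the second from Control's own user configuration.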
.pm.ldap.initSearchSession
Initiates an LDAP search session. Requires credentials for a user who is permitted to carry out searches on the target server.
Parameters:
Name | Type | Description |
---|---|---|
u | symbol | Username |
p | string | User password |
Returns:
Type | Description |
---|---|
Boolean | Successful initialization of search session |
Example:
.pm.ldap.initSearchSession[`searchUser; "searchPass"]
/=> 1b
.pm.ldap.runSearch
Wrapper around ldapSearch. A search session must be initialized before use.
Parameters:
Name | Type | Description |
---|---|---|
baseDn | symbol | The base of the subtree to search from |
scope | long | LDAP search depth |
filter | string | Search filter to apply |
attrs | symbol[] | Set of attributes to include in the result |
attrsOnly | integer | Should be set to a non-zero value if only attribute descriptions are wanted |
Returns:
Type | Description |
---|---|
dict | Search results |
Example: Extract name and mail for users under OU=FDL,DC=FD,DC=com
baseDn:`$"OU=Users,OU=Users And Groups,OU=FDL,DC=FD,DC=com";
filter:"(&(objectClass=*)(objectCategory=person))";
attributes:`cn`mail
.pm.ldap.runSearch[baseDn; 2; filter; attributes; 0]
/=> ReturnCode| 0i
/=> Entries | +`DN`Attributes!(("CN=User Name,OU=Users,....
/=> Referrals | ()