OXN-node-set ldap-lookup(string url, string rdn, string rdnPassword, string base_dn, string userSearch, string userPassword, string attributes)
The ldap-lookup()
function connects to an LDAP server with the given url
, rdn
and rdnPassword
. It then searches for a user by the given userSearch
. If a user is found, it connects with the user's DN and the given userPassword
. If the password is correct, an OXN JSON document is returned with at least the user's dn
and additional attributes given by attributes
. Otherwise an empty node-set is returned.
url
The ldap URL (string)
rdn
The (relative) distinguished name of the (system) user (string)
rdnPassword
The password of the (system) user (string)
base_dn
The base distinguished name for the directory, used for the search (string)
userSearch
The filter for searching a user (string)
userPassword
The user's password (string)
attributes
A comma-separated list of attributes to return (string)
In the following example, the LDAP server is connected with the DN given in $ldap_settings/bind_dn
and the password from $env/FLAT_SYSTEM_PASSWORD
. The given filter is used to search for an entry of a person which is a member of a group Users
and has the email address [email protected]
. In addition to the (default) dn
, the sAMAccountName
and mail
from the entry are added to the result.
<flow><eval out="$userSearch">concat("(&(objectClass=person)(memberOf=CN=Users,ou=People,dc=example,dc=com)([email protected]))")</eval><eval out="$attributes">"sAMAccountName,mail"</eval><eval out="$ldap">ldap-lookup($ldap_settings/url, $ldap_settings/bind_dn, $env/FLAT_SYSTEM_PASSWORD, "dc=example,dc=com", $userSearch, "myP4s5w0rD", $attributes)</eval><error if="not($ldap)">{"status": 403,"message": "ldap-lookup() failed"}</error></flow>
The result in the case of success, is
{"dn": "cn=John Doe,ou=People,dc=example,dc=com","sAMAccountName": "john.doe","mail": "[email protected]"}
In a real setup you would read the user (here [email protected]
) and password parameters from user input, such as the JSON request body (e.g. $body/json/username
and $body/json/password
).
The attributes returned from the function can then be used to set claims in a JWT token with jwt-encode()
.