LDAP Connector
Overview
The LDAP Connector provides access to a variety of LDAP-based systems. The Connector
supports both LDAP version 2 and 3.
Note that, unlike most Connectors, when inserting an object into an LDAP
directory you have to specify the object class attribute and the $dn attribute as
well as the other attributes. The following code sample, if inserted in the
Prolog, will define an attribute that you will be able to use later.
// This variable is used to set the object class attribute of entries you add.
// Each addValue call adds one more object class; the server needs all of them.
var objectClass = system.newAttribute("objectclass");
objectClass.addValue("top");
objectClass.addValue("person");
objectClass.addValue("inetorgperson");
objectClass.addValue("organizationalPerson");
Then your LDAP Connector must have an attribute called objectclass
with the following assignment:
ret.value = objectClass
(To see what kind of attributes the person class has, see http://ldap.hklc.com/objectclass.html?objectclass=person
. You will see there that you must supply sn and cn attributes in your
update/add Connector.)
In the Connector you will also need the $dn attribute, which builds up
the distinguished name. Assuming an attribute in the work object
called iuid, you will typically have code like:
// Build the entry's distinguished name from the iuid attribute of the work entry.
var tuid = work.getString("iuid");
ret.value = "uid=" + tuid + ",ou=people,o=metamerge.com";
Note that the two special attributes $dn and objectclass should
usually not be included in Modification in Update mode unless you want to move
entries in addition to updating them.
Configuration
The Connector needs the following parameters:
Parameter | Description
connectorType | com.architech.connector.rscLdap
connectorFlags | Flags to enable specific behaviour. {deleteEmptyStrings}: this flag causes the Connector to remove attributes containing only an empty string as value before updating the directory. See Notes for a full explanation. If you are using an LDAP version 3 server, you should definitely use this flag, as the value of an attribute cannot be an empty string.
ldapUrl | The LDAP URL for the connection (ldap://host:port).
ldapUsername | The distinguished name used for authentication to the server.
ldapPassword | The credentials (password).
ldapAuthenticationMethod | The authentication method. Possible values are: CRAM-MD5 (use the CRAM-MD5 SASL mechanism, RFC 2195); none (use no authentication, i.e. anonymous); simple (use weak authentication: cleartext password). If not specified, the default (simple) is used. If ldapUsername and ldapPassword are blank, anonymous is used.
ldapSearchBase | The search base to be used when iterating the directory. Specify a distinguished name. Some directories allow you to specify a blank string, which defaults to whatever the server is configured to do. Other directory services require this to be a valid distinguished name in the directory.
ldapSearchFilter | The search filter to be used when iterating the directory.
ldapNameParameter | Specifies which parameter in the AssemblyLine entry is used for naming the entry. This is used during add, modify and delete operations and returned during read and search operations. If not specified, "$DN" is used.
ldapPump | Some directories may not allow you to retrieve more than a specific number of entries per search request, called the size limit. If you are iterating a directory and this size limit is reached, the Connector will use the first and second character in this parameter to "pump" the directory service. If this parameter is specified as "AZ", the Connector will start with "A*" and repeatedly execute search operations against the directory until all entries have been returned. The pumping is recursive, so if a search of "A*" hits the size limit, the Connector will search "AA*", "AB*" etc. until all entries are returned. If this parameter is blank or not present, the Connector will abort on size limits. Be careful when using this parameter. Some directory servers are known to return a size limit after reading all entries from a search, so this method is not bullet proof. The latter may cause the Connector to read and process entries more than once.
ldapReturnAttributes 1) | A comma-separated list of attribute names to return during read/lookup operations. If not specified, all attributes are returned.
ldapPageSize 1) | A number. If specified, the LDAP Connector will try to use paged mode search. Paged mode causes the directory server to return a specific number of entries (called pages) instead of all entries in one chunk. Not all directory servers support this option. Do not specify ldapPump and this parameter at the same time.
1) Available from version 2000.3.57 and up
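The Overview builds the $dn from a work attribute by string concatenation, and ldapSearchFilter is likewise a plain string. Whenever either is built from values that originate outside the Connector, the special characters of RFC 4514 (distinguished names) and RFC 4515 (search filters) must be escaped, otherwise a value such as "doe, john" or "*" changes the meaning of the DN or filter. The following is an added example, not code from the Connector or from this page; it is plain JavaScript with no dependency on the AssemblyLine work/ret objects, and the base DN and the filter shape are assumed for illustration.

```javascript
// Added example (not part of the LDAP Connector): escaping helpers for building a
// distinguished name and a search filter from attribute values.

// RFC 4514 section 2.4: characters that must be escaped inside an RDN value.
function escapeDnValue(value) {
  var s = String(value);
  var out = "";
  for (var i = 0; i < s.length; i++) {
    var ch = s.charAt(i);
    if (ch === "\u0000") {
      out += "\\00";                       // NUL is written as \00
    } else if ('"+,;<>\\'.indexOf(ch) !== -1) {
      out += "\\" + ch;                    // separators and quotes get a backslash
    } else if (ch === "#" && i === 0) {
      out += "\\#";                        // a leading '#' would start a hex-encoded value
    } else if (ch === " " && (i === 0 || i === s.length - 1)) {
      out += "\\ ";                        // leading/trailing spaces are otherwise trimmed
    } else {
      out += ch;
    }
  }
  return out;
}

// Builds the entry DN the same way the Overview does, with the RDN value escaped.
// The base DN is an assumed sample value.
function buildDn(uid, baseDn) {
  return "uid=" + escapeDnValue(uid) + "," + baseDn;
}

// RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
function escapeFilterValue(value) {
  var s = String(value);
  var out = "";
  for (var i = 0; i < s.length; i++) {
    var ch = s.charAt(i);
    switch (ch) {
      case "*": out += "\\2a"; break;
      case "(": out += "\\28"; break;
      case ")": out += "\\29"; break;
      case "\\": out += "\\5c"; break;
      case "\u0000": out += "\\00"; break;
      default: out += ch;
    }
  }
  return out;
}

// A lookup filter for one uid; the surrounding filter shape is an assumption.
function buildUidFilter(uid) {
  return "(&(objectclass=person)(uid=" + escapeFilterValue(uid) + "))";
}
```

With escaping in place a uid of "*" becomes the literal assertion `(uid=\2a)` instead of a wildcard that matches every person, and a uid containing a comma stays inside its own RDN instead of adding a component to the DN.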
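The ldapPump description above gives one instance of the recursive prefix search ("A*" splitting into "AA*", "AB*", ...) and warns that some servers report a size limit even after delivering every entry, so the Connector may process entries more than once. The following added example (not the Connector's implementation) runs that algorithm against a constructed in-memory directory that enforces a size limit, keeps the entries a search delivered before the limit was reported, and counts how many entries came back a second time by de-duplicating on the DN; the sample entries and the search function are assumptions.

```javascript
// Added example (not the LDAP Connector's code): the recursive "pump" search from the
// ldapPump parameter, run against a constructed directory with a server-side size limit.

// Constructed sample directory: each entry has a dn and a cn.
var SAMPLE_ENTRIES = [
  "Aaron", "Abel", "Abigail", "Adam", "Alice", "Amy", "Anna", "Bob", "Carol", "Zed"
].map(function (cn) { return { dn: "cn=" + cn + ",ou=people,o=example", cn: cn }; });

// Simulates a server answering a "prefix*" search: it returns at most sizeLimit
// entries and flags that the limit was hit, as a real server does with
// sizeLimitExceeded.
function makeDirectory(entries, sizeLimit) {
  return function search(prefix) {
    var matches = entries.filter(function (e) {
      return e.cn.toUpperCase().indexOf(prefix.toUpperCase()) === 0;
    });
    return {
      entries: matches.slice(0, sizeLimit),
      sizeLimitExceeded: matches.length > sizeLimit
    };
  };
}

// pump = "AZ" means: start with "A*", go up to "Z*", and whenever a search hits the
// size limit, split it into "AA*", "AB*", ... recursively. Entries whose name
// continues with a character outside the first..last range are not reached by
// the split, which is inherent to the prefix scheme the parameter describes.
function pumpDirectory(search, pump, maxDepth) {
  var first = pump.charCodeAt(0), last = pump.charCodeAt(1);
  var seen = {};          // DN -> true, so over-reported size limits do not yield duplicates
  var results = [];
  var duplicates = 0;

  function addEntry(e) {
    if (seen[e.dn]) { duplicates++; return; }
    seen[e.dn] = true;
    results.push(e);
  }

  function collect(prefix, depth) {
    var res = search(prefix);
    res.entries.forEach(addEntry);        // keep what was delivered before the limit
    if (!res.sizeLimitExceeded) { return; }
    if (depth >= maxDepth) {
      throw new Error("size limit still hit at prefix " + prefix + "*; aborting");
    }
    for (var c = first; c <= last; c++) {
      collect(prefix + String.fromCharCode(c), depth + 1);
    }
  }

  for (var c = first; c <= last; c++) {
    collect(String.fromCharCode(c), 1);
  }
  return { entries: results, duplicates: duplicates };
}
```

Usage: pumpDirectory(makeDirectory(SAMPLE_ENTRIES, 3), "AZ", 4) returns all ten entries once, with duplicates counting the three "A" entries that were delivered first by "A*" and then again by "AA*" and "AB*". Without the seen map those three would be processed twice, which is the behaviour the parameter description warns about; the maxDepth guard is the added equivalent of the Connector aborting when no pump is configured.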
Notes
- If you cannot connect to your directory, make sure the Use SSL
flag (under Configuration) is set according to what the directory expects
...
- When connectorFlags contains the value {deleteEmptyStrings},
the LDAP Connector removes empty string values from each attribute. This may leave an attribute with no values (i.e. an empty value set).
If an attribute has an empty value set, a modify operation will DELETE the attribute from the entry in the directory;
otherwise a modify operation will REPLACE the attribute value(s).
An add operation will never include an empty attribute, since this is not "legal".
- When connectorFlags does NOT contain {deleteEmptyStrings},
empty strings are passed as legal values to the directory server. Most servers interpret a REPLACE request with an
empty string as the same as removing the attribute altogether.
If you want to control this behaviour yourself you can always call a function in your "Before Update" handler to modify the entry as in:
removeBlanks(work);
// Removes every attribute of the entry whose value is an empty string.
function removeBlanks(entry) {
var list = entry.getAttributeNames();
for (var i = 0; i < list.length; i++) {
if (entry.getString(list[i]) == "") {
entry.removeAttribute(list[i]);
}
}
}
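The notes above describe three outcomes for an attribute on its way to the directory: with {deleteEmptyStrings} an attribute left with no values becomes a DELETE and one that still has values a REPLACE, an add never carries an empty attribute, and without the flag empty strings go to the server as ordinary values. The following added example (not the Connector's code) plans those operations for a constructed entry so the two flag settings can be compared side by side; the entry shape (attribute name to array of strings) and the operation objects are assumptions, not the Connector's internal representation.

```javascript
// Added example (not part of the LDAP Connector): how an entry's attribute values
// map to modify/add operations with and without {deleteEmptyStrings}.

// Constructed entry: attribute name -> array of string values.
var SAMPLE_ENTRY = {
  cn: ["John Doe"],
  sn: ["Doe"],
  telephoneNumber: [""],                 // only an empty string
  mail: ["jdoe@example.invalid", ""]     // one real value plus an empty string
};

function hasDeleteEmptyStrings(flags) {
  return flags.indexOf("{deleteEmptyStrings}") !== -1;
}

// What the flag does: drop empty-string values, possibly leaving an empty value set.
function dropEmptyStrings(entry) {
  var out = {};
  Object.keys(entry).forEach(function (name) {
    out[name] = entry[name].filter(function (v) { return v !== ""; });
  });
  return out;
}

// Modify: DELETE when the value set is empty, REPLACE otherwise. Without the flag
// an empty string is sent as a value, which most servers treat like a removal.
function planModify(entry, flags) {
  var source = hasDeleteEmptyStrings(flags) ? dropEmptyStrings(entry) : entry;
  return Object.keys(source).map(function (name) {
    var values = source[name];
    return values.length === 0
      ? { op: "DELETE", attribute: name }
      : { op: "REPLACE", attribute: name, values: values };
  });
}

// Add: an attribute with no values is never included in the request.
function planAdd(entry, flags) {
  var source = hasDeleteEmptyStrings(flags) ? dropEmptyStrings(entry) : entry;
  var attrs = {};
  Object.keys(source).forEach(function (name) {
    if (source[name].length > 0) { attrs[name] = source[name]; }
  });
  return attrs;
}
```

Usage: planModify(SAMPLE_ENTRY, "{deleteEmptyStrings}") yields a DELETE for telephoneNumber and a REPLACE of mail with the single real address, while planModify(SAMPLE_ENTRY, "") sends telephoneNumber as a REPLACE with an empty string and leaves the outcome to the server, which is the ambiguity the flag removes.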
Downloads
Included in base product
See Also
JNDI Connector