LDAP
The Lightweight Directory Access Protocol (LDAP) is a software protocol that enables anyone to locate data about organizations, individuals, and other resources within a network, either on the public internet or company intranet. LDAP is commonly used to store usernames and passwords for authentication services. DolphinDB offers an LDAP plugin designed to search for entry information within an LDAP server, enabling third-party LDAP authentication logins in DolphinDB.
Installation (with installPlugin)
Required server version: DolphinDB 2.00.10 or higher
Supported OS: Linux x86-64.
Installation Steps:
(1) Use listRemotePlugins to check plugin information in the plugin repository.
Note: For plugins not included in the provided list, you can install through precompiled binaries or compile from source. These files can be accessed from our GitHub repository by switching to the appropriate version branch.
login("admin", "123456")
listRemotePlugins(, "http://plugins.dolphindb.com/plugins/")
(2) Invoke installPlugin for plugin installation.
installPlugin("LDAP")
(3) Use loadPlugin to load the plugin before using the plugin methods.
loadPlugin("LDAP")
Method References
search
Syntax
search(server, dn, password, searchBase, filter, [attrs], [version=3], [searchScope], [saslMechanism])
Details
The method searches entries within the LDAP server, returning a dictionary with STRING keys and ANY values. Each dictionary key represents an entry's dn. Each dictionary value is a nested dictionary with keys and values both of STRING type, indicating the attributes and their values of the corresponding dn.
Parameters
- server: A STRING scalar indicating the LDAP server address, which must start with "ldap://".
- dn: A STRING scalar indicating the bound account. If authentication is not required, this should be an empty string.
- password: A STRING scalar indicating the password of the bound account. If authentication is not required, this should be an empty string.
- searchBase: A STRING scalar indicating the base for the query.
- filter: A STRING scalar indicating the query filter. If left empty, it queries all entries under the specified searchBase.
- attrs (optional): A STRING vector indicating the attribute field names to be queried. If not empty, only the attributes specified in this vector are queried. Special usage includes:
  - Entering + returns all operational attributes.
  - Entering * returns all user attributes.
  - Using @ filters the output to include only the attributes contained in the specified class.
  For detailed descriptions of attrs, please refer to https://docs.ldap.com/ldap-sdk/docs/tool-usages/ldapsearch.html.
- version: An INT scalar indicating the LDAP protocol version. Possible values are 1, 2, or 3 (default).
- searchScope: A STRING scalar indicating the scope of the search. The default is LDAP_SCOPE_SUBTREE. Possible values include:
  - LDAP_SCOPE_BASE: Searches only the specified DN object itself, not including any sub-objects.
  - LDAP_SCOPE_ONELEVEL: Searches first-level sub-objects directly under the specified DN, excluding sub-objects of those sub-objects.
  - LDAP_SCOPE_SUBTREE: Searches all sub-objects and grandchild objects under the specified DN, including sub-objects of those sub-objects.
  - LDAP_SCOPE_SUBORDINATE: Searches only the direct sub-objects under the specified DN, excluding the specified DN itself and any of its grandchild objects.
- saslMechanism: A STRING scalar indicating the Simple Authentication and Security Layer (SASL) encryption method used when binding to the LDAP server. The default value is null, and only null value is supported currently.
Examples
This example demonstrates how to log into an LDAP server located at ldap://localhost using the account cn=admin,dc=sample,dc=com. The query is conducted based on the base dc=sample,dc=com and filters entries that match (cn=admin).
ret = LDAP::search("ldap://localhost","cn=admin,dc=sample,dc=com", "password", "dc=sample,dc=com", "(cn=admin)")
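To make the searchScope values and the shape of the returned dictionary concrete, here is an added, stand-alone Python model of the search. It is not the plugin's code (the plugin is a DolphinDB script talking to a real LDAP server) and it only models behaviour: it keeps a constructed in-memory directory loosely modelled on the dc=sample,dc=com tree above, supports only empty, simple (attr=value) and presence (attr=*) filters, and implements LDAP_SCOPE_SUBORDINATE with the OpenLDAP meaning (every entry below the base, the base entry itself excluded). The entry DNs, attribute values and function names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Added example: an in-memory model of LDAP::search, used to illustrate searchScope
# and the {dn: {attribute: value}} result shape. Not the DolphinDB plugin's own code.
LDAP_SCOPE_BASE = "LDAP_SCOPE_BASE"
LDAP_SCOPE_ONELEVEL = "LDAP_SCOPE_ONELEVEL"
LDAP_SCOPE_SUBTREE = "LDAP_SCOPE_SUBTREE"
LDAP_SCOPE_SUBORDINATE = "LDAP_SCOPE_SUBORDINATE"

Entry = Dict[str, str]

# Constructed sample directory (assumed content, modelled on the dc=sample,dc=com tree).
DIRECTORY: Dict[str, Entry] = {
    "dc=sample,dc=com": {"objectClass": "domain", "dc": "sample"},
    "cn=admin,dc=sample,dc=com": {
        "objectClass": "person", "cn": "admin",
        "facsimileTelephoneNumber": "admin", "telephoneNumber": "123456",
    },
    "ou=people,dc=sample,dc=com": {"objectClass": "organizationalUnit", "ou": "people"},
    "cn=alice,ou=people,dc=sample,dc=com": {
        "objectClass": "person", "cn": "alice",
        "facsimileTelephoneNumber": "alice_db", "telephoneNumber": "s3cret",
    },
}


def _rdns(dn: str) -> List[str]:
    # Split a DN into its RDNs; the sample DNs contain no escaped commas.
    return [rdn.strip().lower() for rdn in dn.split(",")]


def depth_below(dn: str, base: str) -> Optional[int]:
    """Levels by which dn sits below base (0 = the base itself); None if dn is outside base."""
    d, b = _rdns(dn), _rdns(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return None
    return len(d) - len(b)


def in_scope(dn: str, base: str, scope: str) -> bool:
    depth = depth_below(dn, base)
    if depth is None:
        return False
    if scope == LDAP_SCOPE_BASE:
        return depth == 0
    if scope == LDAP_SCOPE_ONELEVEL:
        return depth == 1
    if scope == LDAP_SCOPE_SUBTREE:
        return True
    if scope == LDAP_SCOPE_SUBORDINATE:
        # OpenLDAP meaning: the whole subtree below the base, excluding the base entry itself.
        return depth >= 1
    raise ValueError(f"unknown searchScope {scope!r}")


_SIMPLE_FILTER = re.compile(r"^\(([A-Za-z][A-Za-z0-9;-]*)=(.*)\)$")


def _unescape(value: str) -> str:
    # RFC 4515 hex escapes such as \2a inside an assertion value
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def matches_filter(entry: Entry, filt: str) -> bool:
    if filt == "":  # as on this page: an empty filter matches every entry under searchBase
        return True
    m = _SIMPLE_FILTER.match(filt)
    if m is None:
        raise ValueError("only single (attr=value) and (attr=*) filters are modelled")
    name, raw = m.group(1), m.group(2)
    stored = next((v for k, v in entry.items() if k.lower() == name.lower()), None)
    if stored is None:
        return False
    if raw == "*":  # presence filter
        return True
    return stored.lower() == _unescape(raw).lower()  # cn compares case-insensitively


def search(directory: Dict[str, Entry], search_base: str, filt: str,
           attrs: Optional[List[str]] = None,
           search_scope: str = LDAP_SCOPE_SUBTREE) -> Dict[str, Entry]:
    """Return {dn: {attribute: value}} for the in-scope entries that match filt."""
    result: Dict[str, Entry] = {}
    for dn, entry in directory.items():
        if not in_scope(dn, search_base, search_scope) or not matches_filter(entry, filt):
            continue
        if attrs is None:
            result[dn] = dict(entry)
        else:
            wanted = {a.lower() for a in attrs}
            result[dn] = {k: v for k, v in entry.items() if k.lower() in wanted}
    return result


if __name__ == "__main__":
    # The page's example: base dc=sample,dc=com, filter (cn=admin), default subtree scope
    print(search(DIRECTORY, "dc=sample,dc=com", "(cn=admin)"))
    for scope in (LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL, LDAP_SCOPE_SUBTREE, LDAP_SCOPE_SUBORDINATE):
        print(scope, sorted(search(DIRECTORY, "dc=sample,dc=com", "", search_scope=scope)))
```

Running the script with an empty filter and each scope in turn shows the difference the parameter makes on the same base: BASE returns only dc=sample,dc=com, ONELEVEL its two direct children, SUBTREE all four entries, and SUBORDINATE everything except the base entry.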
Configuration Instructions
1. Upload the plugin and configure it to load on startup
Upload the attached plugin archive to the server and extract it to <DolphinDB_installation_directory>/plugins.
In the Web Interface, set the preloadModules value to plugins::LDAP in both the Controller Config and Nodes Config. If preloadModules has been previously configured, separate the existing values with a comma.
2. Restart the cluster and define the login function view
Input parameters:
- username: STRING type.
- password: STRING type.
Return Value:
ANY VECTOR type. The first element is the DolphinDB account username and the second element is the DolphinDB account password.
The search method is used to connect to the LDAP server and obtain the DolphinDB account username and password that the login logic returns.
// Load the LDAP plugin
try { loadPlugin("plugins/LDAP/PluginLDAP.txt") } catch(err) { print(err) }
go
// Define a function whose first two parameters match those of the login function
def ldap_login(username, password) {
    // Exclude the super admin account, which does not use LDAP authentication
    if (username == "admin") {
        return [username, password]$ANY
    }
    // The dn of the entry that corresponds to the input username; it is also used to bind
    dn = "cn=" + username + ",dc=sample,dc=com"
    // Bind with that dn and the input password, then query the matching entry under the searchBase
    ret = LDAP::search("ldap://192.168.100.43", dn, password, "dc=sample,dc=com", "(cn=" + username + ")")
    // Note: The return value must be a vector of type ANY.
    // In this setup the entry's facsimileTelephoneNumber attribute holds the DolphinDB
    // username (e.g. admin) and its telephoneNumber attribute holds the DolphinDB password (e.g. 123456)
    return [ret[dn]["facsimileTelephoneNumber"], ret[dn]["telephoneNumber"]]$ANY
}
// Add the function view
addFunctionView(ldap_login)
Note:
- This view must be configured to be visible only to the admin account.
- This view should include logic to exclude users who do not require LDAP authentication (e.g., the super admin). For these users, the view can return the input username and password directly, or return an empty vector.
- The dn parameter of the search method should be constructed based on the username input.
- The password parameter of the search method should be based on the password input.
- The filter parameter of the search method should use the username input to filter and search for the specific user under the searchBase.
- The password actually checked is the one stored in LDAP. Any attribute value stored in the LDAP entry can serve as the DolphinDB password.
- To create a non-existent user, first log in as the super admin (refer to Note 2), create a new user, and then log in.
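The notes above derive both the bind dn and the filter from the username input. The following added Python example (not the plugin's DolphinDB code) shows the escaping that keeps that input a literal value when it is placed into an RDN (RFC 4514) and into a filter assertion value (RFC 4515), plus the attribute-to-credential mapping that the ldap_login view performs. The searchBase and attribute names follow the page; the username allowlist pattern, the function names and the constructed search result are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Added example, not the plugin's code: safe construction of the dn and filter that the
# ldap_login view derives from the username input, and the attribute -> credential mapping.
BASE_DN = "dc=sample,dc=com"  # searchBase used on this page
# Assumed allowlist for DolphinDB usernames, checked before the value reaches LDAP at all.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# RFC 4515: these characters must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '",+;<>\\':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:          # leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing spaces are significant
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(username: str) -> str:
    return "cn=" + escape_dn_value(username) + "," + BASE_DN


def build_filter(username: str) -> str:
    return "(cn=" + escape_filter_value(username) + ")"


def lookup_arguments(username: str) -> Tuple[str, str]:
    """dn and filter to hand to the search call, after the allowlist check."""
    if USERNAME_RE.fullmatch(username) is None:
        raise ValueError("username outside the allowed character set")
    return build_bind_dn(username), build_filter(username)


def dolphindb_credentials(username: str, search_result: Dict[str, Dict[str, str]]) -> List[str]:
    """Mapping performed by ldap_login: facsimileTelephoneNumber -> DolphinDB username,
    telephoneNumber -> DolphinDB password. Returns [] (the empty vector the notes allow)
    when the entry or either attribute is missing, instead of failing on the lookup."""
    entry = search_result.get(build_bind_dn(username))
    if entry is None:
        return []
    try:
        return [entry["facsimileTelephoneNumber"], entry["telephoneNumber"]]
    except KeyError:
        return []


if __name__ == "__main__":
    # Constructed search result in the shape LDAP::search returns
    result = {"cn=alice,dc=sample,dc=com": {
        "facsimileTelephoneNumber": "alice_db", "telephoneNumber": "s3cret"}}
    print(lookup_arguments("alice"))
    print(dolphindb_credentials("alice", result))
    print(build_filter("a*)(cn=*"))  # escaped, so it remains a single equality assertion
```

The allowlist is the first line of defence and the escaping the second: even if the allowlist is relaxed later, an escaped value such as `(cn=a\2a\29\28cn=\2a)` is still compared as one literal string by the server rather than parsed as filter syntax.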
3. Configure LDAP authentication on controller nodes
Shut down the cluster and modify the thirdPartyAuthenticator value in the controller.cfg file on all controller nodes to the function view ldap_login. For details of thirdPartyAuthenticator, refer to Reference.
preloadModules=plugins::LDAP
thirdPartyAuthenticator=ldap_login
4. Restart the cluster and log in with LDAP account
login("ldapadm", "DolphinDB123@3");