LDAP

Syntax

search(server, dn, password, searchBase, filter, [attrs], [version=3], [searchScope], [saslMechanism])

Details

The method searches entries within the LDAP server, returning a dictionary with STRING keys and ANY values. Each dictionary key represents an entry's dn. Each dictionary value is a nested dictionary with keys and values both of STRING type, indicating the attributes and their values of the corresponding dn.

Parameters

• server: A STRING scalar indicating the LDAP server address, which must start with "ldap://".
• dn: A STRING scalar indicating the bound account. If authentication is not required, this should be an empty string.
• password: A STRING scalar indicating the password of the bound account. If authentication is not required, this should be an empty string.
• searchBase: A STRING scalar indicating the base for the query.
• filter: A STRING scalar indicating the query filter. If left empty, it queries all entries under the specified searchBase.
• attrs(optional): A STRING vector indicating the attribute field names to be queried. If not empty, only the attributes specified in this vector are queried. Special usage includes:
  • Entering + returns all operational attributes.
  • Entering * returns all user attributes.
  • Using @ filters the output to include only the attributes contained in the specified class.

For detailed descriptions of attrs, please refer to https://docs.ldap.com/ldap-sdk/docs/tool-usages/ldapsearch.html.

• version: A INT scalar indicating the LDAP protocol version. Possible values are 1, 2, or 3 (default).
• searchScope: A STRING scalar indicating the scope of the search. The default is LDAP_SCOPE_SUBTREE. Possible values include:
  • LDAP_SCOPE_BASE: Searches only the specified DN object itself, not including any sub-objects.
  • LDAP_SCOPE_ONELEVEL: Searches first-level sub-objects directly under the specified DN, excluding sub-objects of those sub-objects.
  • LDAP_SCOPE_SUBTREE: Searches all sub-objects and grandchild objects under the specified DN, including sub-objects of those sub-objects.
  • LDAP_SCOPE_SUBORDINATE: Searches only the direct sub-objects under the specified DN, excluding the specified DN itself and any of its grandchild objects.
• saslMechanism: A STRING scalar indicating the Simple Authentication and Security Layer (SASL) encryption method used when binding to the LDAP server. The default value is NULL, and only NULL is supported currently.

Examples

This example demonstrates how to log into an LDAP server located at ldap://localhost using the account cn=admin,dc=sample,dc=com. The query is conducted based on the base dc=sample,dc=com and filters entries that match (cn=admin).

ret = LDAP::search("ldap://localhost","cn=admin,dc=sample,dc=com", "password", "dc=sample,dc=com", "(cn=admin)")

Upload the attached plugin archive to the server and extract it to <DolphinDB_installation_directory>/plugins.

In the Web Interface, set the preloadModules value to plugins::LDAP in both the Controller Config and Nodes Config. If preloadModules has been previously configured, separate the existing values with a comma.

Input parameters:

• username: STRING type.
• password: STRING type.

Return Value：

ANY VECTOR type. The first element is the DolphinDB account username and the second element is the DolphinDB account password.

search method is required to connect to the LDAP Server to obtain the DolphinDB account username and password for login logic.

// Load the LDAP plugin
try { loadPlugin("plugins/LDAP/PluginLDAP.txt") } catch(err) { print(err) }
go

// Define a function with the same first two parameters as the login function
def ldap_login(username, password) {

    // Exclude the super admin account
    if (username == "admin") {
        return [username, password]$ANY
    }

    // Query entry based on input parameters
    ret = LDAP::search("ldap://192.168.100.43","cn=ldapadm,dc=sample,dc=com", password, "dc=sample,dc=com", "(cn=" + username + ")")

    // Find the entry with the same name
    dn = "cn=" + username + ",dc=sample,dc=com"

    // Note: The return value must be a vector of type ANY
    // Set the account's facsimileTelephoneNumber attribute to admin
    // add the telephoneNumber attribute to 123456
    return [ret[dn]["facsimileTelephoneNumber"], ret[dn]["telephoneNumber"]]$ANY
}

// Add the function view
addFunctionView(ldap_login)

Note:

1. This view must be configured to be visible only to the admin account.
2. This view should include logic to exclude users who do not require LDAP authentication (e.g., super admin). For these users, they can directly return the input username and password, or return an empty vector.
3. The dn parameter of the search method should be constructed based on the username input.
4. The password parameter of the search method should be based on the password input.
5. The filter parameter of the search method should use the username input to filter and search for the specific user under the searchBase.
6. The actual password used is the one stored in LDAP. Any fixed value from the LDAP attributes can be used as the DolphinDB password.
7. To create a non-existent user, first log in as the super admin (refer to Note 2), create a new user, and then log in.

Shut down the cluster and modify the thirdPartyAuthenticator value in the controller.cfg file on all controller nodes to the function view ldap_login. For details of thirdPartyAuthenticator, refer to Standalone Mode.

preloadModules=plugins::LDAP
thirdPartyAuthenticator=ldap_login

login("ldapadm", "DolphinDB123@3");