cfldap

Description

Provides an interface to a Lightweight Directory Access Protocol (LDAP) directory server, such as the Netscape Directory Server.

Syntax

<cfldap  
    action = "action" 
    server = "server name" 
    attributes = "attribute, attribute" 
    delimiter = "delimiter character" 
    dn = "distinguished name" 
    filter = "filter" 
    maxRows = "number" 
    modifyType = "replace|add|delete" 
    name = "name" 
    password = "password" 
    port = "port number" 
    rebind = "yes|no" 
    referral = "number of allowed hops" 
    returnAsBinary = "column name, column name" 
    scope = "scope" 
    secure = "multifield security string" 
    separator = "separator character" 
    sort = "attribute[, attribute]..." 
    sortControl = "nocase|desc|asc" 
    start = "distinguished name" 
    startRow = "row number" 
    timeout = "milliseconds" 
    username = "user name">
Note: You can specify this tag’s attributes in an attributeCollection attribute whose value is a structure. Specify the structure name in the attributeCollection attribute and use the tag’s attribute names as structure keys.

See also

cfftp, cfhttp, cfmail, cfmailparam, cfpop,Managing LDAP Directories in the Developing ColdFusion Applications

History

ColdFusion 8: Added the ability to use a comma as a delimiter when specifying a list of variables in the returnAsBinary attribute, for example, returnAsBinary="objectGUID,objectSID". Previously, the allowed delimiter was a space.

ColdFusion MX 7: Added the returnAsBinary attribute. Added SSL V2 client based authentication; this means that ColdFusion supports the CFSSL_CLIENT_AUTH option. If CFSSL_CLIENT_AUTH is selected, ColdFusion assumes that the first certificate in the cacerts (or the certificate database) contains the Client Certificate.

ColdFusion MX:

  • Changed the name attribute behavior: this tag validates the query name in the name attribute.

  • Changed sorting behavior: this tag does not support client-side sorting of query results. (It supports server-side sorting; use the sort and sortcontrol attributes.)

  • Changed how results are sorted: server-side sorting results might be sorted slightly differently than in ColdFusion 5. If you attempt a sort against a server that does not support it, ColdFusion MX throws an error.

  • Deprecated the filterConfig and filterFile attributes. They might not work, and might cause an error, in later releases.

Attributes

Attribute

Req/Opt

Default

Description

action

Required

query

  • query: returns LDAP entry information only. Requires name, start, and attributes attributes.

  • add: adds LDAP entries to LDAP server. Requires attributes attribute.

  • modify: modifies LDAP entries, except distinguished name dn attribute, on LDAP server. Requires dn. See modifyType attribute.

  • modifyDN: modifies distinguished name attribute for LDAP entries on LDAP server. Requires dn.

  • delete: deletes LDAP entries on an LDAP server. Requires dn.

server

Required

Host name or IP address of LDAP server.

attributes

Required if action="Query", "Add", "ModifyDN", or "Modify"

For queries: comma-delimited list of attributes to return. For queries, to get all attributes, specify "*".

If action="add"or"modify", you can specify a list of update columns. Separate attributes with a semicolon.

If action="ModifyDN", ColdFusion passes attributes to the LDAP server without syntax checking.

delimiter

Optional

; (semicolon)

Separator between attribute name-value pairs. Use this attribute if either of these situations exist:

  • The attributes attribute specifies more than one item.

  • An attribute contains the default delimiter (semicolon), for example: mgrpmsgrejecttext;lang-en

Used by query, add, and modify actions, and by cfldap to output multi-value attributes.

For example, if $ (dollar sign), you could specify "cn=DoubleTreeInn$street=1111Elm;Suite100, where the semicolon is part of the street value.

dn

Required if action="Add","Modify", "ModifyDN", or "delete"

Distinguished name, for update action, for example, "cn=BobJensen,o=AceIndustry,c=US"

filter

Optional

"objectclass = *"

Search criteria for action="query".

List attributes in the form: "(attributeoperatorvalue)" For example: "(sn=Smith)"

maxRows

Optional

Maximum number of entries for LDAP queries.

modifyType

Optional

replace

How to process an attribute in a multi-value list:

  • add: appends it to any attributes.

  • delete: deletes it from the set of attributes.

  • replace: replaces it with specified attributes.

You cannot add an attribute that is already present or that is empty.

name

Required if action="Query"

Name of LDAP query. The tag validates the value.

password

Required if secure="CFSSL_BASIC"

Password that corresponds to user name.

If secure ="CFSSL_BASIC", V2 encrypts the password before transmission.

port

Optional

389

Port.

rebind

Optional

no

  • yes: attempts to rebind referral callback and reissue query by referred address using original credentials.

  • no: referred connections are anonymous.

referral

Optional

Integer. Number of hops allowed in a referral. A value of 0 disables referred addresses for LDAP; no data is returned.

returnAsBinary

Optional

A space-delimited list of columns that are to be returned as binary values.

scope

Optional

oneLevel

Scope of search, from entry specified in start attribute for action="Query".

  • oneLevel: entries one level below entry.

  • base: only the entry.

  • subtree: entry and all levels below it.

secure

Optional

Security to employ, and required information. If you specify this attribute, its value must be CFSSL_BASIC, which provides V2 SSL encryption and server authentication.

separator

Optional

, (comma)

Delimiter to separate attribute values of multi-value attributes. Used by query, add, and modify actions, and by cfldap to output multi-value attributes.

For example, if $ (dollar sign), the attributes attribute could be "objectclass=top$person", where the first value of objectclass is top, and the second value is person. This avoids confusion if values include commas.

sort

Optional

Attributes by which to sort query results. Use a comma delimiter.

sortControl

Optional

asc

  • nocase: case-insensitive sort.

  • asc: ascending (a to z) case-sensitive sort.

  • desc: descending (z to a) case-sensitive sort.

You can enter a combination of sort types; for example, sortControl="nocase,asc".

start

Required if action="Query"

Distinguished name of entry to be used to start a search.

startRow

Optional

1

Used with action="query". First row of LDAP query to insert into a ColdFusion query.

timeout

Optional

60000

Maximum length of time, in milliseconds, to wait for LDAP processing.

username

Required if secure="CFSSL_BASIC"

(anonymous)

User ID.

Usage

If you use the query action, cfldap creates a query object, allowing access to information in the query variables, as follows:

Variable name

Description

queryname.recordCount

Number of records returned by query

queryname.currentRow

Current row of query that cfoutput is processing

queryname.columnList

Column names in query

If you use the security="CFSSL_BASIC" option, ColdFusion determines whether to trust the server by comparing the server’s certificate with the information in the jre/lib/security/cacerts keystore of the JRE used by ColdFusion. The ColdFusion default cacerts file contains information about many certificate granting authorities. If you must update the file with additional information, you can use the keytool utility in the ColdFusion jre/bin directory to import certificates that are in X.509 format. For example, enter the following:

keytool -import -keystore cacerts -alias ldap -file ldap.crt -keypass bl19mq

Then restart ColdFusion. The keytool utility initial keypass password is “change it”. For more information on using the keytool utility, see the Sun JDK documentation.

Characters that are illegal in ColdFusion can be used in LDAP attribute names. As a result, the cfldap tag could create columns in the query result set whose names contain illegal characters and are, therefore, inaccessible in CFML. In ColdFusion, illegal characters are automatically mapped to the underscore character; therefore, column names in the query result set might not exactly match the names of the LDAP attributes.

For usage examples, see the Developing ColdFusion Applications.

Example

<h3>cfldap Example</h3> 
<p>Provides an interface to LDAP directory servers. The example uses the  
University of Connecticut public LDAP server. For more public LDAP servers, 
see <a href="http://www.emailman.com">http://www.emailman.com</a>.</p> 
<p>Enter a name and search the public LDAP resource.  
An asterisk before or after the name acts as a wildcard.</p> 
<!--- If form.name exists, the form was submitted; run the query. ---> 
<cfif IsDefined("form.name")> 
    <!--- Check to see that there is a name listed. ---> 
    <cfif form.name is not ""> 
        <!--- Make the LDAP query. ---> 
        <cfldap  
             server = "ldap.uconn.edu" 
             action = "query" 
             name = "results" 
             start = "dc=uconn,dc=edu" 
             filter = "cn=#name#" 
             attributes = "cn,o,title,mail,telephonenumber" 
             sort = "cn ASC"> 
        <!--- Display results. ---> 
        <center> 
        <table border = 0 cellspacing = 2 cellpadding = 2> 
            <tr> 
                <th colspan = 5> 
                    <cfoutput>#results.recordCount# matches found </cfoutput></TH> 
            </tr> 
            <tr> 
                <th><font size = "-2">Name</font></TH> 
                <th><font size = "-2">Organization</font></TH> 
                <th><font size = "-2">Title</font></TH> 
                <th><font size = "-2">E-Mail</font></TH> 
                <th><font size = "-2">Phone</font></TH> 
            </tr> 
            <cfoutput query = "results"> 
                <tr> 
                    <td><font size = "-2">#cn#</font></td> 
                    <td><font size = "-2">#o#</font></td> 
                    <td><font size = "-2">#title#</font></td> 
                    <td><font size = "-2"> 
                        <A href = "mailto:#mail#">#mail#</A></font></td> 
                    <td><font size = "-2">#telephonenumber#</font></td> 
                </tr> 
            </cfoutput> 
            </table> 
            </center> 
        </cfif> 
</cfif> 
 
<form action="#cgi.script_name#" method="POST"> 
    <p>Enter a name to search in the database.</p> 
    <input type="Text" name="name"> 
    <input type="Submit" value="Search" name=""> 
</form>