Orbeon Forms User Guide

LDAP Processor

1. Introduction

The LDAP Processor allows Orbeon Forms to query an LDAP directory server. The LDAP Processor uses the Java Naming and Directory Interface (JNDI) and should work with all compatible servers. However, it has only been tested with Sun ONE Directory Server and OpenLDAP.

2. Usage

You instantiate the LDAP Processor with the processor URI oxf/processor/ldap. The Processor takes two inputs, config and filter, and one output, data.

2.1. Configuration

The configuration of the LDAP Processor can be done in two ways: either system-wide via the Properties, or locally for a specific instance of the processor through the config input. The local configuration takes precedence if available.

Note

The root-dn and attribute configuration elements cannot be specified system-wide.

2.1.1. config Input

The config input document specifies the host name and port number of the LDAP server, as well as the credentials to use when connecting. The following table describes the configuration elements.

Name        Description
host        LDAP Server Host
port        LDAP Server Port Number
protocol    Protocol to connect to the server, e.g. SSL
bind-dn     Distinguished Name to authenticate with the server
password    Password to authenticate with the server
root-dn     Root DN to bind to.
attribute   LDAP attributes to include in the LDAP response. If no attribute is specified, all returned attributes are included.

This RelaxNG schema describes the expected document.

<element name="config" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes" xmlns="http://relaxng.org/ns/structure/1.0">
    <interleave>
        <optional>
            <element name="host">
                <data type="string"/>
            </element>
        </optional>
        <optional>
            <element name="port">
                <data type="integer"/>
            </element>
        </optional>
        <optional>
            <element name="bind-dn">
                <data type="string"/>
            </element>
        </optional>
        <optional>
            <element name="password">
                <data type="string"/>
            </element>
        </optional>
        <element name="root-dn">
            <data type="string"/>
        </element>
        <optional>
            <element name="protocol">
                <data type="string"/>
            </element>
        </optional>
        <zeroOrMore>
            <element name="attribute">
                <data type="string"/>
            </element>
        </zeroOrMore>
    </interleave>
</element>

2.1.2. System-Wide Configuration

The LDAP Processor can be configured through the Properties, allowing all instances to share the same configuration. The following properties are allowed:

Name                          Description
oxf.processor.ldap.host       LDAP Server Host
oxf.processor.ldap.port       LDAP Server Port Number
oxf.processor.ldap.protocol   Protocol to connect to the server, e.g. SSL
oxf.processor.ldap.bind-dn    Distinguished Name to authenticate with the server
oxf.processor.ldap.password   Password to authenticate with the server

2.2. Query

The filter input takes the LDAP query sent to the server. The single filter element contains a query string that follows the standard LDAP filter syntax specified in RFC 2254.

<element name="filter" datatypeLibrary="http://www.w3.org/2001/XMLSchema-datatypes" xmlns="http://relaxng.org/ns/structure/1.0">
    <data type="string"/>
</element>
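
An added example, not part of the Orbeon Forms documentation: when the value in a filter such as (uid=12345) comes from request data, RFC 2254 section 4 requires the characters *, (, ), \ and NUL in that value to be written as backslash-hex escapes, and the finished filter string must also be XML-escaped before it is placed in the filter element. The class and method names are hypothetical, and restricting attribute names to letters, digits and hyphens is an assumption of this sketch.

```java
public class LdapFilterInput {

    // Escape an assertion value as required by RFC 2254, section 4.
    static String escapeValue(String value) {
        StringBuilder out = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Escape text for use as XML element content ("&" is also the LDAP AND operator).
    static String xmlText(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    // Build the document for the processor's filter input: (attribute=value).
    static String filterInput(String attribute, String value) {
        // Assumption: the application only uses plain attribute names; reject anything else.
        if (!attribute.matches("[A-Za-z][A-Za-z0-9-]*")) {
            throw new IllegalArgumentException("invalid attribute name: " + attribute);
        }
        String filter = "(" + attribute + "=" + escapeValue(value) + ")";
        return "<filter>" + xmlText(filter) + "</filter>";
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from the documentation.
        System.out.println(filterInput("uid", "12345"));
        System.out.println(filterInput("cn", "Smith (R&D) *"));
    }
}
```

If the filter document is built with an XML API or XSLT instead of string concatenation, the XML escaping step is handled by the serializer and only the RFC 2254 escaping remains.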

2.3. Response

The LDAP processor outputs the query results in its data output. The resulting document looks like the example below:

<results>
    <result>
        <name>cn=John Smith</name>
        <attribute>
            <name>sn</name>
            <value>Smith</value>
        </attribute>
        [...]
    </result>
    [...]
</results>

3. Example

The following example shows a basic LDAP query. The LDAP Processor connects to an LDAP server on the same machine using the administrator account to log in. It then queries the server for objects containing a uid attribute with the 12345 value. Only the cn and description attributes are returned.

<p:processor name="oxf:ldap">
    <p:input name="config">
        <config>
            <host>localhost</host>
            <port>389</port>
            <bind-dn>cn=Directory Manager</bind-dn>
            <password>abcdef</password>
            <root-dn>o=Company.com</root-dn>
            <attribute>cn</attribute>
            <attribute>description</attribute>
        </config>
    </p:input>
    <p:input name="filter">
        <filter>(uid=12345)</filter>
    </p:input>
    <p:output name="data" id="ldap-results"/>
</p:processor>