Table of content

What is LDAP?

LDAP (Lightweight Directory Access Protocol) is an open protocol used to store and retrieve data from a directory service. Usually, it stores information about the users within an organization in a hierarchical structure.

Here's a sample of an LDAP DIT:

We won't go in depth into technical details about LDAP, we just need to keep in mind some general terminologies that are important to understand while configuring an Elements Connect filed plugged to LDAP datasource.

• DIT (Directory Information Tree): Is the way we represent the data of our directory service (e.g. the tree shown previously in the screenshot).
• DC (Domain Component): It represents the top of the DIT (e.g. dc=planetexpress, dc=com)
• OU (Organizational UnitName): Is an object that organize other objects (or an object that groups users) based on their position, country, business unit, etc... (e.g. ou=people, ou=printers, ou=Developers).
• CN (Common Name): Is the object name (e.g. in case the object is a user, the CN is a user name. In case the object was a department, CN will be the department name).
• DN (Distinguished Name): Is a "string" that identifies an LDAP entry in the the DIT. To write it, we start from the bottom back to the root (e.g. for Amy Wong the DN is "cn=Amy Wong,ou=people,dc=planetexpress, dc=com").
• Attribute: This is where the data is stored in the LDAP (e.g. uid (user id), mail, department, employeeType, etc...)
• Entry: It's a collection of attributes under an entity to describe it and to provide more details about it (e.g. cn=Amy Wong).
• Filter: It is part of the LDAP search query, it will identify (restrict) which part of the DIT we need to search. 

What is an LDAP query?

An LDAP query is a command that asks the directory service for some information about users.

For an Elements Connect field plugged on an LDAP datasource, there's no special syntax (related to Connect) that needs to be followed; the LDAP query just needs to be valid.

Here's an example of an Elements Connect field connected to LDAP datasource:

And here's the LDAP query:

ou=people,dc=planetexpress,dc=com?uid,cn?sub?(objectClass=person)

• The first part "ou=people, dc=planetexpress, dc=com" is the DN and it specifies which part of the DIT the Connect field will query.
• When placing a question mark ? that means list of parameters will be mentioned.
• This query will return two attributes: uid (at position 0) and cn (at position 1).
  The field Key is set to 0 (uid attribute) and the Template is set on 1 (cn attribute).
• sub is an option which determines the search scope. When specified, the query will retrieve informations (attributes) about entires at all levels below the DN
• What is in parentheses (objectClass=person) is the filter and it will help us to add more context to our query to filter the retrieved data and get only entries where objectClass equals to "person".

The LDAP filter has usually the below syntax:

<Attribute><comparison operator><value>

Filter Operators

Comparison Operators

When we need more than one search condition (more than one filter); filters can combined using the boolean (logical) operators.

Boolean Operators

The boolean operators are always placed in front of the filter.

The search filter must be put in parentheses. If more than one filter are combined with boolean operation, then each filter is put in parentheses, and the whole term has to be in parentheses as well.

Special characters

If we need to search an attribute where the value includes a special character (*,(,),\,...), that character must be escaped by using the below format:

\code

Where the code is the 2 hexadecimal characters that represent the ASCII character.

Examples

Given the below LDAP structure:

Here are some examples on valid LDAP queries to be used in an Elements Connect field:

ou=people,dc=planetexpress,dc=com?uid,cn?sub?(cn=h*)

ou=people,dc=planetexpress,dc=com?uid,cn?sub?(CN=H*)

Do you still need support?

For more complicated queries, it's always recommended to check with the LDAP administrator.