Module ldap
ballerina/ldap Ballerina library
1.1.0
Overview
LDAP (Lightweight Directory Access Protocol) is a vendor-neutral software protocol for accessing and maintaining distributed directory information services. It allows users to locate organizations, individuals, and other resources such as files and devices in a network. LDAP is used in various applications for directory-based authentication and authorization.
The Ballerina LDAP module provides the capability to efficiently connect, authenticate, and interact with directory servers. It allows users to perform operations such as searching for entries, and modifying entries in an LDAP directory, providing better support for directory-based operations.
Client
The ldap:Client connects to a directory server and performs various operations on directories. Currently, it supports the generic LDAP operations; add, modify, modifyDN, compare, search, searchWithType, delete, and close.
Instantiate a new LDAP client
import ballerina/ldap; public function main() returns error? { ldap:Client ldapClient = check new ({ hostName, port, domainName, password }); }
Remote methods in ldap:Client
- add: Creates an entry in a directory server.
- modify: Updates information of an entry in a directory server.
- modifyDN: Renames an entry in a directory server.
- compare: Determines whether a given entry has a specified attribute value.
- search: Returns a record containing search result entries and references that match the given search parameters.
- searchWithType: Returns a list of entries that match the given search parameters.
- delete: Removes an entry from a directory server.
- close: Unbinds from the server and closes the LDAP connection.
Add a new entry in the directory server
Creates an entry in a directory server.
anydata user = { "objectClass": "user", "sn": "New User", "cn": "New User", "givenName": "New User", "displayName": "New User", "userPrincipalName": "newuser@ad.windows", "userAccountControl": "544" }; ldap:LdapResponse addResult = check ldapClient->add("DC=ldap,DC=com", user);
Search for an entry in the directory server
Returns a record containing search result entries and references that match the given search parameters.
ldap:SearchResult searchResult = check ldapClient->search("DC=ldap,DC=com", "(givenName=Test User1)", ldap:SUB);
Modify a new entry in the directory server
Updates information of an entry.
anydata user = { "sn": "User", "givenName": "Updated User", "displayName": "Updated User" }; ldap:LdapResponse modifyResult = check ldapClient->modify("DC=ldap,DC=com", user);
Delete an entry in the directory server
Removes an entry from a directory server.
ldap:LdapResponse deleteResult = check ldapClient->delete("DC=ldap,DC=com");
Examples
The Ballerina Ldap library provides practical examples illustrating usage in various scenarios. Explore these examples.
-
Access directory server This example shows how to integrate with a directory server to manage employees in a corporation.
-
Manage entries in a library This example demonstrates how to integrate with a directory server for managing users and books in a library.
Clients
ldap: Client
Isolated
Consists of APIs to integrate with LDAP.
Constructor
Gets invoked to initialize the LDAP client.
init (*ConnectionConfig config)- config *ConnectionConfig - The configurations to be used when initializing the client
add
Isolated FunctionRemote Function
function add(string dN, Entry entry) returns LdapResponse|ErrorCreates an entry in a directory server.
anydata user = { "objectClass": "user", "sn": "New User", "cn": "New User" }; ldap:LdapResponse result = check ldapClient->add(userDN, user);
Return Type
- LdapResponse|Error - A
ldap:Errorif the operation fails orldap:LdapResponseif successfully created
delete
Isolated FunctionRemote Function
function delete(string dN) returns LdapResponse|ErrorRemoves an entry in a directory server.
ldap:LdapResponse result = check ldapClient->delete(userDN);
Parameters
- dN string - The distinguished name of the entry to remove
Return Type
- LdapResponse|Error - A
ldap:Errorif the operation fails orldap:LdapResponseif successfully removed
modify
Isolated FunctionRemote Function
function modify(string dN, Entry entry) returns LdapResponse|ErrorUpdates information of an entry.
anydata user = { "sn": "User", "givenName": "Updated User", "displayName": "Updated User" }; ldap:LdapResponse result = check ldapClient->modify(userDN, user);
Return Type
- LdapResponse|Error - A
ldap:Errorif the operation fails orLdapResponseif successfully updated
modifyDn
Isolated FunctionRemote Function
function modifyDn(string currentDn, string newRdn, boolean deleteOldRdn) returns LdapResponse|ErrorRenames an entry in a directory server.
ldap:LdapResponse modifyDN = check ldapClient->modifyDn(userDN, "CN=Test User2", true);
Parameters
- currentDn string - The current distinguished name of the entry
- newRdn string - The new relative distinguished name
- deleteOldRdn boolean (default false) - A boolean value to determine whether to delete the old RDN
Return Type
- LdapResponse|Error - A
ldap:Errorif the operation fails orldap:LdapResponseif successfully renamed
compare
Isolated FunctionRemote Function
Determines whether a given entry has a specified attribute value.
boolean compare = check ldapClient->compare(userDN, "givenName", "New User");
Parameters
- dN string - The distinguished name of the entry
- attributeName string - The name of the target attribute for which the comparison is to be performed
- assertionValue string - The assertion value to verify within the entry
Return Type
getEntry
Isolated FunctionRemote Function
Gets information of an entry.
anydata value = check ldapClient->getEntry(userDN);
Parameters
- dN string - The distinguished name of the entry
- targetType typedesc<anydata> (default <>) - Default parameter use to infer the user specified type
Return Type
- targetType|Error - An entry result with the given type or else
ldap:Error
searchWithType
Isolated FunctionRemote Function
function searchWithType(string baseDn, string filter, SearchScope scope, typedesc<record {}[]> targetType) returns targetType|ErrorReturns a list of entries that match the given search parameters.
anydata[] value = check ldapClient->searchWithType("DC=ldap,DC=com", "(givenName=New User)", ldap:SUB);
Parameters
- baseDn string - The base distinguished name of the entry
- filter string - The filter to be used in the search
- scope SearchScope - The scope of the search
- targetType typedesc<record {}[]> (default <>) - Default parameter use to infer the user specified type
Return Type
- targetType|Error - An array of entries with the given type or else
ldap:Error
search
Isolated FunctionRemote Function
function search(string baseDn, string filter, SearchScope scope) returns SearchResult|ErrorReturns a record containing search result entries and references that match the given search parameters.
ldap:SearchResult value = check ldapClient->search("DC=ldap,DC=windows", "(givenName=New User)", ldap:SUB);
Parameters
- baseDn string - The base distinguished name of the entry
- filter string - The filter to be used in the search
- scope SearchScope - The scope of the search
Return Type
- SearchResult|Error - An
ldap:SearchResultif successful, or elseldap:Error
close
Isolated FunctionRemote Function
function close()Unbinds from the server and closes the LDAP connection.
ldapClient->close();
isConnected
Isolated FunctionRemote Function
function isConnected() returns booleanDetermines whether the client is connected to the server.
boolean isConnected = ldapClient->isConnected();
Return Type
- boolean - A boolean value indicating the connection status
Enums
ldap: ObjectClass
Standard values for ObjectClass attribute type.
Members
top
person
organizationalPerson
inetOrgPerson
organizationalRole
groupOfNames
groupOfUniqueNames
country
locality
organization
organizationalUnit
domainComponent
dcObject
ldap: SearchScope
Scope of the search operation.
Members
BASE - Indicates that only the entry specified by the base DN should be considered
ONE - Indicates that only entries that are immediate subordinates of the entry specified by the base DN (but not the base entry itself) should be considered
SUB - Indicates that the base entry itself and any subordinate entries (to any depth) should be considered
SUBORDINATE_SUBTREE - Indicates that any subordinate entries (to any depth) below the entry specified by the base DN should be considered, but the base entry itself should not be considered, as described in draft-sermersheim-ldap-subordinate-scope
ldap: Status
Represents the status of the operation
Members
SUCCESS - The operation was successful
OPERATIONS_ERROR - The operation failed due to an unexpected order relative to other operations on the same connection
PROTOCOL_ERROR - Represents the LDAP protocol error
TIME_LIMIT_EXCEEDED - Represents the time limit exceeded error
SIZE_LIMIT_EXCEEDED - Represents the error for exceeding the upper bound for the number of response entries
COMPARE_FALSE - Entry exists, attribute found, but no matching value
COMPARE_TRUE - Entry exists, attribute found, and matched the provided value
AUTH_METHOD_NOT_SUPPORTED - Represents the error for unsupported or disallowed authentication mechanism
STRONGER_AUTH_REQUIRED - Requires a stronger form of authentication
REFERRAL - The request can't be processed as issued. Try a different server or update the target location in the DIT
ADMIN_LIMIT_EXCEEDED - Administrative limit exceeded
UNAVAILABLE_CRITICAL_EXTENSION - Critical control could not be fulfilled
CONFIDENTIALITY_REQUIRED - The server requires a secure connection to process the requested operation
SASL_BIND_IN_PROGRESS - The server has completed a portion of the processing for the provided SASL bind request,
but that it needs additional information from the client to complete the authentication
NO_SUCH_ATTRIBUTE - Attribute that does not exist in the specified entry
UNDEFINED_ATTRIBUTE_TYPE - The request attempted to provide one or more values for an attribute type that is not defined in the server schema
INAPPROPRIATE_MATCHING - The search request attempted a type of matching that is not supported for the specified attribute type
CONSTRAINT_VIOLATION - The requested operation would have resulted in an entry that violates some constraint defined within the server
ATTRIBUTE_OR_VALUE_EXISTS - The requested operation would have resulted in an attribute in which the same value appeared more than once
INVALID_ATTRIBUTE_SYNTAX - The requested operation would have resulted in an entry that had at least one attribute value
that does not conform to the constraints of the associated attribute syntax.
NO_SUCH_OBJECT - The requested operation targeted an entry that does not exist within the DIT (Directory Information Tree).
ALIAS_PROBLEM - Error occurred while attempting to dereference an alias during search processing
INVALID_DN_SYNTAX - The request included a malformed entry DN
ALIAS_DEREFERENCING_PROBLEM - The server encountered an alias while processing the request and that there was some problem related to that alias.
INAPPROPRIATE_AUTHENTICATION - Attempt to bind in an inappropriate manner that is inappropriate for the target account
INVALID_CREDENTIALS - Attempt to bind with a set of credentials that cannot be used to authenticate
INSUFFICIENT_ACCESS_RIGHTS - Requested operation does not have the necessary access control permissions
BUSY - The requested operation cannot be processed because the server is currently too busy
UNAVAILABLE - The server is currently not available to process the requested operation
UNWILLING_TO_PERFORM - The server is not willing to process the requested operation for some reason
LOOP_DETECT - The server detected some kind of circular reference in the course of processing an operation
NAMING_VIOLATION - The requested operation would have resulted in an entry that violates some naming constraint within the server
OBJECT_CLASS_VIOLATION - The requested operation would have resulted in an entry that has an inappropriate set of object classes,
or whose attributes violate the constraints associated with its set of object classes
NOT_ALLOWED_ON_NON_LEAF - The requested operation is only supported for leaf entries, but the targeted entry has one or more subordinates
NOT_ALLOWED_ON_RDN - the requested modify operation would have resulted in an entry that does not include all of the attributes used in its RDN
ENTRY_ALREADY_EXISTS - The requested operation would have resulted in an entry with the same DN as an entry that already exists in the server
OBJECT_CLASS_MODS_PROHIBITED - The requested modify operation would have altered the target entry’s set of object classes in a way that is not supported
AFFECTS_MULTIPLE_DSAS - The requested operation would have required manipulating information in multiple servers in a way that is not supported
OTHER - Represents other errors.
Records
ldap: ClientSecureSocket
Closed record
Provides configurations for facilitating secure communication with a remote ldap server.
Fields
- enable boolean(default true) - Enable SSL validation
- cert? TrustStore|string - Configurations associated with
crypto:TrustStoreor single certificate file that the client trusts
- verifyHostName boolean(default true) - Enable/disable host name verification
- tlsVersions string[](default []) - The TLS versions to be used
ldap: ConnectionConfig
Closed record
Provides a set of configurations to connect with a directory server.
Fields
- hostName string - The host name of the Active Directory server
- port int - The port of the Active Directory server
- domainName string - The domain name of the Active Directory
- password string - The password of the Active Directory
- clientSecureSocket? ClientSecureSocket - Client secure socket configurations
ldap: Control
Closed record
LDAP control type.
Fields
- oid string - The OID of the control
- isCritical boolean - The criticality of the control
- value string - The value of the control
ldap: DcObject
A record for an entry to contain domain component information
Fields
- dc string - name of the domain component
ldap: Entry
LDAP entry type.
Fields
- AttributeType... - Rest field
ldap: ErrorDetails
Closed record
The error details type for the Ballerina LDAP module.
Fields
- resultCode? string - The status of the error
ldap: LdapResponse
Closed record
LDAP response type.
Fields
- matchedDN string? - The matched DN from the response
- resultCode Status - The operation status of the response
- diagnosticMessage string? - The diagnostic message from the response
- operationType string? - The protocol operation type
- referral string[]? - The referral URIs
ldap: Person
A record for an entry that represents a person.
Fields
- objectClass? string|string[]|ObjectClass|ObjectClass[] - object class of the person
- sn? string - surname of the person
- cn? string - common name of the person
- userPassword? string - password of the person
- telephoneNumber? string - telephone number of the person
ldap: SearchReference
Closed record
LDAP search reference type.
Fields
- messageId int - The message ID
- uris string[] - The referral URIs
- controls Control[] - The controls
ldap: SearchResult
Closed record
LDAP search result type.
Fields
- resultCode Status - The result status of the response
- searchReferences? SearchReference[] - search references
- entries? Entry[] - The entries returned from the search
Errors
ldap: Error
Distinct
Represents any error related to Ballerina LDAP module