
cfldap

Provides an interface to a Lightweight Directory Access Protocol (LDAP) directory server, such as the Netscape Directory Server.

Category: Forms tags, Internet Protocol tags

<cfldap 
server = "server_name"
port = "port_number"
username = "name"
password = "password"
action = "action"
name = "name"
timeout = "seconds"
maxRows = "number"
start = "distinguished_name"
scope = "scope"
attributes = "attribute, attribute"
filter = "filter"
sort = "attribute[, attribute]..."
sortControl = "nocase" and/or "desc" or "asc"
dn = "distinguished_name"
startRow = "row_number"
modifyType = "replace" or "add" or "delete"
rebind = "Yes" or "No"
referral = "number_of_allowed_hops"
secure = "multi_field_security_string"
separator = "separator_character"
delimiter = "delimiter_character">

See also: cfftp, cfhttp, cfmail, cfmailparam, cfpop, Managing LDAP Directories in Developing ColdFusion MX Applications

ColdFusion MX:

Attributes (requirement; default):

server (Required)
Host name or IP address of the LDAP server.

port (Optional; default 389)
Port number on the LDAP server.

username (Required if secure = "CFSSL_BASIC"; default: anonymous)
User ID used to bind to the server.

password (Required if secure = "CFSSL_BASIC")
Password that corresponds to the user name. If secure = "CFSSL_BASIC", V2 encrypts the password before transmission.

action (Optional; default query)
  • query: returns LDAP entry information only. Requires the name, start, and attributes attributes.
  • add: adds LDAP entries to the LDAP server. Requires the attributes attribute.
  • modify: modifies LDAP entries, except the distinguished name (dn attribute), on the LDAP server. Requires dn. See the modifyType attribute.
  • modifyDN: modifies the distinguished name attribute for LDAP entries on the LDAP server. Requires dn.
  • delete: deletes LDAP entries on the LDAP server. Requires dn.

name (Required if action = "Query")
Name of the LDAP query. The tag validates the value.

timeout (Optional; default 60)
Maximum length of time, in seconds, to wait for LDAP processing.

maxRows (Optional)
Maximum number of entries returned for LDAP queries.

start (Required if action = "Query")
Distinguished name of the entry at which to start a search.

scope (Optional; default oneLevel)
Scope of the search, from the entry specified in the start attribute, for action = "Query".
  • oneLevel: entries one level below the entry.
  • base: only the entry.
  • subtree: the entry and all levels below it.

attributes (Required if action = "Query", "Add", "ModifyDN", or "Modify")
For queries: comma-delimited list of attributes to return; to get all attributes, specify "*".
If action = "add" or "modify", you can specify a list of update columns. Separate attributes with a semicolon.
If action = "ModifyDN", ColdFusion passes attributes to the LDAP server without syntax checking.

filter (Optional; default "objectclass = *")
Search criteria for action = "query". List attributes in the form "(attribute operator value)". Example: "(sn = Smith)"

sort (Optional)
Attribute(s) by which to sort query results. Use a comma delimiter.

sortControl (Optional; default asc)
  • nocase: case-insensitive sort
  • asc: ascending (a to z) case-sensitive sort
  • desc: descending (z to a) case-sensitive sort
You can enter a combination of sort types; for example, sortControl = "nocase, asc".

dn (Required if action = "Add", "Modify", "ModifyDN", or "delete")
Distinguished name, for the update actions. Example: "cn = Bob Jensen, o = Ace Industry, c = US"

startRow (Optional)
Used with action = "query". First row of the LDAP query to insert into the ColdFusion query.

modifyType (Optional; default replace)
How to process an attribute in a multi-value list.
  • add: appends it to any existing attributes
  • delete: deletes it from the set of attributes
  • replace: replaces it with the specified attributes
You cannot add an attribute that is already present or that is empty.

rebind (Optional; default No)
  • Yes: attempt to rebind the referral callback and reissue the query at the referred address using the original credentials.
  • No: referred connections are anonymous.

referral (Optional)
Integer. Number of hops allowed in a referral. A value of 0 disables referred addresses for LDAP; no data is returned.

secure (Optional)
Security to employ, and required information. One option:
  • CFSSL_BASIC: provides V2 SSL encryption and server authentication.

separator (Optional; default , [comma])
Delimiter that separates the values of multi-value attributes. Used by the query, add, and modify actions, and by cfldap to output multi-value attributes.
For example, with separator = "$", the attributes attribute could be "objectclass = top$person", where the first value of objectclass is top and the second value is person. This avoids confusion if values include commas.

delimiter (Optional; default ; [semicolon])
Separator between attribute name-value pairs. Use this attribute if:
  • the attributes attribute specifies more than one item, or
  • an attribute contains the default delimiter (semicolon). For example: mgrpmsgrejecttext;lang-en
Used by the query, add, and modify actions, and by cfldap to output multi-value attributes.
For example, with delimiter = "$", you could specify "cn = Double Tree Inn$street = 1111 Elm; Suite 100", where the semicolon is part of the street value.
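The separator and delimiter attributes together on an add, a modify and a read-back, as an added example that is not part of the original reference page. The server name, the bind DN, the entry DN and the values are placeholders, and the bind password is assumed to be held in the application scope rather than written into the page:

```cfml
<!--- Add an organization entry. With separator="$" the two objectclass values are
      written as top$organization; with delimiter="|" the semicolon inside the
      street value is ordinary data rather than a pair separator. --->
<cfldap action="add"
    server="ldap.example.com"
    username="cn=Directory Manager"
    password="#application.ldapAdminPassword#"
    dn="o=Double Tree Inn,c=US"
    attributes="objectclass=top$organization|o=Double Tree Inn|street=1111 Elm; Suite 100|telephonenumber=+1 555 0100"
    separator="$"
    delimiter="|">

<!--- Append a second telephone number. modifyType="add" keeps the existing value;
      the default modifyType="replace" would overwrite it. --->
<cfldap action="modify"
    modifyType="add"
    server="ldap.example.com"
    username="cn=Directory Manager"
    password="#application.ldapAdminPassword#"
    dn="o=Double Tree Inn,c=US"
    attributes="telephonenumber=+1 555 0199"
    separator="$"
    delimiter="|">

<!--- Read the entry back: multi-value attributes come out joined with the separator --->
<cfldap action="query"
    name="checkEntry"
    server="ldap.example.com"
    start="o=Double Tree Inn,c=US"
    scope="base"
    filter="(objectclass=*)"
    attributes="o,street,telephonenumber"
    separator="$"
    delimiter="|"
    timeout="30">

<cfoutput>
    <!--- telephonenumber now reads "+1 555 0100$+1 555 0199"; split it on the separator --->
    <cfloop list="#checkEntry.telephonenumber#" delimiters="$" index="phone">
        #HTMLEditFormat(phone)#<br>
    </cfloop>
</cfoutput>
```

The same separator and delimiter values are passed on every call so that what was written with one pair of characters is read back with the same pair; mixing them between the add and the query would split the values in the wrong places.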

If you use the query action, cfldap creates a query object, allowing access to information in the query variables, as follows:

  • queryname.recordCount: number of records returned by the query
  • queryname.currentRow: current row of the query that cfoutput is processing
  • queryname.columnList: column names in the query

If you use the secure="CFSSL_BASIC" option, ColdFusion determines whether to trust the server by comparing the server's certificate with the information in the jre/lib/security/cacerts keystore of the JRE used by ColdFusion MX. The ColdFusion MX default cacerts file contains information about many certificate authorities. If you must update the file with additional information, you can use the keytool utility in the ColdFusion jre/bin directory to import certificates that are in X.509 format. For example, enter the following:

keytool -import -keystore cacerts -alias ldap -file ldap.crt -storepass changeit

Then restart ColdFusion MX. The initial keystore password of the cacerts file (the -storepass value) is "changeit". For more information on using the keytool utility, see the Sun JDK documentation.

Characters that are illegal in ColdFusion can be used in LDAP attribute names. As a result, the cfldap tag could create columns in the query result set whose names contain illegal characters and are, therefore, inaccessible in CFML. In ColdFusion, illegal characters are automatically mapped to the underscore character; therefore, column names in the query result set might not exactly match the names of the LDAP attributes.

For usage examples, see Developing ColdFusion MX Applications.

<h3>cfldap Example</h3>
<p>Provides an interface to LDAP directory servers. The example uses the 
University of Connecticut public LDAP server. For more public LDAP servers,
see <a href="http://www.emailman.com">http://www.emailman.com</a>.</p>
<p>Enter a name and search the public LDAP resource. 
An asterisk before or after the name acts as a wildcard.</p>
<!--- If form.name exists, the form was submitted; run the query --->
<cfif IsDefined("form.name")>
   <!--- check that a name was entered --->
   <cfif form.name is not "">
      <!--- make the LDAP query; the filter is parenthesized as the filter
            attribute requires, and the form value is passed through unchanged
            so that the user's leading or trailing asterisk acts as a wildcard --->
      <cfldap 
          server = "ldap.uconn.edu"
          action = "query"
          name = "results"
          start = "dc=uconn,dc=edu"
          filter = "(cn=#form.name#)"
          attributes = "cn,o,title,mail,telephonenumber"
          sort = "cn"
          sortControl = "asc">
      <!--- Display results --->
      <center>
      <table border = 0 cellspacing = 2 cellpadding = 2>
         <tr>
            <th colspan = 5>
               <cfoutput>#results.recordCount# matches found
               </cfoutput></th>
         </tr>
         <tr>
            <th><font size = "-2">Name</font></th>
            <th><font size = "-2">Organization</font></th>
            <th><font size = "-2">Title</font></th>
            <th><font size = "-2">E-Mail</font></th>
            <th><font size = "-2">Phone</font></th>
         </tr>
         <cfoutput query = "results">
            <tr>
               <td><font size = "-2">#cn#</font></td>
               <td><font size = "-2">#o#</font></td>
               <td><font size = "-2">#title#</font></td>
               <td><font size = "-2">
                  <a href = "mailto:#mail#">#mail#</a></font></td>
               <td><font size = "-2">#telephonenumber#</font></td>
            </tr>
         </cfoutput>
         </table>
         </center>
      </cfif>
</cfif>

<!--- cgi.script_name is only evaluated inside cfoutput --->
<cfoutput>
<form action="#cgi.script_name#" method="POST">
<p>Enter a name to search in the database.</p>
<p>
<input type="Text" name="name">
<input type="Submit" value="Search" name="">
</p>
</form>
</cfoutput>
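A hardened variant of the search above, added here as an example and not part of Macromedia's reference page. The form value is inserted into the filter only after being escaped per RFC 4515, so a user cannot change the filter's structure; only a leading or trailing asterisk is honored as a wildcard, and a bare wildcard that would enumerate the whole directory is refused. The server name and base DN are placeholders, and ldapEscapeValue is a helper defined here, not a built-in ColdFusion function:

```cfml
<cfscript>
// Escape one filter value per RFC 4515 (assumed helper, not a built-in function).
// Backslash is handled first so the escapes it produces are not escaped again.
function ldapEscapeValue(value) {
    var out = value;
    out = Replace(out, "\", "\5c", "all");
    out = Replace(out, "*", "\2a", "all");
    out = Replace(out, "(", "\28", "all");
    out = Replace(out, ")", "\29", "all");
    out = Replace(out, Chr(0), "\00", "all");
    return out;
}
</cfscript>

<cfif IsDefined("form.name") AND Len(Trim(form.name))>
    <cfset rawName = Trim(form.name)>
    <!--- Remember whether the user asked for a wildcard at either end, then strip them --->
    <cfset leadWild = Left(rawName, 1) EQ "*">
    <cfset trailWild = Right(rawName, 1) EQ "*">
    <cfset core = REReplace(rawName, "^\*+|\*+$", "", "all")>

    <cfif Len(core) LT 2>
        <!--- "*" or a single character would match most of the directory; refuse it --->
        <p>Please enter at least two characters of the name.</p>
    <cfelse>
        <!--- Escape the literal part, then re-add only the wildcards the user supplied --->
        <cfset pattern = ldapEscapeValue(core)>
        <cfif leadWild><cfset pattern = "*" & pattern></cfif>
        <cfif trailWild><cfset pattern = pattern & "*"></cfif>

        <!--- Placeholder server and base DN; maxRows and timeout bound the work one request can cause --->
        <cfldap
            server = "ldap.example.com"
            action = "query"
            name = "results"
            start = "dc=example,dc=com"
            scope = "subtree"
            filter = "(cn=#pattern#)"
            attributes = "cn,o,title,mail,telephonenumber"
            maxRows = "100"
            timeout = "30">

        <cfoutput>
            <p>#results.recordCount# matches found</p>
            <!--- HTMLEditFormat stops directory data from being rendered as markup --->
            <cfloop query="results">
                #HTMLEditFormat(cn)#, #HTMLEditFormat(o)#, #HTMLEditFormat(mail)#<br>
            </cfloop>
        </cfoutput>
    </cfelse>
</cfif>
```

With input `Smi*` the filter sent is `(cn=Smi*)`; with input `Smi)(mail=*` the parentheses and the inner asterisk are escaped to `(cn=Smi\29\28mail=\2a)`, which matches nothing rather than widening the search.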


Version 6.1


Comments


flappie said on Feb 16, 2004 at 3:53 AM :
the attribute action is not optional in MX 6.1. If omitted you get a nullpointer exception
clomvardias said on Apr 21, 2004 at 9:29 AM :
Why do I get this error when I try to use the "sort" attribute?

An error has occurred while trying to execute sort :[LDAP: error code 12 - Unavailable Critical Extension].
GAlanShepherd said on Apr 22, 2004 at 8:30 AM :
The unavailable critical extension error appears because you have asked the server to sort the entries (cold fusion MX dropped client side sorting - why?) and marked it as a mandatory critical extension in the protocol. The server has responded saying that it does not support that extension (sorting presumably) and so the operation fails. It is possible that there is another critical extension it is not doing, but the sort is the most likely cause.
GAlanShepherd said on Apr 22, 2004 at 8:33 AM :
Why is the documentation for this tag so limited? Why is it not possible to obtain information on such things as size limit exceeded, partial result qualifiers etc?

And most irritatingly of all, cfldap appears to prepend ldap://server:389/ to the DNs of all entries returned that are a result of an alias dereferenced. If I try to use this in a subsequent operation as the DN, I get server unavailable. IT IS NOT USEFUL to do this! There should be an other flag indicating alias dereferenced.
GAlanShepherd said on Apr 22, 2004 at 9:57 AM :
Why can't I specify the LDAP version? What if I want to use version 2?
halL said on Apr 22, 2004 at 10:17 AM :
We've entered a bug/enhancement report 55206 for GAlanShepherd's requests for changes to LDAP.
They are listed as:
1) Provide ColdFusion-side sorting of results (as was done in CF5)
2) Provide a flag indicating that an alias was dereferenced.
3) Provide a way to specify/use LDAP version 2.

Re documentation, we have a full chapter on using LDAP in the Developing ColdFusion MX Applications document, at http://livedocs.macromedia.com/coldfusion/6.1/htmldocs/ldap.htm.
However, this may not provide all the information that you'd like to see.
If there are any specifics that aren't covered either here or in the Developing Applications chapter, please post additional Livedocs comments specifying what more you want covered.
GAlanShepherd said on Apr 22, 2004 at 2:26 PM :
It appears that a time limit exceeded error is no longer being picked up and thrown as an exception. I have the following:

<cftry>
<cfldap separator="|" name="#ldap_name#" action="#ldap_action#" scope="#ldap_scope#" start="#ldap_start#" filter="#ldap_filter#"
server="#ldap_server#" username="#ldap_user#" password="#ldap_pword#" maxrows="#ldap_maxrows#" attributes="#ldap_attributes#" referral="2"
rebind="yes" timeout="#ldap_timeout#">

<cfcatch type="any">
<CFDUMP var="#cfcatch#"><cfabort>
</cfcatch>
</cftry>

and according to the protocol log from the LDAP server, it is sending

messageID 3,
protocolOp {
result Code {
resultCode timeLimitExceeded,
matchedDN "",
errorMessage "",
}
}

This may be because the LDAP server is v2 and the error structure is subtly different than what cold fusion is expecting as it assumes version 3 servers.
GAlanShepherd said on Apr 23, 2004 at 6:19 AM :
Setting any value for timeout seems to cause the timeout value to be set to 1, rather than the value you set. If timeout is not specified, the value is set to 61, not 60.

I am using an LDAP v2 server and there is a v3 bind that fails before a successful v2 bind (why this inefficiency? I want to be able to specify v2!).
GAlanShepherd said on Apr 29, 2004 at 11:40 AM :
The documentation does not specify how to set LDAP service controls such as telling the server not to search aliases. Where can I find this information?
derrickrapley said on Jul 21, 2004 at 1:52 PM :
If you want to sort: The recordset from LDAP is returned as a query object. You can perform a query of queries on it.
jem_b said on Aug 12, 2004 at 11:25 AM :
I am unable to figure out how to retrieve all values of a multi-valued binary attribute, based on this documentation.
msoultan said on Aug 20, 2004 at 3:58 PM :
For some odd reason, when I submit the following query, coldfusion also asks for additional attributes. See below:

<cfldap action="query"
name="qCheckUsername"
server="#server#"
port="389"
attributes="uid"
maxrows="100"
start="cn=People,ou=school,dc=edu"
scope="subtree"
filter="(uid=23423423)"
username="uid=serviceaccount,cn=people,ou=school,dc=edu"
password="password">

When I look at the logs on the iPlanet LDAP server, the query is requesting a bunch of attributes in addition to uid: attrs="uid objectClass javaSerializedData javaClassName javaFactory javaCodebase javaReferenceAddress javaClassNames javaremotelocation"

I don't want coldfusion to ask for all these extra attributes. I only want it to ask "uid" and that's it. This will definitely cause people problems if their admins are very tight on their LDAP security (like mine).

I also have not found any documentation regarding this behavior.
John Pickard said on Oct 8, 2004 at 9:33 AM :
Performing an LDAP query on a LDAP server to bring back all users belonging to a subtree is limited to 100 returned results e.g. 150 users may actually exist but ColdFusion will only return the first 100.
Josho said on Oct 15, 2004 at 10:38 AM :
Be careful that this max record limit isn't set on your server. If your server has a max record limit of 100, setting the max to 150 on your request won't change the server's setting.
D-Spair said on Oct 20, 2004 at 5:32 PM :
The <cfldap> doesn't seem to handle SSL gracefully. We have a self-signed certificate which doesn't seem to get accepted. Either that, or it doesn't handle TLS, which is the default encryption method for our server.
adrapley said on Nov 12, 2004 at 6:15 AM :
Is anyone aware that when you query an ldap for multiple records in an OU, the first row in the result set is typically a row of empty values? At least this is my experience with Novell eDirectory.
einfo said on Nov 30, 2004 at 1:46 PM :
Are others having this same problem with cfldap not picking up time limit exceeded errors?
J.C. said on Dec 1, 2004 at 1:52 PM :
You know, I see more than enough info on how to query LDAP servers until the cows come home. Updating attributes is no problem. I'd really like to ADD a new user to AD or move a user from one container to another or maybe add a brand new group to AD. Anyone ever done that?? There's absolutely nothing about it out there. Try adding anything and it complains about required attributes. Go to Microsoft, and you can find required attributes. Go back to CFLDAP, add the required attributes...notta. Is this even possible??

Thanks!
Zeke_the_Web_Guru said on Oct 7, 2005 at 8:52 AM :
LDAP: error code 34 - Invalid DN Syntax

Solution found at http://groups.google.com/group/macromedia.coldfusion.security/browse_thread/thread/46aef1c75e4e781b/36aac02d2ae3ebe4%2336aac02d2ae3ebe4?sa=X&oi=groupsr&start=0&num=2

The invalid DN syntax is probably for the username parameter. You need to bind as a fully qualified DN. So change your username parameter to something like cn=username,ou=my group,dc=mycompany,dc=com.
Zeke_the_Web_Guru said on Oct 7, 2005 at 8:53 AM :
CFLDAP Sorting Problem

Solution found at http://www.dantor.com/support/cfdocs/Migrating_ColdFusion_5_Applications/cf_migration_guide6.html

You can no longer sort CFLDAP query results on the client side using the sort attribute. The sort attribute triggers a server-side sort. If the LDAP server does not support server-side sorting, CFLDAP throws an error.

The sort order depends on the LDAP server; for example, iPlanet Directory Server 5.0, Novell 6.0 server, Oracle Internet Directory 9i, Microsoft Active Directory, and others might each sort differently.

To do client-side sorting on the CFLDAP query results, use the ColdFusion Query of Queries feature.
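The client-side alternative that derrickrapley and Zeke describe, as an added example that is not from the page's authors: the query is issued without the sort attribute, so cfldap requests no server-side sort control, and ColdFusion sorts the result with Query of Queries. The column check covers the case noted in the usage text above, where an attribute name containing characters illegal in CFML is mapped to an underscore, and the recordCount check picks up a result truncated at maxRows, the situation John Pickard and Josho raise. Server, base DN and the 500-entry cap are placeholders:

```cfml
<!--- No sort attribute: cfldap then sends no critical sort control to the server --->
<cfldap action="query"
    name="people"
    server="ldap.example.com"
    start="ou=People,dc=example,dc=com"
    scope="subtree"
    filter="(objectclass=person)"
    attributes="cn,sn,mail"
    maxRows="500"
    timeout="30">

<!--- Column names can differ from attribute names when an attribute name
      contains characters that are illegal in CFML --->
<cfif ListFindNoCase(people.columnList, "cn") AND ListFindNoCase(people.columnList, "sn")>
    <!--- Sort in ColdFusion with Query of Queries --->
    <cfquery name="sortedPeople" dbtype="query">
        SELECT cn, sn, mail
        FROM people
        ORDER BY sn, cn
    </cfquery>
    <cfoutput>
        <!--- A result that fills maxRows may have been cut off by cfldap or by the server --->
        <cfif people.recordCount GTE 500>
            <p>Result limited to #people.recordCount# entries; narrow the search.</p>
        </cfif>
        <cfloop query="sortedPeople">
            #HTMLEditFormat(sn)#, #HTMLEditFormat(cn)# (#HTMLEditFormat(mail)#)<br>
        </cfloop>
    </cfoutput>
<cfelse>
    <cfoutput>Unexpected column names returned: #HTMLEditFormat(people.columnList)#</cfoutput>
</cfif>
```

Query of Queries sorts with ColdFusion's own collation, so the order is the same regardless of which directory product answered, which is the point Zeke's second paragraph makes about server-side sorting.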
joef163 said on Jul 6, 2006 at 7:55 AM :
The documentation provided at the top of the page has some error that I don't see corrected in any comments (although another technote on this issue has the correct information). Specifically, the default password is changeit (all one word). Secondly, you need to use the -storepass flag and not the -keypass flag.
Kingsler34 said on Jul 31, 2006 at 7:26 AM :
I was also having the same problems with cfldap not returning the "limit exceeded" errors. The ldap server had a limit set at 25 results...so if cfldap would return 26 or more, it would just return with no results instead of throwing the correct "administrative limit exceeded" error.

This seemed to only happen for me when I search for specific attributes. For example if your cfldap "attribute" value is set to anything but "*" it will NOT return the "administrative limit exceeded" error. However, if you do the same search again, but this time with "attribute=*" then, you will receive the correct error. Hope that helps!


Current page: http://livedocs.adobe.com/coldfusion/6.1/htmldocs/tags-p69.htm