View comments | RSS feed

cfldap

Description

Provides an interface to a Lightweight Directory Access Protocol (LDAP) directory server, such as the Netscape Directory Server.

Category

Internet Protocol tags

Syntax

<cfldap 
   server = "server_name"
   port = "port_number"
   username = "name"
   password = "password"
   action = "action"
   name = "name"
   timeout = "milliseconds"
   maxRows = "number"
   start = "distinguished_name"
   scope = "scope"
   attributes = "attribute, attribute"
returnAsBinary = "column_name, column_name"
   filter = "filter"
   sort = "attribute[, attribute]..."
   sortControl = "nocase" and/or "desc" or "asc"
   dn = "distinguished_name"
   startRow = "row_number"
   modifyType = "replace" or "add" or "delete"
   rebind = "yes" or "no"
   referral = "number_of_allowed_hops"
   secure = "multi_field_security_string"
   separator = "separator_character"
   delimiter = "delimiter_character">

See also

cfftp, cfhttp, cfmail, cfmailparam, cfpop, Managing LDAP Directories in ColdFusion MX Developer's Guide

History

ColdFusion MX 7: Added the returnAsBinary attribute. Added SSL V3 client based authentication; this means that ColdFusion supports the CFSSL_CLIENT_AUTH option.If CFSSL_CLIENT_AUTH is selected, ColdFusion assumes that the first certificate in the cacerts (or the certificate database) contains the Client Certificate.

ColdFusion MX:

Attributes

Attribute Req/Opt Default Description

server

Required

 

Host name or IP address of LDAP server.

port

Optional

389

Port.

username

Required if secure = "CFSSL_BASIC"

(anonymous)

User ID.

password

Required if secure = "CFSSL_BASIC"

 

Password that corresponds to user name.

If secure = "CFSSL_BASIC", V2 encrypts the password before transmission.

action

Required

query
  • query: returns LDAP entry information only. Requires name, start, and attributes attributes.
  • add: adds LDAP entries to LDAP server. Requires attributes attribute.
  • modify: modifies LDAP entries, except distinguished name dn attribute, on LDAP server. Requires dn. See modifyType attribute.
  • modifyDN: modifies distinguished name attribute for LDAP entries on LDAP server. Requires dn.
  • delete: deletes LDAP entries on an LDAP server. Requires dn.

name

Required if action = "Query"

 

Name of LDAP query. The tag validates the value.

timeout

Optional

60000

Maximum length of time, in milliseconds, to wait for LDAP processing.

maxRows

Optional

 

Maximum number of entries for LDAP queries.

start

Required if action = "Query"

 

Distinguished name of entry to be used to start a search.

scope

Optional

oneLevel

Scope of search, from entry specified in start attribute for action = "Query".

  • oneLevel: entries one level below entry.
  • base: only the entry.
  • subtree: entry and all levels below it.

attributes

Required if action = "Query", "Add", "ModifyDN", or "Modify"

 

For queries: comma-delimited list of attributes to return. For queries, to get all attributes, specify "*".

If action = "add" or "modify", you can specify a list of update columns. Separate attributes with a semicolon.

If action = "ModifyDN", ColdFusion passes attributes to the LDAP server without syntax checking.

returnAsBinary

Optional

 

A comma-delimited list of columns that are to be returned as binary values.

filter

Optional

"objectclass = *"

Search criteria for action = "query".

List attributes in the form:
"(attribute operator value)"
For example: "(sn = Smith)"

sort

Optional

 

Attribute(s) by which to sort query results. Use a comma delimiter.

sortControl

Optional

asc
  • nocase: case-insensitive sort.
  • asc: ascending (a to z) case-sensitive sort.
  • desc: descending (z to a) case-sensitive sort.

You can enter a combination of sort types; for example, sortControl = "nocase, asc".

dn

Required if action = "Add", "Modify", "ModifyDN", or "delete"

 

Distinguished name, for update action; for example, "cn = Bob Jensen, o = Ace Industry,
c = US"

startRow

Optional

Used with action = "query". First row of LDAP query to insert into a ColdFusion query.

modifyType

Optional

replace

How to process an attribute in a multi-value list:

  • add: appends it to any attributes.
  • delete: deletes it from the set of attributes.
  • replace: replaces it with specified attributes.

You cannot add an attribute that is already present or that is empty.

rebind

Optional

no

  • yes: attempts to rebind referral callback and reissue query by referred address using original credentials.
  • no: referred connections are anonymous.

referral

Optional

 

Integer. Number of hops allowed in a referral. A value of 0 disables referred addresses for LDAP; no data is returned.

secure

Optional

 

Security to employ, and required information. One option:

  • CFSSL_BASIC

"CFSSL_BASIC" provides V2 SSL encryption
and server authentication.

separator

Optional

, [comma]

Delimiter to separate attribute values of multi-value attributes. Used by query, add, and modify actions, and by cfldap to output multi-value attributes.

For example, if $ (dollar sign), the attributes attribute could be "objectclass = top$person", where the first value of objectclass is top, and the second value is person. This avoids confusion if values include commas.

delimiter

Optional

; [semicolon]

Separator between attribute name-value pairs. Use this attribute if either of these situations exist:

  • the attributes attribute specifies more than one item
  • an attribute contains the default delimiter (semicolon). For example: mgrpmsgrejecttext;lang-en

Used by query, add, and modify actions, and by cfldap to output multivalue attributes.

For example, if $ (dollar sign), you could specify
"cn = Double Tree Inn$street = 1111 Elm; Suite 100, where the semicolon is part of the street value.

Usage

If you use the query action, cfldap creates a query object, allowing access to information in the query variables, as follows:

Variable name Description

queryname.recordCount

Number of records returned by query

queryname.currentRow

Current row of query that cfoutput is processing

queryname.columnList

Column names in query

If you use the security="CFSSL_BASIC" option, ColdFusion determines whether to trust the server by comparing the server's certificate with the information in the jre/lib/security/cacerts keystore of the JRE used by ColdFusion MX. The ColdFusion MX default cacerts file contains information about many certificate granting authorities. If you must update the file with additional information, you can use the keytool utility in the ColdFusion jre/bin directory to import certificates that are in X.509 format. For example, enter the following: 

keytool -import -keystore cacerts -alias ldap -file ldap.crt -keypass bl19mq

Then restart ColdFusion MX. The keytool utility initial keypass password is "change it". For more information on using the keytool utility, see the Sun JDK documentation.

Characters that are illegal in ColdFusion can be used in LDAP attribute names. As a result, the cfldap tag could create columns in the query result set whose names contain illegal characters and are, therefore, inaccessible in CFML. In ColdFusion, illegal characters are automatically mapped to the underscore character; therefore, column names in the query result set might not exactly match the names of the LDAP attributes.

For usage examples, see ColdFusion MX Developer's Guide.

Example

<h3>cfldap Example</h3>
<p>Provides an interface to LDAP directory servers. The example uses the 
University of Connecticut public LDAP server. For more public LDAP servers,
see <a href="http://www.emailman.com">http://www.emailman.com</a>.</p>
<p>Enter a name and search the public LDAP resource. 
An asterisk before or after the name acts as a wildcard.</p>
<!--- If form.name exists, the form was submitted; run the query. --->
<cfif IsDefined("form.name")>
   <!--- Check to see that there is a name listed. --->
   <cfif form.name is not "">
      <!--- Make the LDAP query. --->
      <cfldap 
          server = "ldap.uconn.edu"
          action = "query"
          name = "results"
          start = "dc=uconn,dc=edu"
          filter = "cn=#name#"
          attributes = "cn,o,title,mail,telephonenumber"
          sort = "cn ASC">
      <!--- Display results. --->
      <center>
      <table border = 0 cellspacing = 2 cellpadding = 2>
         <tr>
            <th colspan = 5>
               <cfoutput>#results.recordCount# matches found
               </cfoutput></TH>
         </tr>
         <tr>
            <th><font size = "-2">Name</font></TH>
            <th><font size = "-2">Organization</font></TH>
            <th><font size = "-2">Title</font></TH>
            <th><font size = "-2">E-Mail</font></TH>
            <th><font size = "-2">Phone</font></TH>
         </tr>
         <cfoutput query = "results">
            <tr>
               <td><font size = "-2">#cn#</font></td>
               <td><font size = "-2">#o#</font></td>
               <td><font size = "-2">#title#</font></td>
               <td><font size = "-2">
                  <A href = "mailto:#mail#">#mail#</A></font></td>
               <td><font size = "-2">#telephonenumber#</font></td>
            </tr>
         </cfoutput>
         </table>
         </center>
      </cfif>
</cfif>

<form action="#cgi.script_name#" method="POST">
<p>Enter a name to search in the database.
<p>
<input type="Text" name="name">
<input type="Submit" value="Search" name="">
</form>

ColdFusion MX 7 | ColdFusion MX 6.1 | ColdFusion MX | Forums | Developer Center | KnowledgeBase | Bug Reporting

Version 7

Comments


eblackey101 said on Apr 12, 2005 at 3:07 PM :
You still need to update the docs to state that the timeout is in milliseconds instead of seconds. This has caused me lots of problems. Please update the docs so no one else runs into the same thing.
jrunrandy said on Apr 19, 2005 at 11:09 AM :
Good catch. I have added bug 60090 to help us track this bug.
Michael said on Jul 24, 2006 at 7:24 AM :
The documentation for CFLDAP incorrectly states the delimiter for RETURNASBINARY as a comma. The correct delimiter should be a space. This was confirmed by Chandan Kumar.

Syntax: RETURNASBINARY="objectGUID objectSID"
ksmith said on Jan 11, 2007 at 7:08 AM :
SSL v3 is not supported by CFLDAP.
postwick said on May 16, 2007 at 5:46 PM :
This tag does not support full and proper multi-clause filters. The following is a perfectly valid LDAP query filter, and it does not work in CFLDAP:

(&(objectClass=person)(!samAccountName=*$)(!samAccountName=Srvc_*)(!samAccountName=Kher*)(!samAccountName=C2K*)(!samAccountName=Khec*)(!samAccountName=Test_*)(!samAccountName=Svc-*)(!samAccountName=SVC*)(!samAccountName=_*))

In fact, simply putting in:

(!samAccountName=*$)

or:

!samAccountName=*$

...neither work, even though this is valid LDAP syntax.
Hoska said on Sep 7, 2007 at 8:56 AM :
Documentation for the scope attribute states that the default is 'onelevel' while it appears to actually be 'subtree'.
halL said on Sep 21, 2007 at 1:50 PM :
Hoska is correct, the default scope attribute is subtree.
rvoosten said on Feb 12, 2008 at 5:55 AM :
Omitting the "action" argument will thow a "java.lang.NullPointerException", whereas when omitting another argument such as "attributes" will thow a nicer human-readable error:

"When the value of the ACTION attribute is "QUERY", the tag requires the attribute(s): ATTRIBUTES."

For a minute I thought MX7 had the same CFLDAP bug as MX6 with the newer java runtime, until I realised I simply forgot the action.

 

RSS feed | Send me an e-mail when comments are added to this page | Comment Report

Current page: http://livedocs.adobe.com/coldfusion/7/htmldocs/00000283.htm