PingAuthorize

LDAP services

The policy decision point (PDP) can make LDAP queries to retrieve information.

You can make requests dynamic by interpolating attribute values into different parameters. See Attribute interpolation.

Configuration

Specify the following settings to configure an LDAP service. A publicly available LDAP service is used as an example.

Host and Port

The host name and port number of the LDAP server. For example:

Host: ldap.forumsys.com
Port: 389

Username / Bind DN and Password

The user or bind credentials for the LDAP server. For example:

Bind DN: cn=read-only-admin,dc=example,dc=com
Password: password

Use SSL

If the LDAP server is secured using SSL, enable this setting.

Enabling this setting populates the Certificate Validation section, which is useful when configuring TLS and M-TLS certificates. For more information, see paz_http_services.adoc#section_zvj_jss_tkb.

Search Base DN / LDAP filter

These settings define the LDAP query. For example:

Search Base DN: dc=example,dc=com
LDAP Filter: ou=mathematicians
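The following added example (not PingAuthorize code) shows how a filter like the one above is assembled in RFC 4515 syntax, and what happens to a value that is interpolated into it from a request attribute. The functions `escape_filter_value`, `build_filter` and `build_group_member_filter` are hypothetical names for this illustration; how the product itself escapes interpolated values is not described on this page, so the escaping shown is the standard RFC 4515 rule, not a statement about the product.

```python
# Added example, not PingAuthorize code: assembling the search filter from the
# configuration above and escaping an interpolated attribute value per RFC 4515.

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
# A per-character mapping means the backslash is never escaped twice.
_RFC4515_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so the filter treats it as a literal, not as filter syntax."""
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attribute: str, value: str) -> str:
    """Equality filter in RFC 4515 syntax, e.g. (ou=mathematicians)."""
    return f"({attribute}={escape_filter_value(value)})"


def build_group_member_filter(group_ou: str, member_dn: str) -> str:
    """AND filter that matches the group only if member_dn is one of its uniqueMembers.

    Hypothetical use of attribute interpolation: group_ou comes from static
    configuration, member_dn from a request attribute (assumed, not shown on the page).
    """
    return "(&" + build_filter("ou", group_ou) + build_filter("uniqueMember", member_dn) + ")"


if __name__ == "__main__":
    print(build_filter("ou", "mathematicians"))
    print(build_group_member_filter("mathematicians", "uid=gauss,dc=example,dc=com"))
    print(build_filter("cn", "O'Neil (admin)*"))
```

Note that the page writes the filter as `ou=mathematicians` without parentheses; RFC 4515 filter syntax is the parenthesized form, so confirm which form the product's LDAP Filter field accepts before copying either style.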

Results

Because the server converts the result of an LDAP query to an XML document, you must set the service value type to XML. The previous example query results in the following document.

<searchResponse>
  <searchResultEntry dn="OU=MATHEMATICIANS,DC=EXAMPLE,DC=COM">
    <attr name="ou">mathematicians</attr>
    <attr name="objectClass">groupOfUniqueNames</attr>
    <attr name="objectClass">top</attr>
    <attr name="uniqueMember">uid=euclid,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=riemann,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=euler,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=gauss,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=test,dc=example,dc=com</attr>
    <attr name="cn">Mathematicians</attr>
  </searchResultEntry>
</searchResponse>

You can extract individual parts or collections of the data from the resulting XML document by using XPath processors. For example, the following XPath processor extracts the set of unique members:

//searchResponse/searchResultEntry/attr[@name='uniqueMember']/text()

Applying this processor to the above XML document produces the following result:

uid=euclid,dc=example,dc=com
uid=riemann,dc=example,dc=com
uid=euler,dc=example,dc=com
uid=gauss,dc=example,dc=com
uid=test,dc=example,dc=com
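As an added example that is not part of the original page, the script below applies the uniqueMember XPath from the text to a constructed copy of the searchResponse document using only the Python standard library, and then uses the extracted DNs for a membership check. The function names `unique_members`, `normalize_dn` and `is_unique_member` are assumptions for this illustration. ElementTree supports the XPath subset used here, but evaluates paths relative to the root element, so the absolute `//searchResponse/...` form from the text is written as `./searchResultEntry/...`.

```python
# Added example, not PingAuthorize code: extracting uniqueMember values with XPath
# and comparing DNs case-insensitively.
import xml.etree.ElementTree as ET

# Constructed copy of the search result shown on the page.
SEARCH_RESPONSE = """<searchResponse>
  <searchResultEntry dn="OU=MATHEMATICIANS,DC=EXAMPLE,DC=COM">
    <attr name="ou">mathematicians</attr>
    <attr name="objectClass">groupOfUniqueNames</attr>
    <attr name="objectClass">top</attr>
    <attr name="uniqueMember">uid=euclid,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=riemann,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=euler,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=gauss,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=test,dc=example,dc=com</attr>
    <attr name="cn">Mathematicians</attr>
  </searchResultEntry>
</searchResponse>"""


def unique_members(xml_text: str) -> list[str]:
    """Apply the page's XPath (relative to the searchResponse root) and return the DNs."""
    root = ET.fromstring(xml_text)
    return [e.text or "" for e in root.findall("./searchResultEntry/attr[@name='uniqueMember']")]


def normalize_dn(dn: str) -> str:
    """Lower-case each RDN and strip surrounding whitespace.

    The entry dn above is upper-case while the member values are lower-case; LDAP
    compares attribute types and most values case-insensitively, so a byte-for-byte
    comparison would miss legitimate matches. Simplification: escaped commas inside a
    value (RFC 4514) are not handled by this split.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_unique_member(xml_text: str, user_dn: str) -> bool:
    """True if user_dn appears among the group's uniqueMember values."""
    target = normalize_dn(user_dn)
    return any(normalize_dn(member) == target for member in unique_members(xml_text))


if __name__ == "__main__":
    for dn in unique_members(SEARCH_RESPONSE):
        print(dn)
    print(is_unique_member(SEARCH_RESPONSE, "UID=Gauss, DC=example, DC=COM"))
```

The `dn` attribute on `searchResultEntry` is available as `entry.get("dn")` if a policy needs the group's own DN rather than its members.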