LDAP services
The policy decision point (PDP) can make LDAP queries to retrieve information.
You can make requests dynamic by interpolating attribute values into different parameters. See Attribute interpolation.
Configuration
Specify the following settings to configure an LDAP service. A publicly available LDAP service is used as an example.
Host and Port
The host name and port number of the LDAP server. For example:
Host: ldap.forumsys.com
Port: 389
Username / Bind DN and Password
The user or bind credentials for the LDAP server. For example:
Bind DN: cn=read-only-admin,dc=example,dc=com
Password: password
Use SSL
If the LDAP server is secured using SSL, enable this setting.
Enabling this setting populates the Certificate Validation section, which is useful when configuring TLS and M-TLS certificates. For more information, see Certificate validation.
Search Base DN / LDAP filter
These settings define the LDAP query. For example:
Search Base DN: dc=example,dc=com
LDAP Filter: ou=mathematicians
Results
Because the server converts the result of an LDAP query to an XML document, you must set the service value type to XML. The previous example query results in the following document.
<searchResponse>
  <searchResultEntry dn="OU=MATHEMATICIANS,DC=EXAMPLE,DC=COM">
    <attr name="ou">mathematicians</attr>
    <attr name="objectClass">groupOfUniqueNames</attr>
    <attr name="objectClass">top</attr>
    <attr name="uniqueMember">uid=euclid,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=riemann,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=euler,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=gauss,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=test,dc=example,dc=com</attr>
    <attr name="cn">Mathematicians</attr>
  </searchResultEntry>
</searchResponse>
You can extract individual parts or collections of the data from the resulting XML document by using XPath processors. For example, the following XPath processor extracts the set of unique members:
//searchResponse/searchResultEntry/attr[@name='uniqueMember']/text()
Applying this processor to the above XML document produces the following result:
uid=euclid,dc=example,dc=com
uid=riemann,dc=example,dc=com
uid=euler,dc=example,dc=com
uid=gauss,dc=example,dc=com
uid=test,dc=example,dc=com
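The following Python script is an added example, not part of this page or the PDP product, that reproduces the two steps described above offline: interpolating an attribute value into the "ou=..." LDAP filter (with the value escaped as RFC 4515 requires, so that attribute values containing filter metacharacters stay a single literal value) and applying the unique-member XPath to the search response shown above. The search response is a constructed copy of the page's document; the function names and the "Smith (admin)" sample value are assumptions. Python's xml.etree supports the attribute predicate but not the trailing text() step, so the function reads the element text directly.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the search response shown on this page.
SEARCH_RESPONSE = """<searchResponse>
  <searchResultEntry dn="OU=MATHEMATICIANS,DC=EXAMPLE,DC=COM">
    <attr name="ou">mathematicians</attr>
    <attr name="objectClass">groupOfUniqueNames</attr>
    <attr name="objectClass">top</attr>
    <attr name="uniqueMember">uid=euclid,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=riemann,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=euler,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=gauss,dc=example,dc=com</attr>
    <attr name="uniqueMember">uid=test,dc=example,dc=com</attr>
    <attr name="cn">Mathematicians</attr>
  </searchResultEntry>
</searchResponse>"""

# RFC 4515 escape sequences for characters that carry meaning inside a filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\0": r"\00",
}


def escape_filter_value(value):
    """Escape an attribute value so it is interpolated as one literal value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(group_name):
    """Interpolate a group name into the page's 'ou=...' filter (hypothetical helper)."""
    return "ou=" + escape_filter_value(group_name)


def extract_attr(xml_text, attr_name):
    """Equivalent of //searchResponse/searchResultEntry/attr[@name='<attr_name>']/text().

    The parsed root element is <searchResponse>, so the path below starts at
    its searchResultEntry children; xml.etree evaluates the [@name=...] predicate.
    """
    root = ET.fromstring(xml_text)
    path = "./searchResultEntry/attr[@name='%s']" % attr_name
    return [el.text for el in root.findall(path)]


if __name__ == "__main__":
    print(build_group_filter("mathematicians"))
    print(build_group_filter("Smith (admin)"))   # parentheses are escaped, not interpreted
    for member in extract_attr(SEARCH_RESPONSE, "uniqueMember"):
        print(member)
```

Run as-is, the script prints the two filters and then the five uniqueMember values in the same order as the result listing above; changing the attribute name to "objectClass" returns both objectClass values, which shows that the processor yields a collection, not a single value.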