PingDirectory

Correlating user and consent data

An organization that has been granted consent by a group of users can perform an LDAP search so that it can use the consent data in the aggregate.

About this task

For this task, consider the example scenario where a marketing group has collected consent to send a newsletter by email. To find all the users that have granted consent to receive emails, the marketing group performs a search that lists all of the consent records where the consent definition is email and the status is accepted. Then, the marketing group must correlate these consent records to user entries and retrieve each user’s email address.

Every consent record contains a subject field that identifies the user whose data is collected and stored. You can configure the Consent Service so that it stores the subject’s distinguished name (DN) in the subjectDN field.

Steps

  • Perform a search using the ldapsearch command.

    Example:

    The example includes the following modifications in the ldapsearch command:

    • To correlate each consent record entry to its user entry and retrieve that user entry’s mail attribute value, the join rule uses ping-consent-subject-dn.

    • To find all of the relevant consent record entries, the LDAP search filter specifies entries where ping-consent-definition.id is email and ping-consent-state is accepted.

    $ bin/ldapsearch \
       --baseDN "ou=consents,dc=example,dc=com" \
       --searchScope sub \
       --joinRule "dn:ping-consent-subject-dn" \
       --joinBaseDN "ou=people,dc=example,dc=com" \
       --joinScope sub \
       --joinRequestedAttribute mail \
       '(&(ping-consent-definition:jsonObjectFilterExtensibleMatch:={ "filterType" : "equals", "field" : "id", "value" : "email" })(ping-consent-state=accepted))' \
       1.1

    • A consent record’s subjectDN field is the ping-consent-subject-dn attribute.

    • A consent record’s status is in the ping-consent-state JSON attribute field.

    • A consent record’s definition ID is in the ping-consent-definition.id JSON attribute field.

    • A user entry’s email address is in the mail attribute.

    Result:

    The example LDAP search returns the following results.

    # Join Result Control:
    #      OID:  1.3.6.1.4.1.30221.2.5.9
    #      Join Result Code:  0 (success)
    #      Joined With Entry:
    #           dn: uid=user.0,ou=People,dc=example,dc=com
    #           mail: user.0@example.com
    dn: entryUUID=9e481010-8330-425a-bbf1-6637de053d48,ou=Consents,dc=example,dc=com

    # Result Code:  0 (success)
    # Number of Entries Returned:  1

    The Join Result Control section of the output contains the joined user entry and its mail value; the consent entry itself is returned with no attributes because the search requested only 1.1.
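As an added example (not PingDirectory’s own code), the following Python parses ldapsearch output in the shape shown above, collects the joined mail values into a deduplicated mailing list, and flags consent records whose subject DN did not join to any user entry. The sample output is constructed: its second consent entry has no joined user, as happens when a subject’s user entry has since been deleted.

```python
import re

# Constructed sample of bin/ldapsearch output with the Join Result Control.
# The second consent entry joins to nothing (no "Joined With Entry" lines).
SAMPLE_OUTPUT = """\
# Join Result Control:
#      OID:  1.3.6.1.4.1.30221.2.5.9
#      Join Result Code:  0 (success)
#      Joined With Entry:
#           dn: uid=user.0,ou=People,dc=example,dc=com
#           mail: user.0@example.com
dn: entryUUID=9e481010-8330-425a-bbf1-6637de053d48,ou=Consents,dc=example,dc=com

# Join Result Control:
#      OID:  1.3.6.1.4.1.30221.2.5.9
#      Join Result Code:  0 (success)
dn: entryUUID=00000000-0000-4000-8000-000000000002,ou=Consents,dc=example,dc=com

# Result Code:  0 (success)
# Number of Entries Returned:  2
"""


def parse_join_results(text: str) -> list[dict]:
    """Walk the output entry by entry. The commented Join Result Control lines
    describe the consent entry whose 'dn:' line follows them."""
    records, current = [], {"join_code": None, "joined_dn": None, "mail": None}
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            body = stripped.lstrip("#").strip()
            m = re.match(r"Join Result Code:\s+(\d+)", body)
            if m:
                current["join_code"] = int(m.group(1))
            elif body.startswith("dn: "):      # joined user entry DN
                current["joined_dn"] = body[4:]
            elif body.startswith("mail: "):    # joined user entry mail value
                current["mail"] = body[6:]
        elif stripped.startswith("dn: "):      # the consent entry itself
            current["consent_dn"] = stripped[4:]
            records.append(current)
            current = {"join_code": None, "joined_dn": None, "mail": None}
    return records


def consented_emails(text: str) -> tuple[list[str], list[str]]:
    """Return (unique mail addresses with accepted consent, consent DNs whose
    subject could not be joined to a user entry and need review)."""
    mails, dangling = set(), []
    for rec in parse_join_results(text):
        if rec["mail"]:
            mails.add(rec["mail"])
        else:
            dangling.append(rec["consent_dn"])
    return sorted(mails), dangling
```

Consent records that join to no user entry should be reviewed rather than silently dropped, since they indicate subject DNs that no longer resolve.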