Correlating user and consent data
An organization that has been granted consent by a group of users can perform an LDAP search so that they can use the consent data in the aggregate.
About this task
For this task, consider the example scenario where a marketing group has collected consent to send a newsletter by email. To find all the users that have granted consent to receive emails, the marketing group performs a search that lists all of the consent records where the consent definition is email and the status is accepted. Then, the marketing group must correlate these consent records to user entries and retrieve each user’s email address.
Every consent record contains a subject field, which identifies the user whose data is collected and stored. You can configure the Consent Service so that it stores the subject’s distinguished name (DN) in the subjectDN field.
Steps
- Perform a search using the ldapsearch command.
  Example:
  The example includes the following modifications in the ldapsearch command:
  - To correlate the consent record entries to user entries and retrieve each user entry’s mail attribute value, ping-consent-subject-dn is used.
  - To find all of the relevant consent record entries, the LDAP search specifies values where ping-consent-definition.id is email and ping-consent-state is accepted.
  $ bin/ldapsearch \
      --baseDN "ou=consents,dc=example,dc=com" \
      --searchScope sub \
      --joinRule "dn:ping-consent-subject-dn" \
      --joinBaseDN "ou=people,dc=example,dc=com" \
      --joinScope sub \
      --joinRequestedAttribute mail \
      '&(ping-consent-definition:jsonObjectFilterExtensibleMatch:={ "filterType" : "equals", "field" : "id", "value" : "email" })(ping-consent-state=accepted)' \
      1.1
  - A consent record’s subjectDN field is the ping-consent-subject-dn attribute.
  - A consent record’s status is in the ping-consent-state JSON attribute field.
  - A consent record’s definition ID is in the ping-consent-definition.id JSON attribute field.
  - A user entry’s email address is in the mail attribute.
  Result:
  The example LDAP search returns the following results.
  # Join Result Control:
  #      OID: 1.3.6.1.4.1.30221.2.5.9
  #      Join Result Code: 0 (success)
  #      Joined With Entry:
  #           dn: uid=user.0,ou=People,dc=example,dc=com
  #           mail: user.0@example.com
  dn: entryUUID=9e481010-8330-425a-bbf1-6637de053d48,ou=Consents,dc=example,dc=com

  # Result Code: 0 (success)
  # Number of Entries Returned: 1
  The Join Result Control: output specifies the mail value.
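The following added example (not part of the original documentation or the product) post-processes the search output shown above into a consent-record-to-email mapping and separates out consent records whose join returned no mail value. It assumes ldapsearch prints the join result control as # comment lines, one field per line, ahead of each consent entry's dn line; the function name correlate and the second sample record are constructed for illustration.

```python
import re
# Constructed sample in the layout of the result shown above; the second
# record (no joined entry) is invented to exercise the unmatched case.
SAMPLE_OUTPUT = """\
# Join Result Control:
#      OID: 1.3.6.1.4.1.30221.2.5.9
#      Join Result Code: 0 (success)
#      Joined With Entry:
#           dn: uid=user.0,ou=People,dc=example,dc=com
#           mail: user.0@example.com
dn: entryUUID=9e481010-8330-425a-bbf1-6637de053d48,ou=Consents,dc=example,dc=com

# Join Result Control:
#      OID: 1.3.6.1.4.1.30221.2.5.9
#      Join Result Code: 0 (success)
dn: entryUUID=00000000-0000-0000-0000-000000000000,ou=Consents,dc=example,dc=com

# Result Code: 0 (success)
# Number of Entries Returned: 2
"""
_COMMENT = re.compile(r"^#\s*([^:]+):\s*(.*)$")  # "# key: value" lines

def correlate(output):
    """Return (matched, unmatched): matched maps consent DN -> list of
    (user DN, mail); unmatched lists consent DNs with no usable join."""
    matched, unmatched = {}, []
    code, user_dn, pairs = None, None, []
    for line in output.splitlines():
        m = _COMMENT.match(line)
        if m:
            key, value = m.group(1).strip().lower(), m.group(2).strip()
            if key == "join result control":
                code, user_dn, pairs = None, None, []  # new control block
            elif key == "join result code":
                code = value.split()[0] if value else None
            elif key == "dn":
                user_dn = value  # joined user entry
            elif key == "mail" and user_dn:
                pairs.append((user_dn, value))
        elif line.lower().startswith("dn:"):
            consent_dn = line[3:].strip()  # the consent record itself
            if code == "0" and pairs:
                matched[consent_dn] = pairs
            else:
                unmatched.append(consent_dn)
            code, user_dn, pairs = None, None, []
    return matched, unmatched

if __name__ == "__main__":
    print(correlate(SAMPLE_OUTPUT))
```

Consent records in the unmatched list have an accepted consent but no user entry with a mail value under the join base DN, so they are worth reviewing rather than skipping silently.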