In some cases, the organization that has been granted consent by a group of users may need to perform an LDAP search so that they can act upon consent data in the aggregate. For example, a marketing group has collected consent to send a newsletter by email. A search must be performed that will list all of the consent records where the consent definition is email and the status is accepted. Those records must be correlated to user entries, and each user's email address must be retrieved.

This task is performed with an LDAP search on the PingDirectory Server. Every consent record has a subject, the user whose data is collected and stored. The Consent Service can be configured so that it stores the subject's DN in the subjectDN field.

In the LDAP schema:

  • A consent record's subjectDN field is the ping-consent-subject-dn attribute.
  • A consent record's status is the ping-consent-state attribute.
  • A consent record's definition ID is in the id field of the ping-consent-definition JSON attribute.
  • A user entry's email address is in the mail attribute.

The search must find all of the consent record entries where the definition ID is email and ping-consent-state is accepted. It must then correlate those consent record entries to user entries using ping-consent-subject-dn, and retrieve each user entry's mail attribute value. For example:

$ bin/ldapsearch \
   --baseDN "ou=consents,dc=example,dc=com" \
   --searchScope sub \
   --joinRule "dn:ping-consent-subject-dn" \
   --joinBaseDN "ou=people,dc=example,dc=com" \
   --joinScope sub \
   --joinRequestedAttribute mail \
   '(&(ping-consent-definition:jsonObjectFilterExtensibleMatch:={ "filterType" : "equals", "field" : "id", "value" : "email" })(ping-consent-state=accepted))'

   # Join Result Control:
   #      OID:
   #      Join Result Code:  0 (success)
   #      Joined With Entry:
   #           dn: uid=user.0,ou=People,dc=example,dc=com
   #           mail:
   dn: entryUUID=9e481010-8330-425a-bbf1-6637de053d48,ou=Consents,dc=example,dc=com
   # Result Code:  0 (success)
   # Number of Entries Returned:  1

The output listed under "Join Result Control" specifies the mail value.
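
The command above hard-codes the email definition and the accepted state. The following added example (not part of the PingDirectory documentation) goes a step further and builds the same joined search for any definition ID and state, JSON-encoding the definition ID and then escaping it per RFC 4515 so that a value containing parentheses, asterisks or backslashes cannot change the filter's structure. The function names are hypothetical; the options, attribute names and base DNs are the ones shown above.

```python
import json

# RFC 4515 section 3: these characters must be written as \XX inside a
# filter assertion value, otherwise they change the filter's structure.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def consent_filter(definition_id: str, state: str) -> str:
    """Build the page's filter for any definition ID and consent state."""
    # json.dumps handles quoting inside the JSON object filter; the result
    # is escaped again because it is embedded in an LDAP filter string.
    json_filter = json.dumps(
        {"filterType": "equals", "field": "id", "value": definition_id}
    )
    return (
        "(&(ping-consent-definition:jsonObjectFilterExtensibleMatch:="
        + escape_filter_value(json_filter)
        + ")(ping-consent-state="
        + escape_filter_value(state)
        + "))"
    )


def ldapsearch_argv(definition_id: str, state: str,
                    consent_base: str = "ou=consents,dc=example,dc=com",
                    people_base: str = "ou=people,dc=example,dc=com") -> list:
    """Argument vector for the joined search; only mail is requested."""
    # A list passed to subprocess.run() without shell=True is never re-parsed
    # by a shell, so the quotes in the filter need no extra shell quoting.
    return [
        "bin/ldapsearch",
        "--baseDN", consent_base,
        "--searchScope", "sub",
        "--joinRule", "dn:ping-consent-subject-dn",
        "--joinBaseDN", people_base,
        "--joinScope", "sub",
        "--joinRequestedAttribute", "mail",
        consent_filter(definition_id, state),
    ]
```

Requesting only mail through --joinRequestedAttribute keeps the result set limited to the one user attribute the consent covers.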