SEC-LDAP Adapter

LDAP (Lightweight Directory Access Protocol) is a protocol used over TCP/IP for accessing directory services. You can learn more about LDAP at ldap.com.

The LDAP Adapter allows you to add, modify, delete, and search for entries in local LDAP directories from RunMyProcess. It requires the Connector Agent and the Protocol Manager to be installed and running. Please follow the SEC - Installation Guide.

1 Prerequisites

The following is assumed:

  • The SEC manager is running on the server and a tunnel is open and configured. You can find instructions on how to install and configure the SEC here.
  • The server has Java installed.
  • The ping port on the manager is 4444 (this can be configured in the adapter and the manager).
  • The manager is running on the same server as the adapter (127.0.0.1).
  • The Unified Adapters zip file has been extracted to your local server as described here.

2 Configure the Adapter

The Adapter is configured by modifying the handler.config file and by creating an LDAP.config file in the [SEC-PATH]\configFiles folder. A reference configuration file can be found in the \configFiles\ldap.reference folder.

NB: It is recommended that the Adapter be installed in an Adapters folder inside the SEC installation path.

The handler.config file should look like this:

#Generic Protocol Configuration
protocol = LDAP
protocolClass = com.runmyprocess.sec.LDAP
handlerHost = 127.0.0.1
connectionPort = 5832
managerHost = 127.0.0.1
managerPort = 4444
pingFrequency = 300

Where :

  • protocol is the name that identifies our Adapter.
  • protocolClass is the class of the Adapter.
  • handlerHost is the host where the Adapter is running.
  • connectionPort is the port of the Adapter where data will be received and returned.
  • managerHost is the host where the SEC is running.
  • managerPort is the port where the SEC is listening for ping registrations.
  • pingFrequency is the interval at which the Adapter pings the manager (it must be at least three times shorter than the value configured in the manager).

The LDAP.config file should look like this:

#LDAP Configuration
host=127.0.0.1
port=389

Where :

  • host is the IP address of the server where the LDAP directory is hosted.
  • port is the port on which the LDAP server is listening.

3 Running the Adapter

You can now run the Adapter as follows:

On Windows:

runAdapter.bat

On Unix:

java -jar unified-adapter_${version}.jar

or (recommended):

java -server -Xmx512m -Xss256m -Djava.util.logging.config.file=./log.properties -jar unified-adapter_${version}.jar

Note: Make sure that you have launched the Protocol Manager and it is running on port 8080.

If everything is configured correctly, you can now place a request from RunMyProcess to search, add, modify or delete LDAP directory entries.

4 Testing the Adapter with a Local Directory

You can test the LDAP Adapter by submitting a POST request to http://127.0.0.1:8080/ with the following header fields:

Content-Type: **application/json**

Accept: **application/json**

and setting the content to be one of the example JSONObjects given in section 5.

5 Using the Adapter

To use the LDAP Adapter, submit a POST request to the IP address of the LDAP server with the following header fields:

Content-Type: **application/json**

Accept: **application/json**

The message body will be a JSONObject whose structure depends on the operation you are trying to execute. JSON (JavaScript Object Notation) objects are declared within curly braces with object properties declared as "name":"value" pairs, separated by commas.

Each operation requires a nested JSONObject with the outer object specifying the protocol (LDAP) and the inner object specifying the operation-specific parameters.

Each operation is considered below.

5.1 Searching a directory

The following properties can be set for this operation:

| Property Name | Description |
|---|---|
| operation | "SEARCH" |
| baseDN | The Distinguished Name to be used as the search base. |
| filter | The search criteria. If more than one criterion is required, the logical operators AND and OR can be used. |
| scope | The search scope: "BASE" (search only the base entry), "ONE" (search entries in the level below the baseDN) or "SUB" (search the subtree underneath the baseDN). |
| attributes | Which attributes of the matching entries to return. |

Examples

##SEARCH
{
"protocol":"LDAP",
"data":{
    "operation":"SEARCH",
    "baseDN":"DC=example,DC=com",
    "filter": "(&(|(objectClass=organizationalUnit)(objectClass=container)))"
    } 
}

This example will search the directory at example.com for objects that belong to the object class organizationalUnit or container.

##SEARCH
{
"protocol":"LDAP",
"data":{
    "operation":"SEARCH",
    "baseDN":"dc=example,dc=com",
    "filter": "(&(gn=J*))",
    "scope":"SUB",
    "attributes":["att1","att2"]
    }
}

This example will search the directory at example.com for entries where the given name begins with a J. It will search the entire subtree and return two attributes (att1 and att2) for each matching entry.

5.2 Adding an entry to a directory

The following properties can be set for this operation:

| Property Name | Description |
|---|---|
| operation | "ADD" |
| userDN | The Distinguished Name of the user that will authenticate to the directory. |
| password | The password of the user that will authenticate to the directory. |
| ldif | An LDIF record containing the data for the new entry. |

Example

##ADD
{
"protocol":"LDAP",
"data":{
    "operation":"ADD",
    "userDN":"cn=admin,dc=example,dc=com",
    "password":"password",
    "ldif": [
                            "dn: cn=John Smith,ou=People,dc=example,dc=com",
                            "cn: John Smith",
                            "gidnumber: 503",
                            "givenname: John",
                            "homedirectory: /home/users/smith",
                            "objectclass: inetOrgPerson",
                            "objectclass: posixAccount",
                            "objectclass: top",
                            "sn: Smith",
                            "uid: jsmith",
                            "uidnumber: 1013",
                            "userpassword: {MD5}jVneVUVGdJTyI25JIfooag=="       
                      ]
    } 
}

This example will authenticate as an admin user on the directory at example.com and add a new entry (a new user account).

5.3 Changing an entry in a directory

The following properties can be set for this operation:

| Property Name | Description |
|---|---|
| operation | "MODIFY" |
| userDN | The Distinguished Name of the user that will authenticate to the directory. |
| password | The password of the user that will authenticate to the directory. |
| ldif | An LDIF record specifying which attributes to change and their new values. |

Example

##MODIFY
{
"protocol":"LDAP",
"data":{
    "operation":"MODIFY",
    "userDN":"cn=admin,dc=example,dc=com",
    "password":"password",
    "ldif": [
             "dn: dc=example,dc=com",
             "changetype: modify",
             "replace: description",
             "description: MODIFY Example"     
                      ]
    } 
}

This example will authenticate as an admin user and replace the description attribute of the base entry with the new value MODIFY Example.

5.4 Deleting an entry from a directory

The following properties can be set for this operation:

| Property Name | Description |
|---|---|
| operation | "DELETE" |
| userDN | The Distinguished Name of the user that will authenticate to the directory. |
| password | The password of the user that will authenticate to the directory. |
| deleteDN | The Distinguished Name of the entry to be deleted. |

Example

##DELETE
{
"protocol":"LDAP",
"data":{
    "operation":"DELETE",
    "userDN":"cn=admin,dc=example,dc=com",
    "password":"password",
    "deleteDN": "cn=John Smith,ou=People,dc=example,dc=com"
    } 
}

This example will authenticate as an admin user on the directory at example.com and will delete the entry that has the Common Name John Smith in the organizational unit People.

5.5 Response

The expected return value is a JSON object that should look like this:

{
"SECStatus":200,
"Result":"YOUR LDAP RESULT INFORMATION"
}
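As an added example that is not part of the original page, the following Python helper builds the nested request object described in sections 5.1 to 5.4, checks the required properties listed in each table, escapes values that are interpolated into a search filter (RFC 4515, so a user-supplied value cannot change the filter's structure), and reads the SECStatus of a section 5.5 response. The REQUIRED table, the escaping function and the sample inputs are this example's own constructions, not part of the Adapter.

```python
import json

# Required inner "data" properties for each operation, taken from the
# section 5 tables (the table itself is this example's construction).
REQUIRED = {
    "SEARCH": ("baseDN", "filter"),
    "ADD": ("userDN", "password", "ldif"),
    "MODIFY": ("userDN", "password", "ldif"),
    "DELETE": ("userDN", "password", "deleteDN"),
}
SCOPES = {"BASE", "ONE", "SUB"}

# RFC 4515 escaping for values interpolated into a search filter, so a
# value like "J*)(uid=*" cannot alter the structure of the filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def build_request(operation: str, **data) -> dict:
    """Return the nested object: outer names the protocol, inner holds the operation."""
    op = operation.upper()
    if op not in REQUIRED:
        raise ValueError(f"unknown operation {operation!r}")
    missing = [key for key in REQUIRED[op] if key not in data]
    if missing:
        raise ValueError(f"{op} requires {missing}")
    if op == "SEARCH" and "scope" in data and data["scope"] not in SCOPES:
        raise ValueError("scope must be BASE, ONE or SUB")
    if op in ("ADD", "MODIFY") and not isinstance(data["ldif"], list):
        raise ValueError("ldif must be a list of LDIF lines")
    return {"protocol": "LDAP", "data": {"operation": op, **data}}

def check_response(raw: str) -> str:
    """Return Result from a section 5.5 response, or raise if SECStatus is not 200."""
    resp = json.loads(raw)
    if resp.get("SECStatus") != 200:
        raise RuntimeError(f"adapter returned SECStatus {resp.get('SECStatus')}")
    return resp["Result"]

if __name__ == "__main__":
    # Constructed sample: a user-supplied given-name prefix containing filter metacharacters.
    prefix = escape_filter_value("J*)(uid=*")
    body = build_request("SEARCH", baseDN="dc=example,dc=com",
                         filter=f"(gn={prefix}*)", scope="SUB", attributes=["cn", "mail"])
    print(json.dumps(body, indent=2))  # POST this to http://127.0.0.1:8080/ (section 4)
    print(check_response('{"SECStatus":200,"Result":"YOUR LDAP RESULT INFORMATION"}'))
```

The body is sent with any HTTP client using the Content-Type and Accept headers from section 4; the helper only builds and validates it.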

6 Troubleshooting

If you are having problems, make sure that:

  • the Protocol Manager and the LDAP Adapter have the same ping port configuration (4444 by default).
  • the Protocol Manager is running on the port you are posting to (8080 by default) with no errors on the console.
  • navigating to http://127.0.0.1:8080/ on your browser returns a success message and the LDAP adapter.

7 Automatic Launching

In order to access Adapter resources from RunMyProcess, the Connector Agent, Protocol Manager and the required adapters must be running. You can create a script (shell script or bat file) to launch all resources. For example, in Windows, you can create a bat file that looks like this:

@echo off
cd %SECPATH%\sec-agent-manzanillo\bin
call start "Tunnel" runagent.bat
cd %SECPATH%\jetty7.6.11
start "Manager" java -jar start.jar
cd %SECPATH%\Adapters\LDAP
start "LDAPAdapter" java -jar unified-adapter_${version}.jar

Where version is the version of the unified adapter currently installed on your server.

Note: In the above example, the %SECPATH% environment variable points to the installation path of the SEC, and the Adapter is inside an Adapters folder in the SEC installation folder. We recommend you follow this best practice.