To use LDAP from ColdFusion, we use the cfldap tag. The action attribute of this tag selects the operation to perform on the LDAP directory:
Retrieve attribute values from a directory – action = "query"
Add an entry to a directory – action = "add"
Delete an entry from a directory – action = "delete"
Modify an entry, i.e. add, change or delete the value of an attribute – action = "modify"
Rename a directory entry – action = "modifyDN"
Querying an LDAP Directory using <cfldap> tag
The cfldap tag allows searching an LDAP directory, and the result returned can be treated as a query object. When querying an LDAP directory, we specify where to start the search using the start attribute and the search criteria using the filter attribute. The scope attribute limits the search scope. The default scope is one level below the DN specified in the start attribute, and it does not include the entry identified by the start attribute itself. It is possible to restrict the query to the start entry alone or to extend it to the entire subtree below the start entry. A search filter has the form attribute operator value. By default the filter is objectclass=*, which returns all entries in the scope. Various filter patterns can be provided, and Boolean operators can combine more than one condition. If the pattern contains a parenthesis, backslash, asterisk or null character, the corresponding escape sequence must be used for that character.
Examples:
filter = "o=*go*" – Organization names containing the string "go"
filter = "(&(o=google)(co=usa))" – Organization name is "google" and country is "usa"
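The escape sequences the text refers to are the RFC 4515 filter escapes. The following is an added Python illustration, not code from the original article; the attribute names o, co and uid are taken from the examples above and the input values are constructed:

```python
# Added example (not from the original article): RFC 4515 escaping for the
# characters the text lists, plus a small filter builder that applies it so
# that user-supplied text can never change the structure of the filter.

# Escape sequences required inside an LDAP search filter value (RFC 4515).
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a literal value so it is matched as text, not as filter syntax."""
    # Per-character mapping, so emitted escapes are never re-escaped.
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def and_filter(**criteria: str) -> str:
    """Build an AND filter such as (&(o=google)(co=usa)) from attribute=value pairs."""
    parts = "".join(
        f"({attr}={escape_filter_value(val)})" for attr, val in criteria.items()
    )
    # A single criterion needs no (&...) wrapper.
    return f"(&{parts})" if len(criteria) > 1 else parts


def contains_filter(attr: str, text: str) -> str:
    """Substring match like the article's o=*go*: the wildcards are ours, the text is literal."""
    return f"({attr}=*{escape_filter_value(text)}*)"


def uid_filter(user_name: str) -> str:
    """Filter for a login lookup: the submitted user name is treated as a literal."""
    return f"(uid={escape_filter_value(user_name)})"


if __name__ == "__main__":
    # Constructed inputs: an asterisk typed into a user name stays a literal.
    print(and_filter(o="google", co="usa"))   # (&(o=google)(co=usa))
    print(contains_filter("o", "go"))         # (o=*go*)
    print(uid_filter("smith*"))               # (uid=smith\2a)
```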
The sort attribute allows us to sort the returned query object. By default, ColdFusion returns the result in case-sensitive ascending order; the sortControl attribute can be used to sort in descending or case-insensitive order. The timeout and maxRows attributes help control performance by limiting the number of entries returned and by giving up after a time limit if the server does not respond. If we specify attributes="*", we get back all attributes; we can limit the attributes returned by the query by listing their names, such as sn, cn, etc.
Example of using LDAP in ColdFusion
Listing 1
<html>
<head>
<title>Login Demo</title>
</head>
<body>
<cfform name="demo" action="login.cfm" method="post">
<table>
<tr>
<td>User Name</td>
<td>
<cfinput type="text" name="userName"
id="userName">
</td>
</tr>
<tr>
<td>Password</td>
<td>
<cfinput type="password" name="password"
id="password"/>
</td>
</tr>
<tr>
<td colspan="2">
<cfinput type="submit" id="login" name="login"
value="Login" />
</td>
</tr>
</table>
</cfform>
</body>
</html>
<cfif IsDefined('form.login')>
<cfif IsDefined('form.userName')>
<cfif IsDefined('form.password')>
<cftry>
<!--- The user name comes straight from the request, so it is escaped with
      EncodeForLDAP (available in ColdFusion 11 and later) before it is placed
      in the filter; otherwise characters such as * ( ) \ in the input could
      change the meaning of the search. --->
<cfldap
server="hostname or IP address of the LDAP server"
action="query"
name="userAuthentication"
scope="subtree"
port="port number"
attributes="uid,userPassword"
returnAsBinary="userPassword"
filter="(uid=#EncodeForLDAP(form.userName)#)"
start="dc=curaspan,dc=local"/>
<cfcatch type="any">
<cfoutput>Error: #cfcatch.detail# #cfcatch.message#</cfoutput>
<cfabort>
</cfcatch>
</cftry>
<!--- This query only checks that an entry with the given uid exists;
      the submitted password is not verified against the directory here. --->
<cfif userAuthentication.recordcount eq 0>
<cfoutput>Sorry! Invalid User</cfoutput>
<cfelse>
<cfoutput>Login Successful</cfoutput>
</cfif>
</cfif>
</cfif>
</cfif>
In the above example, we have a form with user name and password fields. When the user enters values in those fields and clicks the submit button, the form is submitted and the LDAP server is queried for an entry whose uid matches the user name entered. In the server attribute of the cfldap tag we specify the address of the LDAP server, and in the port attribute the port number. If an entry is found, we output a "Login Successful" message; if the record count is 0, a "Sorry! Invalid User" message is displayed.