URL: http://aspalliance.com/articleViewer.aspx?aId=1771&pId=-1
Advanced LDAP
by Debjani Mallick

Introduction

In my last article on LDAP, I briefly discussed what LDAP is and how it can be used in ColdFusion with the CFLDAP tag, along with an example of querying a directory.

Manipulating LDAP Directories

As pointed out in my previous article, using the CFLDAP tag provided in ColdFusion we can add, modify and delete entries, as well as attributes, in an LDAP directory.

Adding an Entry

To add an entry to the LDAP directory, we need to specify the entry's distinguished name (DN). We also need to specify the entry's object class along with all of its required attributes, and we may also specify optional attributes.

Suppose that we have a form with inputs for the details of the entry that is to be added to the LDAP directory. When the form is submitted, we can retrieve the form data and build the attribute list variable for the entry from it, as shown below.

Listing 1

<cfset attributeList="objectclass=the object class of the entry; ou=organizational unit; uid=the id of the entry; cn=the full name for the entry; sn=the surname of the entry; mail=entry's email id;">
<cfldap action="add"
attributes="#attributeList#"
dn="the distinguished name for the entry"
server="LDAP server name"
username="username to access the server"
password="password to access the server">

Updating an Entry

Using the CFLDAP tag, we can modify the values of an entry's attributes. To do this, we specify the DN of the entry in the dn attribute and list the attributes whose values we want to change, along with their new values.

Suppose we want to modify the common name, surname and email of an entry. We set the attribute list as below.

Listing 2

<cfset attributeList="cn=the full name for the entry; sn=the surname of the entry; mail=entry's email id;">
<cfldap action="modify"
modifytype="replace"
attributes="#attributeList#"
dn="the distinguished name for the entry"
server="LDAP server name"
username="username to access the server"
password="password to access the server">

Deleting an Entry

To delete an entry from an LDAP directory, we need to specify only the DN of the entry.

Listing 3

<cfldap action="delete"
dn="the distinguished name for the entry"
server="LDAP server name"
username="username to access the server"
password="password to access the server">

Adding attributes to an Entry

Using the CFLDAP tag we can add multiple attributes in a single statement by separating the attributes with semicolons in the attribute string. The syntax is:

Listing 4

attributes="attribute name1=attribute value1;attribute name2=attribute value2"

It is also possible to change the character used to separate the values of a multivalued attribute and the character used to separate attributes when a string contains several of them (see "Specifying an attribute containing commas or semicolons" below). To add attributes, the modify type must be specified as "add".

Listing 5

<cfldap action="modify"
modifytype="add"
attributes="attributes list to add"
dn="the distinguished name for the entry"
server="LDAP server name"
username="username to access the server"
password="password to access the server">

Deleting attributes from an Entry

The same rule applies to deleting attributes as to adding them. The syntax for specifying multiple attributes is:

Listing 6

attributes="attribute name1;attribute name2"

Keep in mind that an attribute of an entry can only be deleted if the directory schema lists it as an optional attribute for the entry's object class.

Listing 7

<cfldap action="modify"
modifytype="delete"
attributes="attributes list to delete"
dn="the distinguished name for the entry"
server="LDAP server name"
username="username to access the server"
password="password to access the server">

Changing a directory entry's DN

To change the DN of an entry, the syntax is:

Listing 8

<cfldap action="modifyDN"
modifytype="add"
attributes="dn=the new distinguished name for the entry"
dn="the original distinguished name for the entry"
server="LDAP server name"
username="username to access the server"
password="password to access the server">

The new DN and the entry's attributes must conform to the directory schema, so it is not possible to move entries arbitrarily within the directory tree. Only a leaf entry can be modified in this way.

Specifying an attribute containing commas or semicolons

LDAP attribute values can contain commas or semicolons. By default, a comma separates the values of a multivalued attribute and a semicolon separates the attributes in an attribute list. To override the default delimiter and separator characters, use the "delimiter" and "separator" attributes of CFLDAP.

For example, to add the attributes specified below:

Listing 9

cn=NamePart1, NamePart2, and NamePart3
description=DescPart1; DescPart2

Use the CFLDAP tag in the following way:

Listing 10

<cfldap action="modify"
modifytype="add"
attributes="cn=NamePart1, NamePart2, and NamePart3: description=DescPart1; DescPart2"
dn="the distinguished name for the entry"
separator="&"
delimiter=":"
server="LDAP server name"
username="username to access the server"
password="password to access the server">
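The attribute strings used in Listing 1 and Listing 10 are built from form data, so a value that happens to contain the pair delimiter would be read as an extra attribute. The following is an added example, not code from the article or from ColdFusion: it builds an attribute string from a dictionary of values, picks a delimiter and separator that occur in none of the values, and parses the string back the way the article describes the tag reading it. Only the default splitting rules described above are modelled; the real cfldap tag is not invoked.

```python
# Added example, not code from the article: build and parse CFLDAP-style
# attribute strings. Splitting rules follow the article's description of the
# tag's defaults (";" between name=value pairs, "," between values of a
# multi-valued attribute); the real cfldap tag is not invoked here.
from typing import Dict, List, Tuple

DEFAULT_DELIMITER = ";"   # cfldap "delimiter": between name=value pairs
DEFAULT_SEPARATOR = ","   # cfldap "separator": between values of one attribute
CANDIDATES = ";,:&|#~^"   # alternative characters tried when a default is unsafe


def choose_char(values: List[str], preferred: str, avoid: str = "") -> str:
    """Return `preferred` if it occurs in no value, else the first candidate
    absent from every value and different from `avoid`."""
    for ch in preferred + CANDIDATES:
        if ch != avoid and all(ch not in v for v in values):
            return ch
    raise ValueError("no safe delimiter/separator character available")


def build_attribute_string(attrs: Dict[str, List[str]]) -> Tuple[str, str, str]:
    """Return (attribute_string, delimiter, separator) for a cfldap call.
    A value that contains the pair delimiter would be split into an extra
    attribute, so both characters are chosen to be absent from all values."""
    for name in attrs:
        if not name.replace("-", "").isalnum():   # plain LDAP attribute names only
            raise ValueError(f"invalid attribute name: {name!r}")
    values = [v for vs in attrs.values() for v in vs]
    delimiter = choose_char(values, DEFAULT_DELIMITER)
    separator = choose_char(values, DEFAULT_SEPARATOR, avoid=delimiter)
    pairs = [f"{name}={separator.join(vs)}" for name, vs in attrs.items()]
    return delimiter.join(pairs), delimiter, separator


def parse_attribute_string(text: str, delimiter: str = DEFAULT_DELIMITER,
                           separator: str = DEFAULT_SEPARATOR) -> Dict[str, List[str]]:
    """Model of how the tag reads its string: split pairs on `delimiter`, then
    each value list on `separator`; a trailing delimiter (Listing 1) is ignored."""
    parsed: Dict[str, List[str]] = {}
    for pair in text.split(delimiter):
        if not pair.strip():
            continue
        name, _, value = pair.partition("=")
        parsed[name.strip()] = [v.strip() for v in value.split(separator)]
    return parsed


if __name__ == "__main__":
    # Constructed values from the article's Listing 9: cn holds commas and
    # description holds a semicolon, so the defaults cannot be used.
    text, d, s = build_attribute_string({
        "cn": ["NamePart1, NamePart2, and NamePart3"],
        "description": ["DescPart1; DescPart2"]})
    print(f'attributes="{text}" delimiter="{d}" separator="{s}"')
```

For the Listing 9 values the builder arrives at the same choice the article makes in Listing 10, delimiter ":" and separator "&".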

Using the result of CFLDAP

It is possible to build a searchable Verity collection from LDAP data. We can also generate queries from other queries when cfldap queries return complex data.

Viewing a directory schema

In LDAP v3, a special entry under the directory root contains information about the directory schema. The directory root's subschemaSubentry attribute gives the location of this entry.

Referrals

One important feature of an LDAP database is that it can be distributed over multiple servers. If we query a server for information that it does not hold, the LDAP v3 standard lets the server return a referral to the client, containing information about an alternate server. ColdFusion takes advantage of this mechanism by handling referrals automatically: if the referral attribute of the CFLDAP tag has a non-zero value, ColdFusion automatically sends the request to the server specified in the referral.

The value of this attribute determines the number of referrals allowed for a request, and the right value depends on factors such as the importance of response speed, the topology of the distributed LDAP directory and the importance of a complete response. For example, if the value is 1, and server A sends a referral to server B, which then sends a referral to server C, ColdFusion returns an error. If the value is 2, the same scenario does not give an error, and ColdFusion returns the requested data if it is found on server C. The rebind attribute of the CFLDAP tag also plays a role here: it specifies whether the CFLDAP tag's login information is used in the request to the new server.
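The following is an added example, not code from the article or from ColdFusion, that models the referral counting and rebind behaviour described above. The servers, DN and service account name are constructed for the demo; no LDAP traffic is sent. The returned trace lists which servers were contacted and which of them received the login information, which is the part a defender wants to see before enabling rebind.

```python
# Added example, not code from the article: a small model of the referral
# handling described above. Servers, DNs and credentials are constructed for
# the demo; nothing talks to a real LDAP server.
from typing import Dict, List, Optional, Tuple

# Constructed topology: A refers to B, B refers to C, C holds the entry.
SERVERS: Dict[str, Dict[str, tuple]] = {
    "A": {"uid=alice,ou=people,dc=example,dc=com": ("referral", "B")},
    "B": {"uid=alice,ou=people,dc=example,dc=com": ("referral", "C")},
    "C": {"uid=alice,ou=people,dc=example,dc=com": ("entry", {"cn": "Alice"})},
}


class ReferralLimitExceeded(Exception):
    """Raised where the article says ColdFusion returns an error."""


def lookup(start: str, dn: str, referral: int = 0, rebind: bool = False,
           username: str = "svc-account", servers=SERVERS
           ) -> Tuple[Optional[dict], List[Tuple[str, Optional[str]]]]:
    """Follow referrals for `dn` starting at server `start`.

    `referral` is the maximum number of referrals to follow (the cfldap
    attribute); `rebind` says whether the tag's login information is sent to
    each referred server. Returns (entry attributes or None, binds), where
    binds lists every server contacted with the username sent to it, so the
    trace shows where the credentials travelled."""
    binds: List[Tuple[str, Optional[str]]] = [(start, username)]
    server, hops = start, 0
    while True:
        kind, payload = servers[server].get(dn, ("missing", None))
        if kind == "entry":
            return payload, binds
        if kind == "missing":
            return None, binds
        hops += 1
        if hops > referral:   # one referral more than the attribute allows
            raise ReferralLimitExceeded(f"{hops} referrals needed, {referral} allowed")
        server = payload
        binds.append((server, username if rebind else None))


if __name__ == "__main__":
    dn = "uid=alice,ou=people,dc=example,dc=com"
    entry, trace = lookup("A", dn, referral=2, rebind=True)
    print(entry, trace)
```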

Managing LDAP Security

LDAP security consists of server security and application security.

Server Security

The CFLDAP tag supports Secure Sockets Layer (SSL) v2 security, which provides certificate-based validation of the LDAP server. It also encrypts the data transferred between the ColdFusion server and the LDAP server, ensuring the integrity of the data passed between them.

The client side of the SSL communication is provided by ColdFusion MX using the Java Naming and Directory Interface (JNDI), the LDAP provider and an SSL package; the server side is provided by the LDAP server. The LDAP server that the CFLDAP tag tries to connect to holds an SSL server certificate that is "signed" by a trusted authority, which authenticates the sender. During the initial stage of the SSL connection, the LDAP server presents its server certificate to the client; the client allows the SSL connection if it trusts the certificate, and communication can then begin. Whether to trust a server is determined by comparing the server's certificate with the information in the jre/lib/security/cacerts keystore of the JRE used by ColdFusion MX. The information in this file can be updated. Once the connection is established, the login credentials specified in the username and password attributes of the CFLDAP tag are presented. If the login credentials are valid, ColdFusion can access the directory.

To specify SSL v2 security, set the secure attribute of the CFLDAP tag to "cfssl_basic".

Listing 11

<cfldap action="modify"
modifytype="add"
attributes="list of attributes"
dn="distinguished name"
server="LDAP server name"
username="username to access the server"
password="password to access the server"
secure="cfssl_basic"
port="636">

The port attribute specifies the server port used for secure LDAP communications, for which the conventional value is 636. If it is not specified, ColdFusion attempts to connect to the default, non-secure LDAP port 389.

Application Security

To ensure application security, outsiders must be prevented from gaining access to the passwords used in CFLDAP tags. This can be done by supplying the username and password attributes of the CFLDAP tag from variables set on an encrypted application page.

Conclusion

This article has covered the advanced topics related to manipulating an LDAP directory and how to manage the security of LDAP directories.

By Debjani Mallick

References

Using LDAP in ColdFusion
