cfldap

Provides an interface to a Lightweight Directory Access Protocol
(LDAP) directory server, such as the Netscape Directory Server.

 <cfldap server="">

 cfldap(server="");

cfldap Attribute Reference

server string
Required

Host name or IP address of LDAP server.

port numeric
Default: 389

Port of the LDAP server (default 389).

username string

The User ID. Required if secure = "CFSSL_BASIC".

password string

Password that corresponds to user name.
If secure = "CFSSL_BASIC", V2 encrypts the password before
transmission.

action string
Default: query

* query: returns LDAP entry information only. Requires name,
start, and attributes attributes.
* add: adds LDAP entries to LDAP server. Requires attributes
attribute.
* modify: modifies LDAP entries, except distinguished name dn
attribute, on LDAP server. Requires dn. See modifyType attribute.
* modifyDN: modifies distinguished name attribute for LDAP
entries on LDAP server. Requires dn.
* delete: deletes LDAP entries on an LDAP server. Requires dn.
Values:
  • query
  • add
  • modify
  • modifyDN
  • delete

name string

Required if action = "Query"
Name of LDAP query. The tag validates the value.

timeout numeric
Default: 60000

Maximum length of time, in seconds, to wait for LDAP processing.

maxrows numeric

Maximum number of entries for LDAP queries.

start numeric

Required if action = "Query"
Distinguished name of entry to be used to start a search.

scope string
Default: onelevel

Scope of search, from entry specified in start attribute for
action = "Query".
* oneLevel: entries one level below entry.
* base: only the entry.
* subtree: entry and all levels below it.
Values:
  • onelevel
  • base
  • subtree

attributes string

Required if action = "Query", "Add", "ModifyDN", or "Modify".
For queries: comma-delimited list of attributes to return; specify
"*" to return all attributes.

If action = "add" or "modify", you can specify a list of update
columns. Separate attributes with a semicolon.

If action = "ModifyDN", CFML passes attributes to the
LDAP server without syntax checking.

returnasbinary string

CF 7+ A comma-delimited list of columns that are to
be returned as binary values.

filter string

Search criteria for action = "Query". Specify the filter in the
form "(attribute operator value)". Example: "(sn = Smith)"

sort string

Attribute(s) by which to sort query results. Use a comma
delimiter.

sortcontrol string
Default: asc

* nocase: case-insensitive sort
* asc: ascending (a to z) case-sensitive sort
* desc: descending (z to a) case-sensitive sort

You can enter a combination of sort types; for example,
sortControl = "nocase, asc".
Values:
  • nocase
  • asc
  • desc
  • nocase, desc
  • nocase, asc

dn string

Distinguished name, for update action. Example:
"cn = Bob Jensen, o = Ace Industry, c = US"

startrow numeric

Used with action = "query". First row of LDAP query to insert
into a CFML query.

modifytype string
Default: replace


How to process an attribute in a multi-value list.
* add: appends it to any attributes
* delete: deletes it from the set of attributes
* replace: replaces it with specified attributes

You cannot add an attribute that is already present or that is
empty.
Values:
  • add
  • delete
  • replace

rebind boolean
Default: false

* Yes: attempt to rebind the referral callback and reissue the query
at the referred address using the original credentials.
* No: referred connections are anonymous.
Values:
  • true
  • false

referral numeric

Number of hops allowed in a referral. A value of 0 disables
referred addresses for LDAP; no data is returned.

secure string

Security to employ, and required information. One option:
* CFSSL_BASIC

"CFSSL_BASIC" provides V2 SSL encryption
and server authentication.
Values:
  • CFSSL_BASIC

separator string
Default: , (a comma)

Delimiter to separate attribute values of multi-value
attributes. Used by query, add, and modify actions, and by
cfldap to output multi-value attributes.

For example, if separator = "$" (dollar sign), the attributes
attribute could be "objectclass = top$person", where the first value
of objectclass is top and the second value is person. This avoids
confusion if values include commas.
Values:
  • ,
  • ;
  • |
  • :

delimiter string
Default: ;

Separator between attribute name-value pairs. Use this
attribute if:

* the attributes attribute specifies more than one item, or
* an attribute contains the default delimiter (semicolon). For
example: mgrpmsgrejecttext;lang-en

Used by query, add, and modify actions, and by cfldap to output
multi-value attributes.

For example, if delimiter = "$" (dollar sign), you could specify
"cn = Double Tree Inn$street = 1111 Elm; Suite 100", where the
semicolon is part of the street value.
Values:
  • ,
  • ;
  • |
  • :
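The separator and delimiter attributes above describe the same name=value format from two sides. As an added example (not part of cfdocs or of the cfldap tag itself), the cfscript function below splits such an attributes string into a struct of attribute name to array of values, honouring a custom delimiter between name=value pairs and a custom separator between values; the function name and the sample string are constructed for this example, and the sample uses "$" as delimiter and "|" as separator so that a semicolon and a comma can appear literally inside values.

```cfml
// Added example, not from cfdocs: parse a cfldap-style attributes string into
// a struct of attribute name => array of values. The delimiter sits between
// name=value pairs and the separator between the values of one attribute; the
// defaults match the tag's own defaults (";" and ",").
function parseLdapAttributes(required string attrs, string delimiter = ";", string separator = ",") {
    var result = {};
    // listToArray skips empty elements by default, so a trailing delimiter is harmless.
    var pairs = listToArray(arguments.attrs, arguments.delimiter);
    for (var pair in pairs) {
        // Only the first "=" separates name from value; any later "=" belongs to the value.
        var eq = find("=", pair);
        if (eq <= 1) continue;   // no "=" at all, or an empty attribute name
        var name = trim(left(pair, eq - 1));
        var rawValue = trim(listRest(pair, "=", true));
        var values = [];
        for (var v in listToArray(rawValue, arguments.separator)) {
            arrayAppend(values, trim(v));
        }
        result[name] = values;
    }
    return result;
}

// Constructed sample: "$" separates the pairs and "|" separates multiple values,
// so the semicolon in street and the comma in description stay part of the value.
sample = "objectclass = top|person$cn = Double Tree Inn$street = 1111 Elm; Suite 100$description = Hotel, downtown";
parsed = parseLdapAttributes(sample, "$", "|");
writeDump(parsed);
```

With the constructed sample, objectclass comes back as a two-element array while street and description each hold a single value with their punctuation intact; passing the same delimiter and separator to cfldap keeps the tag and this parser in agreement.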

clientcert string

CF 11+ A file path to a client certificate.

clientcertpassword string

CF 11+ The password for the client certificate file.

usetls boolean
Default: false

CF 11+ Indicates that the connection should be made using transport layer security.

Examples: sample code using the cfldap tag


Lookup a User in Active Directory Example

This example gets the user's data from Active Directory and displays a thumbnail image stored in Active Directory.

<!--- Users normally sit in OUs below the domain root, so search the whole
      subtree (the default scope is onelevel). thumbnailPhoto is binary, so it
      must be requested with returnasbinary for binaryEncode to accept it. --->
<cfldap
	server="ServerName"
	port=636
	action="QUERY"
	name="qLDAP"
	secure="CFSSL_BASIC"
	username="mydomain\#ldapUsername#"
	password="#ldapPassword#"
	start="dc=MYDOMAIN,dc=MYTLD"
	scope="subtree"
	attributes="cn,userPrincipalName,title,mail,thumbnailPhoto"
	returnasbinary="thumbnailPhoto"
	filter="(sAMAccountName=#username#)">

<cfoutput><img src="data:image/jpeg;base64,#binaryEncode(qLDAP.thumbnailPhoto,"Base64")#" /></cfoutput>

Script Syntax to Authenticate a User via Active Directory

This is an example of using cfldap to authenticate a user against an Active Directory server. The server or domain CA certificate must be imported into the cacerts Java keystore for secure="CFSSL_BASIC" to work.

// Bind with the user's own credentials; cfldap throws if the directory
// rejects the bind, so reaching the recordCount check means they were accepted.
cfldap(
	server = "ServerName",
	port = 636,
	action = "QUERY",
	name = "qLDAPLookup",
	secure = "CFSSL_BASIC",
	username = "MYDOMAIN\#arguments.username#",
	password = arguments.password,
	start = "dc=MYDOMAIN,dc=MYTLD",
	scope = "subtree",   // default scope is onelevel, which would miss users in OUs
	attributes = "cn,userPrincipalName,title,mail",
	timeout = 10,
	filter = "(sAMAccountName=#arguments.username#)"
);

if (qLDAPLookup.recordCount) {
	userAuthenticated = true;
}
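The filter attribute documented above and the authentication script just shown both build an LDAP filter by interpolating a user-supplied name. As an added example (not part of cfdocs or of the cfldap tag), the code below escapes that value per RFC 4515 before it enters the filter, so that characters such as "*", "(", ")" and "\" typed by a user are matched literally, and wraps the bind in a function that refuses an empty password and treats a rejected bind as a failed login rather than an application error. ServerName, MYDOMAIN and MYTLD are the page's own placeholders; the function names ldapFilterEscape and authenticateUser are assumptions for this example.

```cfml
// Added example, not from cfdocs: escape a value per RFC 4515 before it is
// interpolated into the cfldap filter attribute.
function ldapFilterEscape(required string value) {
    var result = arguments.value;
    // Backslash first; otherwise the backslashes introduced below would be escaped again.
    result = replace(result, "\", "\5c", "all");
    result = replace(result, "*", "\2a", "all");
    result = replace(result, "(", "\28", "all");
    result = replace(result, ")", "\29", "all");
    result = replace(result, chr(0), "\00", "all");
    return result;
}

// Authenticate a user by binding with their own credentials, as in the script
// example above. ServerName, MYDOMAIN and MYTLD are placeholders.
function authenticateUser(required string username, required string password) {
    // A simple bind with an empty password is treated as an anonymous
    // (unauthenticated) bind by many directory servers (RFC 4513 section 5.1.2),
    // so it must never count as a successful login.
    if (!len(arguments.password)) {
        return false;
    }
    var safeUser = ldapFilterEscape(arguments.username);
    var qLDAPLookup = "";
    try {
        cfldap(
            server = "ServerName",
            port = 636,
            action = "QUERY",
            name = "qLDAPLookup",
            secure = "CFSSL_BASIC",
            username = "MYDOMAIN\#arguments.username#",
            password = arguments.password,
            start = "dc=MYDOMAIN,dc=MYTLD",
            scope = "subtree",   // users usually live in OUs below the domain root
            attributes = "cn,userPrincipalName,mail",
            timeout = 10,
            filter = "(sAMAccountName=#safeUser#)"
        );
    } catch (any e) {
        // cfldap throws when the directory rejects the bind (wrong password,
        // locked account); that is an authentication failure, not an app error.
        return false;
    }
    // The bind succeeded; additionally require exactly one matching entry.
    return qLDAPLookup.recordCount == 1;
}
```

The escaping only covers the filter string: the username is also sent as the bind name, where a different syntax applies, and the directory itself decides whether that bind is valid. Requiring recordCount == 1 rather than a non-zero count makes a filter that somehow matched several entries fail closed.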
