DataLayer.LDAP
The Lightweight Directory Access Protocol (LDAP) is an application protocol for reading and editing hierarchical sets of records over a network. Common implementations include user information and directory services. This topic introduces the developer to the DataLayer.LDAP element, which allows Logi applications to retrieve data from LDAP servers.
This element is not available in Logi Report.
Attributes
The DataLayer.LDAP element has the following attributes:
Attribute | Description |
---|---|
ID | (Required through v10.1.46) The unique element ID. |
Source | (Required) Specifies a query statement using a SQL-like syntax that returns a rowset of LDAP records, such as users, rights, groups, devices and other collections available from the LDAP server. See the LDAP Query Syntax sections below for more information. |
Connection ID | The ID of a Connection.LDAP element defined in the _Settings definition. If this value is left blank, the datalayer will try to use the first connection element in the _Settings definition. For clarity, developers are advised to enter an ID here in all cases. |
Working with DataLayer.LDAP
The datalayer receives and caches the results returned by the LDAP query statement. You can add child elements beneath the datalayer to affect the results, including:
- Filtering: Sort, group, or restrict the result data
- Joining: Apply SQL-like JOINs to the data in the datalayer
- Extending: Add virtual columns to the datalayer that contain aggregated, calculated, or totaled result values
- Securing: Limit access to the data using Logi security
- Linking: Make the results reusable elsewhere in your report definitions
The use of many of these elements is described in separate DevNet documents.
Data retrieved into the datalayer is cached in XML format, in memory and/or on the web server's file system. This process is discussed in The Logi Server Engine and may be of interest to developers working with extremely large datasets or large numbers of concurrent users.
The data retrieved with a datalayer is available using @Data tokens, in the format @Data.ColumnName~. The spelling of the column name is case-sensitive. The data is only available within the scope of the parent element of the datalayer, not throughout the entire report definition. The DataLayer.Linked element can be used to make the data reusable in another datalayer outside this scope.
In Logi Info, the Auto Columns element can be used to quickly display in your report all the data in a datalayer.
Use with Logi Security
In order to authenticate users against an LDAP server, use the DataLayer.LDAP-Auth element.
When Logi Security is being used, DataLayer.LDAP can be used to retrieve user rights from an LDAP server:
As shown above, DataLayer.LDAP is added as a child of the Rights From DataLayer element, and its attributes configured as shown. The syntax for the Source attribute value follows the rules described in the next sections, and includes the token containing the identifying value for the current user, for example:
SELECT cn FROM 'dc=example,dc=com' WHERE objectClass ='group'
AND member = '@Function.UserName~'
LDAP Query Syntax for .NET
The LDAP syntax supported in Logi products for .NET applications is similar to that of SQL. The basic keywords are:
Keyword | Description |
---|---|
SELECT | Specifies a comma-separated list of attributes to be retrieved for each object. If you specify *, the query retrieves only the Distinguished Name (DN) of each object, not all of its attributes. All other "column" operations of the type found in SQL queries (functions, AS, expressions, etc.) are not available. |
FROM | Specifies the DN of the object of the search. For example, the DN of the "Users" container in an Active Directory domain might be 'cn=Users,dc=MassiveDynamic,dc=com'. Note that the DN of the object of the search is enclosed in a pair of single quotation marks ('). |
WHERE | Specifies search filter expressions; multiple expressions may be strung together using AND and OR. Expressions only support these basic operators: = Equal to. The SQL "LIKE" operator is not supported. The alternative is: [column] = '*SomeText*'. |
Query examples:
List all users:
SELECT uid,postalAddress,mobile,mail,givenName,sn,cn FROM 'dc=example,dc=com' WHERE objectClass='Person'
List all groups:
SELECT description, cn FROM 'dc=example,dc=com' WHERE objectClass = 'groupOfUniqueNames'
List all groups with users:
SELECT uniqueMember, cn FROM 'dc=example,dc=com' WHERE objectClass = 'groupOfUniqueNames'
List all users for group "Developers":
SELECT uniqueMember FROM 'dc=example,dc=com' WHERE objectClass = 'groupOfUniqueNames' AND cn = 'Developers'
List all groups with user "user.0":
SELECT cn FROM 'dc=example,dc=com' WHERE objectClass ='groupOfUniqueNames' AND uniqueMember = '*uid=user.0*'
List all users in "Technical Group" Organizational Unit in Active Directory:
SELECT ADsPath,o,ou,objectclass,mail,name FROM 'ou=Technical Group,ou=Staff,dc=example,dc=com'
List all groups with user matching @Request token value:
SELECT cn FROM 'dc=LogiAnalytics,dc=com' WHERE objectClass = 'groupOfUniqueNames'
AND uniqueMember ='*uid=@Request.rdUsername~*'
As shown in the last example, you may use tokens, such as @Request and @Session, inside of the LDAP query to control the result set. Attribute values are stored with case intact in LDAP structures, but searches against them are case-insensitive by default. Certain attributes (like password) may be case-sensitive when searching.
LDAP Query Syntax for Java
The LDAP syntax supported in Logi products for Java applications is similar to that of SQL. The basic keywords are:
Keyword | Description |
---|---|
SELECT | Specifies a comma-separated list of attributes to be retrieved for each object and can include "*" to retrieve all attributes. All other "column" operations of the type found in SQL queries (functions, AS, expressions, etc.) are not available. |
FROM | Specifies the scope of the search. Values can include: objectScope; - a search of the base object only. Scope values must end with a semi-colon. Note that the base DN of the object of the search is configured in the Connection.LDAP element's Base DN attribute. |
WHERE | Specifies search filter expressions; multiple expressions may be strung together using AND and OR. Expressions only support these basic operators: = Equal to. The SQL "LIKE" operator is also supported, e.g. [column] = LIKE '%SomeText%'. |
Query example (also see .NET examples above, which only differ in regard to the FROM clause):
SELECT cn FROM subTreeScope; WHERE objectClass = 'groupOfUniqueNames' AND uniqueMember = '*uid=@Request.rdUsername~*'
As shown in the example, you may use tokens, such as @Request and @Session, inside of the LDAP query to control the result set. Attribute values are stored with case intact in LDAP structures, but searches against them are case-insensitive by default. Certain attributes (like password) may be case-sensitive when searching.
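The .NET and Java token examples both place a request-supplied value (@Request.rdUsername~) inside a WHERE expression in which `*` acts as a wildcard. The following is an added example in Python, not Logi code or part of the original page: it applies an allow-list check to such a value before it reaches the query and shows RFC 4515 escaping for code that builds raw LDAP filters. It assumes tokens are substituted textually, which this page does not state; the username policy and all function names are hypothetical.

```python
import re

# RFC 4515 section 3: characters that must be escaped in a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Hypothetical account-name policy: adjust to the directory's real naming rules.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Matches tokens written the way the page writes them, e.g. @Request.rdUsername~
_TOKEN_RE = re.compile(r"@Request\.(\w+)~")


def escape_filter_value(value: str) -> str:
    """Escape a value for a raw LDAP search filter, one character at a time."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def validate_username(value: str) -> str:
    """Return the value unchanged if it is a plain account name, else raise."""
    if not _USERNAME_RE.fullmatch(value):
        raise ValueError(f"rejected request value: {value!r}")
    return value


def render_query(template: str, request: dict) -> str:
    """Substitute @Request tokens textually (assumed behaviour), validating each."""
    return _TOKEN_RE.sub(
        lambda m: validate_username(request.get(m.group(1), "")), template
    )


# Query text taken from the page's last .NET example.
TEMPLATE = (
    "SELECT cn FROM 'dc=LogiAnalytics,dc=com' "
    "WHERE objectClass = 'groupOfUniqueNames' "
    "AND uniqueMember ='*uid=@Request.rdUsername~*'"
)

if __name__ == "__main__":
    # Constructed sample request values, not taken from any real system.
    for sample in ["user.0", "*", "o'brien", "a)(b"]:
        try:
            print(render_query(TEMPLATE, {"rdUsername": sample}))
        except ValueError as exc:
            print(exc)
```

A value that passes the check can still name a different user than the one logged in; the rights query earlier on the page uses @Function.UserName~ rather than a request value.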