LDAP +

This module provides powerful LDAP (Lightweight Directory Access Protocol) capabilities to the BoxLang language, making it easy to query, modify, and manage directory services with minimal code.

✨ Features

• 🔍 Query: Search LDAP directories with filters, scopes, and pagination

• ➕ Add: Create new directory entries with multi-valued attributes

• ✏️ Modify: Update existing entries (replace/add/delete attributes)

• 🗑️ Delete: Remove directory entries

• 🔄 ModifyDN: Rename entries or move within directory tree

• 🔒 Secure: SSL/TLS support with certificate validation

• 🔑 Authentication: Simple bind and anonymous access

• 🎯 Flexible Filtering: Complex LDAP filters with boolean logic

• 📄 Pagination: Handle large result sets efficiently

• 🔌 Connection Pooling: Automatic connection management

• 🏢 Enterprise Grade: Built and Supported by Ortus Solutions

📦 Installation

Requirements

• BoxLang 1.6+

• Access to an LDAP server (Active Directory, OpenLDAP, etc.)

Install via CommandBox

If you are using CommandBox for your web applications, simply run:

Install via BoxLang OS Binary

If you are using the BoxLang OS Binary, simply run:

The module will automatically register and be available as bxldap in your BoxLang applications.

🚀 Quick Start

Here's how to query an LDAP directory in just a few lines:

That's it! 🎉 You now have LDAP query results in a BoxLang Query object.

🔧 LDAP Actions

The module supports seven core operations:

🔍 Query

Search the directory with filters, scopes, and attribute selection.

• Use Case: Find users, groups, or any directory objects

• Returns: BoxLang Query object with results (contains matched LDAP entries as rows with their attributes as columns)

• Features: Filtering, sorting, pagination, scope control

• Empty Results: Returns a Query with recordCount=0 if no entries match (no exception thrown)

➕ Add

Create new entries in the directory.

• Use Case: Add new users, groups, organizational units

• Supports: Multi-valued attributes, all attribute types

• Returns: Boolean true on success

• Error Handling: Throws exception if entry already exists or DN is invalid

✏️ Modify

Update existing directory entries.

• Use Case: Update user information, group memberships

• Operations: Replace, add, or delete attributes

• Returns: Boolean true on success

• Flexibility: Modify multiple attributes in one operation

• Error Handling: Throws exception if entry does not exist or modification type is invalid

🗑️ Delete

Remove entries from the directory.

• Use Case: Delete obsolete users, groups, or objects

• Returns: Boolean true on success

• Safety: Validates entry exists before deletion (throws exception if not found)

• Note: Cannot delete entries with children (delete children first)

• Error Handling: Throws exception if entry has subordinate entries or does not exist

🔄 ModifyDN

Rename entries or move them within the directory tree.

• Use Case: Rename users, reorganize directory structure

• Returns: Boolean true on success

• Operations: Rename (change RDN) or move to different parent

• Flexibility: Supports both rename and move operations

• Error Handling: Throws exception if new DN is invalid or already exists

🔓 Open

Create and store a named connection for reuse across multiple operations.

• Use Case: Establish a connection with credentials that can be reused without repetition

• Required Attributes: connection (connection name), server, plus authentication details

• Returns: Connection object if result attribute is specified, otherwise ignored

• Benefits: Simplifies multi-operation workflows by eliminating credential repetition

• Note: Connection remains open until explicitly closed or application terminates

🔐 Close

Close and release a named connection.

• Use Case: Explicitly close a named connection to free resources

• Required Attributes: connection (connection name to close)

• Returns: Boolean true on success

• Benefits: Allows proper resource management for long-running applications

• Note: Once closed, connection can be reopened with same name if needed

📚 Component Reference

🔐 <bx:ldap> Component

The main component for all LDAP operations.

Core Attributes

Authentication Attributes

Query-Specific Attributes

Modify-Specific Attributes

Add-Specific Attributes

Delete-Specific Attributes

ModifyDN-Specific Attributes

💡 Examples

Basic Examples

🔍 Simple Query

Find all users in a directory:

💡 Use Case: Quick directory lookup to list all users.

🔎 Filtered Search

Search for a specific user:

💡 Use Case: User lookup with specific attributes for profile display.

➕ Add New User

Create a new directory entry:

💡 Use Case: User registration or bulk user import.

✏️ Modify User

Update an existing entry:

💡 Use Case: Profile updates, contact information changes.

🗑️ Delete User

Remove an entry from the directory:

💡 Use Case: Account deactivation, cleanup of obsolete entries.

🔄 Rename User

Change an entry's RDN (Relative Distinguished Name):

💡 Use Case: Username changes, standardizing naming conventions.

Connection Management Examples

🔌 Define and Reuse Named Connections

Create a named connection once and reuse it across multiple operations:

💡 Use Case: Simplifies code when performing multiple LDAP operations. Credentials are passed once, then the connection is reused by its name.

🔓 Explicitly Open a Named Connection

Establish a connection with the open action for later reuse:

💡 Use Case: Use open when you need explicit connection lifecycle management. Useful in microservices or long-running applications.

🔐 Close a Named Connection

Explicitly close a connection to free resources:

💡 Use Case: Important for resource management in applications that maintain many connections or run for extended periods.

Advanced Examples

🔍 Complex Filter Query

Use advanced LDAP filter syntax:

💡 Use Case: Department reporting, audit queries, compliance checks.

Filter Operators:

• & - AND (all conditions must match)

• | - OR (any condition matches)

• ! - NOT (negation)

• = - Equals

• >= - Greater than or equal

• <= - Less than or equal

• =* - Presence check (attribute exists)

• =value* - Starts with

• =*value - Ends with

• =*value* - Contains

📄 Paginated Query

Handle large result sets efficiently:

💡 Use Case: User management interfaces, large directory browsing.

� Query Results as Array

Return results as an array of structs instead of a Query object:

💡 Use Case: JSON API responses, data transformation, modern data handling patterns.

Supported Formats:

• "query" - Returns BoxLang Query object (default) - good for compatibility with traditional CFML patterns

• "array" - Returns Array of Structs - better for JSON APIs and modern applications

�🔒 SSL/TLS Secure Connection

Connect securely with SSL:

💡 Use Case: Production environments, sensitive data access, compliance requirements.

🔐 Mutual TLS Authentication

Use client certificates for authentication:

💡 Use Case: High-security environments, API integrations, service accounts.

➕ Add Entry with Multiple Values

Create an entry with multi-valued attributes:

💡 Use Case: Group management, access control lists, distribution lists.

✏️ Add Attribute Values

Add values to existing multi-valued attributes:

💡 Use Case: Group membership management, role assignments.

🗑️ Delete Attribute Values

Remove specific values from multi-valued attributes:

💡 Use Case: Membership revocation, access control updates.

🔄 Move Entry to Different OU

Move an entry to a different organizational unit:

💡 Use Case: Organizational restructuring, employee status changes.

⚠️ Error Handling

Understanding Empty Results

Important: LDAP queries return empty Query objects (recordCount=0) instead of throwing exceptions when:

• Entry does not exist

• Filter matches no entries

• Insufficient permissions (sometimes)

• Entry was deleted

Exception Handling

Handle connection and operation errors:

Common Error Scenarios

🎯 Best Practices

Security

• ✅ Always use SSL/TLS in production (secure="true")

• ✅ Never hardcode credentials - use environment variables or secure vaults

• ✅ Use least privilege - bind with minimum required permissions

• ✅ Validate user input - sanitize filter parameters to prevent LDAP injection

• ✅ Implement connection timeouts - prevent hanging operations

• ✅ Use service accounts - dedicated accounts for application access

• ✅ Rotate passwords regularly - follow security policies

• ✅ Log security events - audit all modify/add/delete operations

Performance

• ✅ Use specific filters - narrow searches with precise LDAP filters

• ✅ Limit attribute retrieval - only request needed attributes

• ✅ Implement pagination - use maxrows and startRow for large result sets

• ✅ Choose appropriate scope - use "base" or "onelevel" when possible

• ✅ Cache results - cache frequently accessed data

• ✅ Use indexed attributes - filter on indexed attributes for speed

• ✅ Connection pooling - automatically handled by Apache Directory API

Filter Optimization

• ✅ Put most restrictive filters first - in AND operations

• ✅ Use equality over substring - (uid=jdoe) faster than (uid=*jdoe*)

• ✅ Avoid leading wildcards - (cn=John*) faster than (cn=*John)

• ✅ Combine filters efficiently - use (&(attr1=val1)(attr2=val2)) not multiple queries

Directory Structure

• ✅ Follow DN conventions - consistent naming schemes

• ✅ Use organizational units - logical grouping (ou=users, ou=groups)

• ✅ Plan DN hierarchy - consider future growth and reorganization

• ✅ Document schema - maintain documentation of custom attributes

📢 Event Handling

The LDAP module announces events at key points in the connection lifecycle, allowing you to monitor, audit, and react to connection operations. These events are dispatched through BoxLang's interception system.

Available Events

onLDAPConnectionOpen

Announced when an LDAP connection is successfully opened (either new or from pool).

Event Payload:

Example Interceptor:

onLDAPConnectionClose

Announced when an LDAP connection is closed or removed from the pool.

Event Payload:

Example Interceptor:

Connection Monitoring Example

Create an interceptor to monitor all connection lifecycle events:

❓ Troubleshooting

Connection Issues

Problem: Cannot connect to LDAP server.

Solutions:

• ✅ Verify server hostname and port (389 standard, 636 SSL)

• ✅ Check firewall rules allow LDAP traffic

• ✅ Test connectivity with telnet ldap.example.com 389

• ✅ Verify DNS resolution of hostname

• ✅ Check LDAP server is running and accepting connections

• ✅ Review LDAP server logs for connection attempts

Authentication Failures

Problem: Invalid credentials or bind failure.

Solutions:

• ✅ Verify bind DN format: cn=admin,dc=example,dc=org

• ✅ Confirm password is correct (no extra spaces)

• ✅ Check if account is locked or disabled

• ✅ Verify user has appropriate permissions

• ✅ For Active Directory: use [email protected] or DOMAIN\user format

• ✅ Test credentials with LDAP browser tool (Apache Directory Studio)

Query Returns No Results

Problem: Query completes but returns 0 results.

Solutions:

• ✅ Verify start DN exists in directory

• ✅ Check filter syntax is correct

• ✅ Confirm scope is appropriate ("base" vs "onelevel" vs "subtree")

• ✅ Verify bind user has read permissions on entries

• ✅ Test filter with LDAP browser tool

• ✅ Check for typos in attribute names

• ✅ Confirm entries actually exist in search base

SSL/TLS Issues

Problem: SSL handshake failure or certificate errors.

Solutions:

• ✅ Verify port 636 is used for LDAPS (not 389)

• ✅ Check server certificate is valid and not expired

• ✅ Import server certificate into Java truststore

• ✅ For self-signed certs: add to trusted certificates

• ✅ Verify certificate hostname matches server hostname

• ✅ Check for certificate chain issues

Modify/Add/Delete Failures

Problem: Write operations fail or return errors.

Solutions:

• ✅ Verify bind user has write permissions

• ✅ Check DN exists (for modify/delete) or parent exists (for add)

• ✅ Confirm attribute syntax matches schema requirements

• ✅ For add: ensure all required attributes are provided

• ✅ For modify: verify attributes exist before deleting

• ✅ Check for constraints (unique attributes, referential integrity)

• ✅ Cannot delete entries with children (delete children first)

Performance Problems

Problem: Queries are slow or timeout.

Solutions:

• ✅ Add indexes to frequently filtered attributes on LDAP server

• ✅ Use more specific filters to reduce result set size

• ✅ Implement pagination for large result sets

• ✅ Limit attributes retrieved with attributes parameter

• ✅ Use appropriate scope (avoid "subtree" when possible)

• ✅ Increase timeout value for complex queries

• ✅ Check LDAP server performance and load