Use this if:

  1. You need to dereference members of a simple LDAP loader group
  2. You have a Group hasMember that has User DN values
  3. The users don't have memberOf
  4. The RDN in the user DN is not a subject ID or identifier
  5. There are not that many lookups per day (e.g. less than a couple thousand after a cache is used)

Note, the cache is shared with other jobs with the same ldapLookup settings


Group in LDAP

User in LDAP

Ignore the fact that the RDN of the user DN has the subject ID in it in this example. If that is the case for you, you can simply unpack the subject ID from the DN instead.

The loader job will:

  1. Filter the group
  2. Return the DNs of the users (the hasMember values)
  3. Look up those DNs in the in-memory cache (use the cached values if present)
  4. Look up those DNs in LDAP (if they are not in the cache)
  5. Get the uid attribute
  6. Use that as the subjectId

The important part of this config is the subject expression:

${ldapLookup.assignLdapConfigId('personLdap').assignAttributeNameResult('uid').assignCacheForMinutes(24*60).assignSearchDn('%TERM%').assignTerm(subjectId).doLookup()}


Each time the job runs, it performs an LDAP lookup for each subject unless that subject was already looked up within the cache period (here 24*60 minutes, i.e. one day).
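The following is an added illustration of the procedure above, not code from the page or from the loader itself: it models the shared TTL cache keyed by the same settings the subject expression uses (ldapConfigId, attribute, searchDn, term), dereferences a group's hasMember DNs to uid values, and counts how many directory reads a repeated run costs. The directory, group, user DNs and uid values are constructed stand-ins, and the cache-key design and the caching of unresolved DNs are choices of this example.

```python
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the person/group directory (NOT a live LDAP server):
# maps an entry DN to its attributes. Group membership is a list of user DNs in
# hasMember, and users carry a uid but no memberOf, as on the page.
DIRECTORY: Dict[str, Dict[str, list]] = {
    "cn=app-admins,ou=groups,dc=example,dc=edu": {
        "objectClass": ["groupOfNames"],
        "hasMember": [
            "cn=Jane Doe,ou=people,dc=example,dc=edu",
            "cn=John Roe,ou=people,dc=example,dc=edu",
            # Constructed stale reference: this user entry no longer exists.
            "cn=Gone User,ou=people,dc=example,dc=edu",
        ],
    },
    "cn=Jane Doe,ou=people,dc=example,dc=edu": {"uid": ["jdoe"]},
    "cn=John Roe,ou=people,dc=example,dc=edu": {"uid": ["jroe"]},
}

CacheKey = Tuple[str, str, str, str]


class LdapLookupCache:
    """TTL cache keyed by (ldapConfigId, attribute, searchDn, term), which is
    why any job using the same lookup settings shares the cached values."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._entries: Dict[CacheKey, Tuple[float, Optional[str]]] = {}
        self.ldap_calls = 0  # counts (simulated) directory round trips

    def lookup(self, ldap_config_id: str, attribute: str, search_dn: str,
               term: str, cache_minutes: int,
               fetch: Callable[[str, str], Optional[str]]) -> Optional[str]:
        key: CacheKey = (ldap_config_id, attribute, search_dn, term)
        cached = self._entries.get(key)
        if cached is not None and cached[0] > self._now():
            return cached[1]  # fresh entry: no directory round trip
        self.ldap_calls += 1
        value = fetch(search_dn.replace("%TERM%", term), attribute)
        # This example caches negative results too, so a stale hasMember DN
        # does not cost one directory read on every run.
        self._entries[key] = (self._now() + cache_minutes * 60, value)
        return value


def fetch_attribute(dn: str, attribute: str) -> Optional[str]:
    """Base-scope read of one attribute of one entry from the constructed directory."""
    entry = DIRECTORY.get(dn)
    if entry is None or not entry.get(attribute):
        return None
    return entry[attribute][0]


def filter_groups(object_class: str) -> Dict[str, Dict[str, list]]:
    """Step 1: select the group entries the loader should process."""
    return {dn: e for dn, e in DIRECTORY.items()
            if object_class in e.get("objectClass", [])}


def resolve_subject_ids(group_dn: str, cache: LdapLookupCache,
                        cache_minutes: int = 24 * 60) -> Dict[str, Optional[str]]:
    """Steps 2-6: take the hasMember DNs and map each one to its uid through the
    shared cache, with the same settings as the page's subject expression
    (ldapConfigId 'personLdap', attribute 'uid', searchDn '%TERM%', term = DN).
    Unresolvable DNs map to None so the caller can log them instead of loading them."""
    members = DIRECTORY.get(group_dn, {}).get("hasMember", [])
    return {dn: cache.lookup("personLdap", "uid", "%TERM%", dn,
                             cache_minutes, fetch_attribute)
            for dn in members}


if __name__ == "__main__":
    cache = LdapLookupCache()
    for gdn in filter_groups("groupOfNames"):
        for dn, uid in resolve_subject_ids(gdn, cache).items():
            print(f"{gdn}: {dn} -> {uid if uid else 'UNRESOLVED'}")
    print("directory reads:", cache.ldap_calls)
```

Running it twice in the same process shows the second pass costs no directory reads; a DN in hasMember that no longer resolves comes back as None, which is worth reporting rather than silently dropping, since it usually means a user entry was deleted without the group being cleaned up.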
