Use this if:

  1. You need to dereference members of a simple LDAP loader group
  2. You have a group hasMember attribute whose values are user lookup values (resolved by filter)
  3. The users don't have memberOf
  4. The attribute that looks up the user cannot be converted by text manipulation to subjectId or subjectIdentifier
  5. There are not that many lookups per day (e.g. fewer than a couple thousand once the cache is in use)


Group in LDAP


User in LDAP


Ignore the fact that the RDN of the user DN has the subject ID in it in this example.  If that is the case for you, you can simply unpack that value from the DN.

Ignore the fact that the uniqueMember is a DN.   If that is the case for you, you can search by DN instead.

The loader job will:

  1. Filter the group
  2. Return the member attribute of the group (the user lookup values)
  3. In this case, massage the attribute value down to the RDN value using loaderLdapElUtils.convertDnToSpecificValue(); you might not need this step
  4. Check the memory cache to see if the value has been looked up recently; if so, use the cached value
  5. Run an LDAP filter based on that attribute value
  6. Get the uid attribute of the matching user (and add it to the cache)
  7. Use that as the subjectId

The important part of this config is the subject expression:

${ldapLookup.assignLdapConfigId('personLdap').assignTerm(loaderLdapElUtils.convertDnToSpecificValue(subjectId)).assignSearchDn('ou=People,dc=example,dc=edu').assignSearchScope('SUBTREE_SCOPE').assignFilter('(uid=%TERM%)').assignAttributeNameResult('uid').assignCacheForMinutes(24*60).doLookup()}


Each time you run the job, it will run the LDAP filter for each subject that has not been looked up recently (the TTL is set by the cache timeout).
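The following Python sketch is an added example, not Grouper's code, of steps 3 to 7 above with the TTL cache in front of the per-member LDAP filter. It uses a constructed in-memory directory in place of the 'personLdap' server and, unlike the screenshot, gives the member DNs a cn RDN so that the lookup is genuinely needed to reach uid; the helper names are hypothetical stand-ins for the EL methods in the subject expression.

```python
import time

# Constructed sample directory standing in for the 'personLdap' server: DN -> attributes.
# The member RDN here is cn, so text manipulation alone cannot produce the uid.
FAKE_LDAP = {
    "cn=Smith\\, John,ou=People,dc=example,dc=edu": {"cn": "Smith, John", "uid": "jsmith"},
    "cn=Ann Doe,ou=People,dc=example,dc=edu": {"cn": "Ann Doe", "uid": "adoe"},
}
LOOKUP_CALLS = []  # every filter actually sent to "LDAP", so cache hits can be counted


def convert_dn_to_specific_value(dn):
    """Value of the first RDN, honouring backslash-escaped characters (RFC 4514).
    Stand-in for what the page uses loaderLdapElUtils.convertDnToSpecificValue() for."""
    out, i = [], 0
    while i < len(dn) and dn[i] != ",":
        if dn[i] == "\\" and i + 1 < len(dn):
            i += 1  # take the escaped character literally
        out.append(dn[i])
        i += 1
    return "".join(out).partition("=")[2]


def ldap_search(search_dn, filter_template, term, attribute):
    """Stand-in for the filter step: substitute %TERM% and return one attribute of the
    single match. A real client must escape the term per RFC 4515 before substituting."""
    flt = filter_template.replace("%TERM%", term)
    LOOKUP_CALLS.append(flt)
    attr, _, value = flt.strip("()").partition("=")
    hits = [e for dn, e in FAKE_LDAP.items()
            if dn.endswith("," + search_dn) and e.get(attr) == value]
    return hits[0].get(attribute) if len(hits) == 1 else None  # refuse ambiguous hits


class LdapLookup:
    """TTL cache in front of ldap_search, the role assignCacheForMinutes() plays on the page."""
    def __init__(self, cache_minutes, now=time.time):
        self.ttl, self.now, self.cache = cache_minutes * 60, now, {}

    def do_lookup(self, term, search_dn, filter_template, attribute):
        hit = self.cache.get(term)
        if hit and hit[1] > self.now():
            return hit[0]  # looked up recently: reuse without touching LDAP
        value = ldap_search(search_dn, filter_template, term, attribute)
        if value is not None:  # cache positives only, so a transient miss is retried
            self.cache[term] = (value, self.now() + self.ttl)
        return value


def resolve_subject_id(lookup, member_dn):
    """Steps 3-7 of the loader job for one group member value."""
    term = convert_dn_to_specific_value(member_dn)
    return lookup.do_lookup(term, "ou=People,dc=example,dc=edu", "(cn=%TERM%)", "uid")
```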
