LDAP Assignment Handler
Configuring the LDAP Assignment Handler
LDAP Properties
Custom Assignment
LDAP Search Filter
Assignment to a Person
Assignment to a Group
See also: Configuring LDAP Based Security
Workflow task assignment can be directed to the LDAP Assignment Handler, which is designed specifically to allow workflow tasks to be assigned to resources in an LDAP directory service.
To use the LDAP Assignment Handler, replace the default Ebase Assignment Handler in the UFSSetup.properties file:
Workflow.AssignmentHandler=com.ebasetech.ufs.workflow.LdapAssignmentHandler
The LDAP Assignment Handler requires LDAP properties to be configured in the UFSSetup.properties file to perform the authentication and the search. Please refer to the section Configuring LDAP Properties in LDAP_Security.htm for detailed descriptions of each property.
The following configuration is an OpenLDAP example:
ldap.registryHost=localhost
ldap.registryPort=389
ldap.baseDistinguishedName=dc=ebasetech,dc=com
ldap.userKeyAttributeName=uid
ldap.bindDistinguishedName=cn=Admin,dc=ebasetech,dc=com
ldap.bindPassword=secret
ldap.userRoleAttributeName=description
ldap.debug=true
ldap.cacheRefreshPeriod=120
The ldap.baseDistinguishedName property defines the search base; it should be set to the root of the directory under which all the user and group objects are located.
To assign tasks to resources in the LDAP directory, select custom assignment in the Resources tab of the Task Node Configuration. Custom assignment allows for single-actor assignment or multiple-actor assignment. A filter string is required to perform a search on the LDAP directory objects. This is the assignment expression, and the results of the search become the assigned or assignable actors.
In order to use this, it is necessary to understand the filter string syntax.
The filter string is an LDAP search filter based on the RFC specification for searching an LDAP directory. A search filter is a search query expressed in the form of a logical expression. The syntax of the search filters accepted is described in RFC 2254.
The following table lists some search filter operations.
Symbol | Filter
~= | Approximate
= | Equality
> | Greater than
>= | Greater than or equal to
< | Less than
<= | Less than or equal to
=* | Presence of attribute. E.g: sn=*
* | Wildcard string match. E.g: sn=Bl*s
& | And
| | Or. E.g: (|(sn=Bloggs)(initials=JB))
! | Not
To assign a task to a single actor, select Person assignment. The filter search string can specify an object class.
There are a number of standard LDAP object classes that can be used to define a user. The inetOrgPerson object class is recommended, as it includes a standard uid attribute that is useful for representing the user logon id.
Example search strings to assign to a single actor:
Assignment to Joe Bloggs:
(cn=Joe Bloggs)
Assignment to an object other than Joe Bloggs:
(!(cn=Joe Bloggs))
Assignment to a Person object whose surname is Bloggs and name begins with J:
(&(objectClass=Person)(|(sn=Bloggs)(cn=J*)))
Assignment to an internet organisational person (inetOrgPerson) with common name Joe Bloggs:
(&(objectClass=inetOrgPerson)(cn=Joe Bloggs))
In each of the cases above, the filter searches the directory performing an equality search.
To assign a task to multiple actors, select Group assignment. Enter a filter search string with the object class groupOfNames. The groupOfNames object is a standard LDAP object class which includes a member attribute for adding users to the group.
Active Directory supports the standard groupOfNames object class but has an additional object class of group which can also be used.
Example search strings to assign to multiple actors:
Assignment to a groupOfNames object with common name IT People:
(&(objectClass=groupOfNames)(cn=IT People))
Assignment for Active Directory to a group or groupOfNames object with common name IT People:
(&(|(objectClass=group)(objectClass=groupOfNames))(cn=IT People))
Assignment for multiple group objects, IT People or Admin:
(&(objectClass=groupOfNames)(|(cn=IT People)(cn=Admin)))
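As an added example (not the product's own code), the following Python helper parses filters of the kind shown in the table and in the person and group examples above, rejects malformed ones (for instance a "!" with more than one operand), escapes values placed into a filter as RFC 2254 section 4 requires, and runs the filter over a constructed in-memory directory so you can see which entries would become the assignable actors. DIRECTORY, assignees and the simplified matching rules are assumptions of this example, not the handler's own behaviour.

```python
"""RFC 2254 filter helpers: escape values, parse a filter, run it over dict entries."""
import re
_ESC = {"*": r"\2a", "(": r"\28", ")": r"\29", "\\": r"\5c", "\0": r"\00"}
_ITEM = re.compile(r"\(([A-Za-z][\w.;-]*)(~=|>=|<=|=)([^()]*)\)")
_unescape = lambda v: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), v)
def escape_value(value: str) -> str:
    """Escape a value before embedding it in a filter (RFC 2254 section 4)."""
    return "".join(_ESC.get(ch, ch) for ch in value)

def parse(s: str):
    """Parse a filter string into nested tuples; raise ValueError when malformed."""
    def at(i):
        if i + 1 < len(s) and s[i] == "(" and s[i + 1] in "&|!":
            op, i, kids = s[i + 1], i + 2, []
            while i < len(s) and s[i] == "(":      # operands of &, | or !
                kid, i = at(i)
                kids.append(kid)
            if i >= len(s) or s[i] != ")" or not kids or (op == "!" and len(kids) != 1):
                raise ValueError(f"malformed '{op}' expression near offset {i}")
            return (op, kids), i + 1
        if not (m := _ITEM.match(s, i)):           # simple item: (attr op value)
            raise ValueError(f"bad filter item at offset {i}")
        return ("item", m[1].lower(), m[2], m[3]), m.end()
    tree, end = at(0)
    if end != len(s): raise ValueError("trailing text after filter")
    return tree

def matches(node, entry: dict) -> bool:
    """True if entry ({lower-case attr: [values]}) satisfies the parsed filter."""
    if node[0] in ("&", "|", "!"):
        res = [matches(k, entry) for k in node[1]]
        return all(res) if node[0] == "&" else any(res) if node[0] == "|" else not res[0]
    _, attr, op, raw = node
    values = [str(v) for v in entry.get(attr, [])]
    if op == "=" and "*" in raw:   # presence (=*) or wildcard substring match
        pat = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
        return any(re.fullmatch(pat, v) for v in values)
    want = _unescape(raw)          # '~=' and ordering matches are simplified here
    return any(v == want if op == "=" else v.lower() == want.lower() if op == "~="
               else v >= want if op == ">=" else v <= want for v in values)

DIRECTORY = [  # constructed sample entries standing in for the LDAP server
    {"objectclass": ["inetOrgPerson", "Person"], "cn": ["Joe Bloggs"], "sn": ["Bloggs"], "uid": ["jbloggs"]},
    {"objectclass": ["inetOrgPerson", "Person"], "cn": ["Jane Smith"], "sn": ["Smith"], "uid": ["jsmith"]},
    {"objectclass": ["groupOfNames"], "cn": ["IT People"], "member": ["uid=jbloggs,dc=ebasetech,dc=com"]},
]

def assignees(filter_string: str, entries=DIRECTORY) -> list:
    tree = parse(filter_string)  # common names of the entries the expression selects
    return [e["cn"][0] for e in entries if matches(tree, e)]
```

A common name taken from form data should pass through escape_value before it is placed in the assignment expression, so that parentheses or wildcards in the name cannot change the shape of the filter.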
RFC 2254: The String Representation of LDAP Search Filters
Apache Directory Services
Apache Directory Studio: this LDAP browser / editor is a complete directory tooling platform compatible with any LDAP server. http://directory.apache.org/studio/
OpenLDAP