Chapter 6. Searching & Comparing Directory Data

Traditionally directories excel at serving read requests. This chapter covers the read (search and compare) capabilities that OpenDJ LDAP Java SDK provides. The data used in examples here is available online.

An LDAP search looks up entries based on the following parameters.

  • A filter that indicates which attribute values to match

  • A base DN that specifies where in the directory information tree to look for matches

  • A scope that defines how far to go under the base DN

  • A list of attributes to fetch for an entry when a match is found

For example, imagine you must write an application where users log in with their email address and a password. After the user logs in, your application displays the user's full name so it is obvious who is logged in. Your application is supposed to go to the user directory both to authenticate the user and to read the user's profile information. You are told that the user directory stores user profile entries under the base DN ou=People,dc=example,dc=com, that email addresses are stored in the standard mail attribute, and that full names are stored in the standard cn attribute.

You figure out how to authenticate from the chapter on authentication, in which you learn you need a bind DN and a password to do simple authentication. But how do you find the bind DN given the email? How do you get the full name?

The answer to both questions is to do an LDAP search for the user's entry: the entry's DN is the one you bind with, and you have the server return the cn attribute in the result. Your search uses the following parameters.

  • The filter is (mail=emailAddress), where emailAddress is the email address the user provided.

  • The base DN is the one given to you, ou=People,dc=example,dc=com.

  • For the scope, you figure the user entry is somewhere under the base DN, so you opt to search the whole subtree.

  • The attribute to fetch is cn.

The following code excerpt demonstrates how this might be done in a minimal command-line program.

import java.io.Console;

import org.forgerock.opendj.ldap.Connection;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.ErrorResultException;
import org.forgerock.opendj.ldap.Filter;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.opendj.ldap.SearchScope;
import org.forgerock.opendj.ldap.responses.SearchResultEntry;

// Prompt for mail and password.
Console c = System.console();
if (c == null) {
    System.err.println("No console.");
    System.exit(1);
}

String mail = c.readLine("Email address: ");
char[] password = c.readPassword("Password: ");

// Search using the mail address, and then bind with the DN and password.
// host, port and baseDN are set earlier in the surrounding program.
final LDAPConnectionFactory factory = new LDAPConnectionFactory(host,
        port);
Connection connection = null;
try {
    connection = factory.getConnection();

    // No explicit bind yet, so the search is performed anonymously.
    // Build the filter with Filter.equality rather than by concatenating
    // the user-supplied address into a string, so that filter
    // metacharacters in the input are escaped instead of changing the
    // structure of the filter.
    Filter filter = Filter.equality("mail", mail);
    SearchResultEntry entry = connection.searchSingleEntry(baseDN,
            SearchScope.WHOLE_SUBTREE, filter.toString(), "cn");
    DN bindDN = entry.getName();
    connection.bind(bindDN.toString(), password);

    String cn = entry.getAttribute("cn").firstValueAsString();
    System.out.println("Hello, " + cn + "!");
} catch (final ErrorResultException e) {
    // Thrown when the search returns no entry or more than one entry,
    // as well as when the bind is rejected.
    System.err.println("Search or bind failed: " + e.getMessage());
    System.exit(e.getResult().getResultCode().intValue());
    return;
} finally {
    if (connection != null) {
        connection.close();
    }
}

For a complete example in context, see SearchBind.java, one of the OpenDJ LDAP SDK examples.
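The filter parameter above, (mail=emailAddress), embeds a value typed by the user. The following stand-alone Python is an added example, not SDK code, showing the RFC 4515 escaping that the SDK's Filter class applies to such a value, and a small parser that confirms the result is still exactly one equality assertion; the function names are my own.

```python
# Added example: build the (mail=emailAddress) filter from an untrusted
# value with RFC 4515 escaping, then parse it back to confirm that the
# string is still a single equality assertion on the mail attribute.

# RFC 4515 section 3: these characters in an assertion value must be
# written as a backslash followed by the two hex digits of the byte.
_MUST_ESCAPE = {"*": r"\2a", "(": r"\28", ")": r"\29",
                "\\": r"\5c", "\x00": r"\00"}
_HEX = "0123456789abcdefABCDEF"


def escape_assertion_value(value: str) -> str:
    """Escape a raw value so it can be embedded in a search filter."""
    return "".join(_MUST_ESCAPE.get(ch, ch) for ch in value)


def equality_filter(attribute: str, value: str) -> str:
    """Build (attribute=value): the attribute name is trusted, the
    assertion value comes from the user and is escaped."""
    return "(" + attribute + "=" + escape_assertion_value(value) + ")"


def parse_equality_filter(filter_string: str) -> tuple:
    """Decode a filter of the form (attr=value) into (attr, value).

    Raises ValueError unless the string is exactly one equality assertion.
    An unescaped '(' , ')' or '*' in the value is rejected, because it
    would make the filter something other than a plain equality match.
    """
    if not (filter_string.startswith("(") and filter_string.endswith(")")):
        raise ValueError("filter is not parenthesised")
    attr, sep, raw = filter_string[1:-1].partition("=")
    if not sep or not attr:
        raise ValueError("missing attribute description")
    out, i = [], 0
    while i < len(raw):
        ch = raw[i]
        if ch == "\\":
            hexpair = raw[i + 1:i + 3]  # backslash needs two hex digits
            if len(hexpair) != 2 or any(c not in _HEX for c in hexpair):
                raise ValueError("bad escape sequence")
            out.append(chr(int(hexpair, 16)))
            i += 3
        elif ch in "*()":
            raise ValueError("unescaped metacharacter %r in value" % ch)
        else:
            out.append(ch)
            i += 1
    return attr, "".join(out)
```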