LDAP Source Node

The ldapsource node queries an LDAP/Active Directory server and emits each matching entry as a record in the pipeline. It supports paged result sets for large directories and flexible search scopes.

Typical use cases include ingesting user accounts, group memberships, and device records from corporate Active Directory or OpenLDAP servers into downstream processing pipelines.

Key Features

Paged results: fetches large result sets in pages to avoid server-side size limits
Attribute projection: retrieve all attributes or restrict to a named list
Search scopes: SUBTREE (default), ONELEVEL, or OBJECT — controls how deep to search below the base DN
Batch source: runs the search once and terminates when all entries are consumed

Configuration

Field	Type	Required	Default	Description
`ldapUrl`	`String`	Yes	—	LDAP server URL, e.g. `ldap://ldap.example.com:389` or `ldaps://ldap.example.com:636`
`credentialId`	`String`	No	—	ID of bind credentials (username = bind DN, password = bind password) in `jobContext.otherProperties`
`baseDn`	`String`	Yes	—	Base DN for the search, e.g. `dc=example,dc=com`
`searchFilter`	`String`	Yes	—	LDAP search filter, e.g. `(objectClass=person)`
`attributes`	`List<String>`	No	—	Attributes to return. Omit or set to `null` to return all attributes
`searchScope`	`String`	No	`SUBTREE`	Search depth: `SUBTREE`, `ONELEVEL`, or `OBJECT`
`pageSize`	`int`	No	`1000`	Number of entries to retrieve per paged request
`timeLimitMs`	`int`	No	`30000`	Maximum time in milliseconds for the search operation

Search Scopes

Scope	Description
`SUBTREE`	Search the base DN and all entries in its subtree (recursive)
`ONELEVEL`	Search only the direct children of the base DN
`OBJECT`	Return only the base DN entry itself

LDAP filters follow RFC 4515 syntax:

# All person entries
(objectClass=person)

# Active Directory users only (not disabled)
(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# Group members
(memberOf=cn=Engineers,ou=Groups,dc=example,dc=com)

# Entries modified in a specific range (requires server support)
(whenChanged>=20240101000000.0Z)

DAG Example

jobContext:
  otherProperties:
    ldap-cred:
      username: "cn=readonly,dc=example,dc=com"
      password: "bindpassword"
  metricTags: {}
  dlqConfig:

dag:
  - id: "source"
    commandName: "ldapsource"
    config:
      ldapUrl: "ldap://ldap.example.com:389"
      credentialId: "ldap-cred"
      baseDn: "ou=Users,dc=example,dc=com"
      searchFilter: "(objectClass=person)"
      attributes:
        - "cn"
        - "mail"
        - "uid"
        - "department"
      searchScope: "SUBTREE"
      pageSize: 500
    outputs:
      - "sink"

  - id: "sink"
    commandName: "stdout"
    config:
      encodingType: "JSON_OBJECT"

Credentials

The credentialId references bind credentials stored in jobContext.otherProperties:

jobContext:
  otherProperties:
    ldap-cred:
      username: "cn=serviceaccount,ou=ServiceAccounts,dc=example,dc=com"
      password: "secret"

If credentialId is omitted, an anonymous bind is attempted.

Output Format

Each LDAP entry is emitted as a flat JSON object where keys are attribute names and values are either a single string (single-valued attributes) or an array of strings (multi-valued attributes):

{
  "cn": "Alice Smith",
  "mail": "alice@example.com",
  "memberOf": ["cn=Eng,dc=example,dc=com", "cn=AllStaff,dc=example,dc=com"],
  "uid": "asmith"
}

jdbcsink: Persist LDAP entries to a relational database
kafkasink: Stream LDAP entries to a Kafka topic

Key Features​

Configuration​

Search Scopes​

Search Filter Syntax​

DAG Example​

Credentials​

Output Format​

Related Nodes​