LDAP Source Node

The ldapsource node queries an LDAP/Active Directory server and emits each matching entry as a record in the pipeline. It supports paged result sets for large directories and flexible search scopes.

Typical use cases include ingesting user accounts, group memberships, and device records from corporate Active Directory or OpenLDAP servers into downstream processing pipelines.

Key Features

  • Paged results: fetches large result sets in pages to avoid server-side size limits
  • Attribute projection: retrieve all attributes or restrict to a named list
  • Search scopes: SUBTREE (default), ONELEVEL, or OBJECT — controls how deep to search below the base DN
  • Batch source: runs the search once and terminates when all entries are consumed

Configuration

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| ldapUrl | String | Yes | | LDAP server URL, e.g. ldap://ldap.example.com:389 or ldaps://ldap.example.com:636 |
| credentialId | String | No | | ID of bind credentials (username = bind DN, password = bind password) in jobContext.otherProperties |
| baseDn | String | Yes | | Base DN for the search, e.g. dc=example,dc=com |
| searchFilter | String | Yes | | LDAP search filter, e.g. (objectClass=person) |
| attributes | List<String> | No | | Attributes to return. Omit or set to null to return all attributes |
| searchScope | String | No | SUBTREE | Search depth: SUBTREE, ONELEVEL, or OBJECT |
| pageSize | int | No | 1000 | Number of entries to retrieve per paged request |
| timeLimitMs | int | No | 30000 | Maximum time in milliseconds for the search operation |

Search Scopes

| Scope | Description |
|---|---|
| SUBTREE | Search the base DN and all entries in its subtree (recursive) |
| ONELEVEL | Search only the direct children of the base DN |
| OBJECT | Return only the base DN entry itself |

Search Filter Syntax

LDAP filters follow RFC 4515 syntax:

# All person entries
(objectClass=person)

# Active Directory users only (not disabled)
(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

# Group members
(memberOf=cn=Engineers,ou=Groups,dc=example,dc=com)

# Entries modified in a specific range (requires server support)
(whenChanged>=20240101000000.0Z)
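
When part of a searchFilter comes from a variable (a department or group name, for instance) instead of being typed by hand, RFC 4515 requires `*`, `(`, `)`, `\` and NUL inside the value to be hex-escaped so the value stays data and cannot alter the filter's structure. The block below is an added example, not code from the ldapsource project; the helper names (`escape_filter_value`, `eq`, `bit_and`, `all_of`, `negate`) are hypothetical, and it rebuilds the "not disabled" filter shown above.

```python
import re

# Added example, not ldapsource code: all helper names here are hypothetical.
# RFC 4515 section 3: these characters must be written as \XX hex escapes
# when they appear inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Accepted attribute descriptions: short name (letters, digits, hyphen) or dotted OID.
_ATTR_RE = re.compile(r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)")

# Active Directory bitwise-AND matching rule used in the page's filter.
BIT_AND_RULE = "1.2.840.113556.1.4.803"


def escape_filter_value(value: str) -> str:
    """Return value with RFC 4515 special characters hex-escaped."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _check_attr(attr: str) -> str:
    """Reject attribute names that could carry filter syntax."""
    if not _ATTR_RE.fullmatch(attr):
        raise ValueError(f"invalid attribute name: {attr!r}")
    return attr


def eq(attr: str, value: str) -> str:
    """Equality match with the value treated strictly as data."""
    return f"({_check_attr(attr)}={escape_filter_value(value)})"


def bit_and(attr: str, mask: int) -> str:
    """Match entries where every bit in mask is set (AD extensible match)."""
    return f"({_check_attr(attr)}:{BIT_AND_RULE}:={int(mask)})"


def all_of(*filters: str) -> str:
    """AND together already-built sub-filters."""
    return "(&" + "".join(filters) + ")"


def negate(flt: str) -> str:
    """Negate an already-built sub-filter."""
    return f"(!{flt})"


if __name__ == "__main__":
    # The page's "not disabled" filter, rebuilt from parts.
    print(all_of(eq("objectClass", "user"), negate(bit_and("userAccountControl", 2))))
    # Constructed sample value containing filter metacharacters.
    print(eq("department", "R&D (EMEA)*"))
```

The resulting string is what goes into the node's searchFilter field; DN components inside a value follow the separate RFC 4514 escaping rules, which this example does not cover.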

DAG Example

jobContext:
  otherProperties:
    ldap-cred:
      username: "cn=readonly,dc=example,dc=com"
      password: "bindpassword"
  metricTags: {}
  dlqConfig:

dag:
  - id: "source"
    commandName: "ldapsource"
    config:
      # Simple bind over plain ldap:// sends the bind password unencrypted;
      # prefer the ldaps:// form where the server offers it.
      ldapUrl: "ldap://ldap.example.com:389"
      credentialId: "ldap-cred"
      baseDn: "ou=Users,dc=example,dc=com"
      searchFilter: "(objectClass=person)"
      attributes:
        - "cn"
        - "mail"
        - "uid"
        - "department"
      searchScope: "SUBTREE"
      pageSize: 500
    outputs:
      - "sink"

  - id: "sink"
    commandName: "stdout"
    config:
      encodingType: "JSON_OBJECT"

Credentials

The credentialId references bind credentials stored in jobContext.otherProperties:

jobContext:
  otherProperties:
    ldap-cred:
      username: "cn=serviceaccount,ou=ServiceAccounts,dc=example,dc=com"
      password: "secret"

If credentialId is omitted, an anonymous bind is attempted.

Output Format

Each LDAP entry is emitted as a flat JSON object where keys are attribute names and values are either a single string (single-valued attributes) or an array of strings (multi-valued attributes):

{
  "cn": "Alice Smith",
  "mail": "alice@example.com",
  "memberOf": ["cn=Eng,dc=example,dc=com", "cn=AllStaff,dc=example,dc=com"],
  "uid": "asmith"
}

  • jdbcsink: Persist LDAP entries to a relational database
  • kafkasink: Stream LDAP entries to a Kafka topic