LDAP endpoints

Use the v2 LDAP endpoints to get information about your LDAP directory service connections.

Use the v1 LDAP endpoints to test and configure LDAP connections.

GET /ldap

Get details of configured LDAP connections. Authentication is required.

Request format

When Forming RBAC API requests to this endpoint, the request is a basic call with authentication, for example:
curl "https://$(puppet config print server):4433/rbac-api/v2/ldap" -H "X-Authentication:$(puppet-access show)"

Response format

A successful request returns an array of objects in which each object represents one LDAP server's External directory settings. For example, this response contains information for one LDAP server:
[
  {
    "help_link": "",
    "ssl": false,
    "group_name_attr": "name",
    "group_rdn": "ou=groups",
    "connect_timeout": 10,
    "user_display_name_attr": "*",
    "disable_ldap_matching_rule_in_chain": false,
    "ssl_hostname_validation": true,
    "hostname": "ldap.internal",
    "base_dn": "dc=glauth,dc=com",
    "user_lookup_attr": "cn",
    "port": 3893,
    "login": "cn=serviceuser,ou=svcaccts,dc=glauth,dc=com",
    "group_lookup_attr": "cn",
    "group_member_attr": "uniqueMember",
    "id": "e97188aa-9573-413b-945e-07f5f261613e",
    "ssl_wildcard_validation": false,
    "user_email_attr": "mail",
    "user_rdn": "ou=users",
    "group_object_class": "groupOfUniqueNames",
    "display_name": "ldap.internal",
    "search_nested_groups": true,
    "start_tls": false
  }
]
You must have the directory_service:edit:* permission to get complete responses. Otherwise, responses are limited to the id and display_name, for example:
[
  {
    "id": "e97188aa-9573-413b-945e-07f5f261613e",
    "display_name": "ldap.internal"
  }
]

An empty array means there are no LDAP connections configured.

For error responses, refer to RBAC service errors.

GET /ldap/<id>

Get details for a specific LDAP connection. Authentication is required.

Request format

When Forming RBAC API requests to this endpoint, the request is a basic call with authentication and a specific LDAP connection ID, for example:
curl "https://$(puppet config print server):4433/rbac-api/v2/ldap/e97188aa-9573-413b-945e-07f5f261613e" \
-H "X-Authentication:$(puppet-access show)"

You can use GET /ldap to get the id.

Response format

A successful request returns an object containing the connection's External directory settings. For example:
{
  "help_link": "",
  "ssl": false,
  "group_name_attr": "name",
  "group_rdn": "ou=groups",
  "connect_timeout": 10,
  "user_display_name_attr": "*",
  "disable_ldap_matching_rule_in_chain": false,
  "ssl_hostname_validation": true,
  "hostname": "ldap.internal",
  "base_dn": "dc=glauth,dc=com",
  "user_lookup_attr": "cn",
  "port": 3893,
  "login": "cn=serviceuser,ou=svcaccts,dc=glauth,dc=com",
  "group_lookup_attr": "cn",
  "group_member_attr": "uniqueMember",
  "id": "e97188aa-9573-413b-945e-07f5f261613e",
  "ssl_wildcard_validation": false,
  "user_email_attr": "mail",
  "user_rdn": "ou=users",
  "group_object_class": "groupOfUniqueNames",
  "display_name": "ldap.internal",
  "search_nested_groups": true,
  "start_tls": false
}
You must have the directory_service:edit:* permission to get all keys. Otherwise, responses are limited to the id and display_name, for example:
{
  "id": "e97188aa-9573-413b-945e-07f5f261613e",
  "display_name": "ldap.internal"
}

For error responses, refer to RBAC service errors.
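As an added example (not part of the RBAC API documentation or Puppet's own tooling), the following Python audits the objects returned by GET /ldap and GET /ldap/<id> for weak transport settings, and treats the reduced id/display_name response a caller without directory_service:edit:* receives as "cannot audit" rather than as a misconfiguration. The sample objects are constructed from the page's example; server name, token and CA file path are assumed inputs supplied by the caller.

```python
import json
import ssl
import urllib.request

# Constructed sample: one connection as in the page's GET /ldap example
# (plain LDAP on port 3893, no TLS at all).
SAMPLE_FULL = {
    "id": "e97188aa-9573-413b-945e-07f5f261613e",
    "display_name": "ldap.internal",
    "hostname": "ldap.internal", "port": 3893,
    "ssl": False, "start_tls": False,
    "ssl_hostname_validation": True, "ssl_wildcard_validation": False,
    "login": "cn=serviceuser,ou=svcaccts,dc=glauth,dc=com",
}
# Constructed sample: the reduced object returned without directory_service:edit:*.
SAMPLE_LIMITED = {"id": "e97188aa-9573-413b-945e-07f5f261613e",
                  "display_name": "ldap.internal"}

TRANSPORT_KEYS = ("ssl", "start_tls", "ssl_hostname_validation",
                  "ssl_wildcard_validation")


def audit_connection(conn):
    """Return (severity, message) findings for one LDAP connection object."""
    name = conn.get("display_name", conn.get("id", "?"))
    # Missing transport keys means the permission-limited response, not a gap.
    if not all(k in conn for k in TRANSPORT_KEYS):
        return [("info", f"{name}: limited response; caller lacks "
                         "directory_service:edit:*, cannot audit")]
    findings = []
    if not conn["ssl"] and not conn["start_tls"]:
        findings.append(("high", f"{name}: binds as {conn['login']} in "
                                 "cleartext (ssl and start_tls both false)"))
    if conn["ssl"] and not conn["ssl_hostname_validation"]:
        findings.append(("high", f"{name}: TLS hostname validation disabled"))
    if conn["ssl_wildcard_validation"]:
        findings.append(("low", f"{name}: wildcard certificates accepted"))
    return findings


def fetch_connections(server, token, cafile, conn_id=None):
    """GET /ldap (array) or GET /ldap/<id> (object); always return a list.
    cafile (assumed) is the CA that signed the console certificate."""
    path = "/rbac-api/v2/ldap" + (f"/{conn_id}" if conn_id else "")
    req = urllib.request.Request(f"https://{server}:4433{path}",
                                 headers={"X-Authentication": token})
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        body = json.load(resp)
    return body if isinstance(body, list) else [body]
```

Run `audit_connection` over every object from `fetch_connections(...)`; a connection that returns only the "info" finding needs a token with directory_service:edit:* before it can be assessed.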

GET /ds (deprecated)

Get information about your directory service. Authentication is required.

Important: GET /ds is deprecated. Instead, use GET /ldap.

Request format

When Forming RBAC API requests to this endpoint, the request is a basic call with authentication, such as:
curl "https://$(puppet config print server):4433/rbac-api/v2/ds" -H "X-Authentication:$(puppet-access show)"

Response format

Returns an array of objects, where each object represents a currently configured LDAP server. For example, this response contains information for one LDAP server:
[
  {
    "id": "6e33eb78-820f-463a-a65c-e1ef291d59a8",
    "help_link": "https://help.example.com",
    "ssl": true,
    "group_name_attr": "name",
    "group_rdn": null,
    "connect_timeout": 15,
    "user_display_name_attr": "cn",
    "disable_ldap_matching_rule_in_chain": false,
    "ssl_hostname_validation": true,
    "hostname": "ldap.example.com",
    "base_dn": "dc=example,dc=com",
    "user_lookup_attr": "uid",
    "port": 636,
    "login": "cn=ldapuser,ou=service,ou=users,dc=example,dc=com",
    "group_lookup_attr": "cn",
    "group_member_attr": "uniqueMember",
    "ssl_wildcard_validation": false,
    "user_email_attr": "mail",
    "user_rdn": "ou=users",
    "group_object_class": "groupOfUniqueNames",
    "display_name": "Acme Corp Ldap server",
    "search_nested_groups": true,
    "start_tls": false
  }
]

Returns an empty array if no LDAP servers are configured.

You must have the directory_service:edit permission to view all fields; otherwise, only the display name of the directory server is returned.

For information about each setting, refer to External directory settings.

For errors, refer to RBAC service errors.