Whatever message this page gives is out now! Go check it out!

cfldap

Last update:
May 18, 2026

Description

Provides an interface to a Lightweight Directory Access Protocol (LDAP) directory server, such as the Netscape Directory Server.

Category

Internet protocol tags

Syntax

<cfldap 
action = "action" 
server = "server name" 
attributes = "attribute, attribute" 
delimiter = "delimiter character" 
dn = "distinguished name" 
filter = "filter" 
maxRows = "number" 
modifyType = "replace|add|delete" 
name = "name" 
password = "password" 
port = "port number" 
rebind = "yes|no" 
referral = "number of allowed hops" 
returnAsBinary = "column name, column name" 
scope = "scope" 
secure = "multifield security string" 
separator = "separator character" 
sort = "attribute[, attribute]..." 
sortControl = "nocase|desc|asc" 
start = "distinguished name" 
startRow = "row number" 
timeout = "milliseconds" 
username = "user name"
clientcert = "path to client certificate"
clientcertpassword = "password for the client certificate"
usetls = "true|false">
Note:
You can specify this tag's attributes in an attributeCollection attribute whose value is a structure. Specify the structure name in the attributeCollection attribute and use the tag's attribute names as structure keys.

See also

cfftp cfhttp cfmail cfmailparam cfpop Managing LDAP Directories  in the Developing ColdFusion Applications

History

ColdFusion 11: Added 3 new attributes: clientcert, clientcertpassword, and usetls. Removed the filterFile attribute.
ColdFusion 8: Added the ability to use a comma as a delimiter when specifying a list of variables in the returnAsBinary attribute, for example, returnAsBinary="objectGUID,objectSID". Previously, the allowed delimiter was a space.ColdFusion MX 7: Added the returnAsBinary attribute. Added SSL V2 client based authentication; this means that ColdFusion supports the CFSSL_CLIENT_AUTH option. If CFSSL_CLIENT_AUTH is selected, ColdFusion assumes that the first certificate in the cacerts (or the certificate database) contains the Client Certificate.ColdFusion MX:
  • Changed the name attribute behavior: this tag validates the query name in the name attribute.
  • Changed sorting behavior: this tag does not support client-side sorting of query results. (It supports server-side sorting; use the sort and sortcontrol attributes.)
  • Changed how results are sorted: server-side sorting results might be sorted slightly differently than in ColdFusion 5. If you attempt a sort against a server that does not support it, ColdFusion MX throws an error.
  • Deprecated the filterConfig and filterFile attributes. They might not work, and might cause an error, in later releases.

Attributes

AttributeReq/OptDefaultDescription
action
Required
query
  • query: returns LDAP entry information only. Requires name, start, and attributes attributes.
  • add: adds LDAP entries to LDAP server. Requires attributes attribute.
  • modify: modifies LDAP entries, except distinguished name dn attribute, on LDAP server. Requires dn. See modifyType attribute.
  • modifyDN: modifies distinguished name attribute for LDAP entries on LDAP server. Requires dn.
  • delete: deletes LDAP entries on an LDAP server. Requires dn.
server
Required
Host name or IP address of LDAP server.
attributes
Required if action = "Query", "Add", "ModifyDN", or "Modify"
For queries: comma-delimited list of attributes to return. For queries, to get all attributes, specify "*". If action = "add" or "modify", you can specify a list of update columns. Separate attributes with a semicolon. If action = "ModifyDN", ColdFusion passes attributes to the LDAP server without syntax checking.
delimiter
Optional
; (semicolon)
Separator between attribute name-value pairs. Use this attribute if either of these situations exist:
  • The attributes attribute specifies more than one item.
  • An attribute contains the default delimiter (semicolon), for example: mgrpmsgrejecttext;lang-en Used by query, add, and modify actions, and by cfldap to output multi-value attributes. For example, if $ (dollar sign), you could specify "cn = Double Tree Inn$street = 1111 Elm; Suite 100, where the semicolon is part of the street value.
dn
Required if action = "Add","Modify", "ModifyDN", or "delete"
Distinguished name, for update action, for example, "cn = Bob Jensen, o = Ace Industry, c = US"
filter
Optional
"objectclass = *"
Search criteria for action = "query". List attributes in the form: "(attribute operator value)" For example: "(sn = Smith)"
maxRows
Optional
Maximum number of entries for LDAP queries.
modifyType
Optional
replace
How to process an attribute in a multi-value list:
  • add: appends it to any attributes.
  • delete: deletes it from the set of attributes.
  • replace: replaces it with specified attributes. You cannot add an attribute that is already present or that is empty.
name
Required if action = "Query"
Name of LDAP query. The tag validates the value.
password
Required if secure = "CFSSL_BASIC"
Password that corresponds to user name. If secure = "CFSSL_BASIC", V2 encrypts the password before transmission.
port
Optional
389
Port.
rebind
Optional
no
  • yes: attempts to rebind referral callback and reissue query by referred address using original credentials.
  • no: referred connections are anonymous.
referral
Optional
Integer. Number of hops allowed in a referral. A value of 0 disables referred addresses for LDAP; no data is returned.
returnAsBinary
Optional
A space-delimited list of columns that are to be returned as binary values.
scope
Optional
oneLevel
Scope of search, from entry specified in start attribute for action = "Query".
  • oneLevel: entries one level below entry.
  • base: only the entry.
  • subtree: entry and all levels below it.
secure
Optional
Security to employ, and required information. If you specify this attribute, its value must be one of the following:
  • CFSSL_BASIC - Provides V2 SSL encryption and server authentication.
  • CFSSL_CLIENT_AUTH - This is mandatory if client certificate based authentication is to be used with CFLDAP tag . This is to be used with
    clientcert and clientcertpassword.
separator
Optional
, (comma)
Delimiter to separate attribute values of multi-value attributes. Used by query, add, and modify actions, and by cfldap to output multi-value attributes. For example, if $ (dollar sign), the attributes attribute could be "objectclass = top$person", where the first value of objectclass is top, and the second value is person. This avoids confusion if values include commas.
sort
Optional
Attributes by which to sort query results. Use a comma delimiter.
sortControl
Optional
asc
  • nocase: case-insensitive sort.
  • asc: ascending (a to z) case-sensitive sort.
  • desc: descending (z to a) case-sensitive sort. You can enter a combination of sort types; for example, sortControl = "nocase, asc".
start
Required if action = "Query"
Distinguished name of entry to be used to start a search.
startRow
Optional
1
Used with action = "query". First row of LDAP query to insert into a ColdFusion query.
timeout
Optional
60000
Maximum length of time, in milliseconds, to wait for LDAP processing.
username
Required if secure = "CFSSL_BASIC"
(anonymous)
User ID.
clientcertOptional The full path to the key store file that contains the client certificate.
clientcertpasswordOptional Password for the client certificate.
usetlsOptionaltrue/falseWhether to use the startTls extension for initiating SSL over normal LDAP port.

Usage

If you use the query action, cfldap creates a query object, allowing access to information in the query variables, as follows:
Variable nameDescription
queryname.recordCount
Number of records returned by query
queryname.currentRow
Current row of query that cfoutput is processing
queryname.columnList
Column names in query
If you use the security="CFSSL_BASIC" option, ColdFusion determines whether to trust the server by comparing the server's certificate with the information in the jre/lib/security/cacerts keystore of the JRE used by ColdFusion. The ColdFusion default cacerts file contains information about many certificate granting authorities. If you must update the file with additional information, you can use the keytool utility in the ColdFusion jre/bin directory to import certificates that are in X.509 format. For example, enter the following:
keytool -import -keystore cacerts -alias ldap -file ldap.crt -keypass bl19mq
Then restart ColdFusion. The keytool utility initial keypass password is "change it". For more information on using the keytool utility, see the Sun JDK documentation.Characters that are illegal in ColdFusion can be used in LDAP attribute names. As a result, the cfldap tag could create columns in the query result set whose names contain illegal characters and are, therefore, inaccessible in CFML. In ColdFusion, illegal characters are automatically mapped to the underscore character; therefore, column names in the query result set might not exactly match the names of the LDAP attributes. For usage examples, see the Developing ColdFusion Applications.
Note:
Windows only
If the load is high and  cfldap produces errors, then chances are that all ephemeral TCP ports are in use. Therefore, no new port can be allocated to a new client connection request.
To resolve the issue, open the registry editor and locate the registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, and add a new entry as shown below:
  • Value Name: MaxUserPort
  • Value Type: DWORD
  • Value data: 65534

Example

<h3>cfldap Example</h3> 
<p>Provides an interface to LDAP directory servers. The example uses the 
University of Connecticut public LDAP server. For more public LDAP servers, 
see <a href="http://www.emailman.com">http://www.emailman.com</a>.</p> 
<p>Enter a name and search the public LDAP resource. 
An asterisk before or after the name acts as a wildcard.</p> 
<!--- If form.name exists, the form was submitted; run the query. ---> 
<cfif IsDefined("form.name")> 
<!--- Check to see that there is a name listed. ---> 
<cfif form.name is not ""> 
<!--- Make the LDAP query. ---> 
<cfldap 
server = "ldap.uconn.edu" 
action = "query" 
name = "results" 
start = "dc=uconn,dc=edu" 
filter = "cn=#name#" 
attributes = "cn,o,title,mail,telephonenumber" 
sort = "cn ASC"> 
<!--- Display results. ---> 
<center> 
<table border = 0 cellspacing = 2 cellpadding = 2> 
<tr> 
<th colspan = 5> 
<cfoutput>#results.recordCount# matches found </cfoutput></TH> 
</tr> 
<tr> 
<th><font size = "-2">Name</font></TH> 
<th><font size = "-2">Organization</font></TH> 
<th><font size = "-2">Title</font></TH> 
<th><font size = "-2">E-Mail</font></TH> 
<th><font size = "-2">Phone</font></TH> 
</tr> 
<cfoutput query = "results"> 
<tr> 
<td><font size = "-2">#cn#</font></td> 
<td><font size = "-2">#o#</font></td> 
<td><font size = "-2">#title#</font></td> 
<td><font size = "-2"> 
<A href = "mailto:#mail#">#mail#</A></font></td> 
<td><font size = "-2">#telephonenumber#</font></td> 
</tr> 
</cfoutput> 
</table> 
</center> 
</cfif> 
</cfif> 

<form action="#cgi.script_name#" method="POST"> 
<p>Enter a name to search in the database.</p> 
<input type="Text" name="name"> 
<input type="Submit" value="Search" name=""> 
</form>
Note:
Using ldap modifyDN (rename operation) you can move an entry from one point in the tree to another point in the tree. For example, refer to the following scenarios:
  • To modify the RDN of an entry (within the tree), specify new RDS attribute with value as a key value pair in attributes argument.
<cfldap action="modifyDN" attributes="cn=Accounting Officers" dn="cn=QA Managers,ou=Groups,dc=example,
dc=com" server="localhost" port="10389" username="uid=admin,ou=system" password
="Password@123" >
  • To move an entry completely to another ldap tree, specify the targetDN in the attributes argument to move the entry to a new location
<cfldap action="modifyDN" attributes="cn=Accounting Managers,ou=Special Users,dc=example,dc=com" 
dn="cn=Accounting Managers,ou=Groups,dc=example,
dc=com" server="localhost" port="10389" username="uid=admin,ou=system" password
="Password@123" >

Share this page

Was this page helpful?
We're glad. Tell us how this page helped.
We're sorry. Can you tell us what didn't work for you?
Thank you for your feedback. Your response will help improve this page.

On this page