Feature request: Filters for `ldap_object` data source

[zanecodes]

In addition to my use case in https://github.com/dodevops/terraform-provider-ldap/issues/5, I'd like to be able to search for a service account in Microsoft Active Directory by its servicePrincipalName attribute, since it must match the Vault server's hostname in order for Kerberos SPNEGO authentication to work correctly.

Several other LDAP providers support searching functionality, but have other downsides:

• trevex/ldap is missing documentation on the Terraform registry, and has not been updated in 2 years and appears unmaintained
• l-with/ldap only returns attributes as a JSON string, which is inconvenient for usage

With that in mind, I would like to add the following optional attributes to the ldap_object data source:

• base_dn (mutually exclusive with the existing dn attribute)
• scope (may only be specified with base_dn, defaults to "baseObject")
• filter (may only be specified with base_dn, defaults to "(&)")

This would be backwards compatible with the existing interface, as specifying only the dn attribute would behave the same as it does now, while specifying any of base_dn, scope, and filter would allow the user more flexibility.

I have a branch on my fork implementing this feature and would love to open a pull request and iterate on it.

[dploeger]

It's a great idea to have that. I'd suggest to implement this feature in a second DataSource (e.g. ldap_search) to separate getting one object instead of multiple objects.

[zanecodes]

That sounds like a good idea, I'll see what I can come up with! For my use case, I'm not concerned with searching for multiple objects, but it does seem like a valuable scenario to support.

I've half considered implementing the filter attribute as a Map of attribute/value pairs like trevex/ldap does, which would be transformed into an ANDed filter string, e.g.

ldap_object {
  base_dn = "dc=example,dc=com"
  scope = "wholeSubtree"
  filter = {
    uid = "example"
    memberOf = "cn=users,dc=example,dc=com"
  }
}

would produce the filter (&(uid=example)(memberOf=cn=users,dc=example,dc=com)).

However, this would substantially reduce the flexibility of the data source by limiting the filters that can be used, without (in my opinion) providing a significant benefit for users, since incorrectly constructed filters would produce an error during Terraform's plan phase because this is a data source.

[dploeger]

I'd say, keep it simple. Just use a string as a filter and you have the full flexibility.

[gthieleb]

I like the idea of having a search functionality instead of hardcoding the object that should be linked. In another provider I have seen that they make use of scope property to limit a nested search in the AD. Would you think to make this part of the search string?

[dploeger]

No, the scope should be a parameter as suggested. I just wouldn't implement structured fields that would build a search string.

[dploeger]

Oh. I just saw that I haven't reviewed the linked PR. Will do so tomorrow. Sorry for the wait.

[dploeger]

Released in 0.3.0