[Quick Hint] Working with AD in vRO with plugin and ldapClient

There are two ways to get data from AD in vRealize Orchestrator: with the AD plugin and with ldapClient. The native ldapClient is much more powerful but also a bit more complicated to use. In this short post I’ll show you how to use both. First we will find the email for a known user account name, and then we will find a user account name based on the user's email. As we all know, one can bind the user name or email on a XaaS form in vRA quite easily.

Let's start by finding the email for a known AD account name with the AD plugin. First we need to clean up the user name that was passed from vRA: vRA passes the user name in the format user@domain, and we need only the account name. The next step is to find the proper AD endpoint to work with. If your vRO has only one AD endpoint, you can just take the first one returned by the findAllHosts function, like this: var adHosts = AD_HostManager.findAllHosts()[0];

For me it is a bit more complicated, so the second input to this action is the name of the domain I want to search in. Once we have the AD endpoint, we can use the library function searchExactMatch to find the user. You can also use this function to search for groups, OUs or computer accounts: just change the first argument from “User” to “UserGroup”, “OrganizationalUnit” or “ComputerAD” respectively. Function searchExactMatch returns an array, so we take only the first element here. User names should be unique 😉 Once you have an AD:User object, you can get any of its attributes with the getAttribute function.

Working with vRO AD plugin FindUserEmail example:

//user - user name
//adName - ad server endpoint domain name

user = user.split("@")[0]; //cleanup user name format from user@domain to user
var adHosts = AD_HostManager.findAllHosts();
var adUser = null;
var adHostFound = null;
//Find the AD endpoint whose default domain matches adName
for each (var host in adHosts) {
	var adHost = host.hostConfiguration;
	if (adHost.defaultDomain.indexOf(adName) != -1) {
		System.debug("Found AD host: " + adHost.defaultDomain);
		adHostFound = adHost;
		break;
	}
}
//Find user
adUser = ActiveDirectory.searchExactMatch("User", user, 1, adHostFound)[0];
if (adUser) {
	//get email attribute
	var email = adUser.getAttribute("mail");
	System.debug("Email: " + email);
	return email;
}

return null;

Now we want to find a user based on its email. Library functions will not help us here: searchExactMatch will not find an AD record based on an arbitrary attribute. Therefore we will use ldapClient.

Besides the standard inputs, the searched email and the domain name used to find the proper endpoint, we will need the LDAP DN, which is used by the searchForEntry function. Additionally, we have to create an array of the attribute names we want to get back when we find the object; this is the ATTRIBS array.

Once we have the proper AD endpoint, we run the search query with searchForEntry, and if we find the object we can get any of the predefined attributes with the getAttributeValue function. At the end we close the AD connection.

Working with ldapClient FindUserAccountName example:

//email - searched email
//adName - ad server endpoint domain name
//LDAP_DN = domain DN example: "DC=DOMAIN,DC=COM"

//Attributes we want to get for the object
var ATTRIBS = ['dn','cn','objectClass','mail','displayName','gidNumber','sAMAccountName'];
var adHosts = AD_HostManager.findAllHosts();

for each (var adHost in adHosts) {
	if (adHost.defaultDomain.indexOf(adName) > -1) {
		var ldapClientObj = adHost.getLdapClient();
		var userName = null;
		//email is concatenated into the filter as-is; escape LDAP filter special characters if it comes from user input
		var entryObj = ldapClientObj.searchForEntry(LDAP_DN, LdapSearchScope.SUB, 0, "(&(objectClass=user)(mail=" + email + "))", ATTRIBS);
		if (entryObj != null && entryObj !== undefined) {
			//get account name attribute
			userName = entryObj.getAttributeValue('sAMAccountName');
			System.log("Found AD object with name: " + userName);
		}
		//close the AD connection whether or not the entry was found
		if (ldapClientObj != null) {
			ldapClientObj.close();
		}
		return userName;
	}
}
return null;

The power of ldapClient is that you can search for an AD object by any attribute it has.

You can also search for different kinds of objects in AD by modifying the objectClass item, like this:

//Find AD Group by gid
var entryObj = ldapClientObj.searchForEntry(LDAP_DN, LdapSearchScope.SUB, 0, "(&(objectClass=group)(gidNumber=" + gid + "))", ATTRIBS);
//if found get attributes
if (entryObj != null) {
	var samAccountName = entryObj.getAttributeValue('sAMAccountName');
	var gid = entryObj.getAttributeValue('gidNumber');
}

//Find AD User by uid
var entryObj = ldapClientObj.searchForEntry(LDAP_DN, LdapSearchScope.SUB, 0, "(&(objectClass=user)(uidNumber=" + uid + "))", ATTRIBS);
//if found get attributes
if (entryObj != null) {
	var samAccountName = entryObj.getAttributeValue('sAMAccountName');
	var uid = entryObj.getAttributeValue('uidNumber');
}
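
The search filters in this post are built by concatenating the input value (email, gid, uid) directly into the filter string, and on a XaaS form that value comes from the requester. The following is an added example, not code from the original post: it escapes the value as described in RFC 4515 before building the filter. The helper names escapeLdapFilterValue and buildAttributeFilter are hypothetical, the sample inputs are constructed, and console.log stands in for System.log so the snippet runs outside vRO.

```javascript
// Added example, ES5 syntax so the two functions can be pasted into a vRO action.

// Escape a value for use inside an LDAP search filter (RFC 4515, section 3):
// each special character becomes a backslash followed by its two-digit hex code.
function escapeLdapFilterValue(value) {
    var s = String(value);
    var out = "";
    for (var i = 0; i < s.length; i++) {
        var ch = s.charAt(i);
        switch (ch) {
            case "\\":     out += "\\5c"; break;
            case "*":      out += "\\2a"; break;
            case "(":      out += "\\28"; break;
            case ")":      out += "\\29"; break;
            case "\u0000": out += "\\00"; break;
            default:       out += ch;
        }
    }
    return out;
}

// Hypothetical helper: builds the "(&(objectClass=...)(attr=value))" filter
// that the post passes to searchForEntry.
function buildAttributeFilter(objectClass, attribute, value) {
    // objectClass and attribute are chosen by the workflow author, never by
    // the requester; they are still checked against a strict name pattern.
    var NAME = /^[A-Za-z][A-Za-z0-9-]*$/;
    if (!NAME.test(objectClass) || !NAME.test(attribute)) {
        throw new Error("Invalid objectClass or attribute name");
    }
    // An empty value would produce a malformed filter, so reject it early.
    if (value === null || value === undefined || String(value).length === 0) {
        throw new Error("Empty search value");
    }
    return "(&(objectClass=" + objectClass + ")(" + attribute + "=" +
        escapeLdapFilterValue(value) + "))";
}

// Constructed sample inputs: a normal address and two values that contain
// filter metacharacters. After escaping they only match literally.
var samples = ["jane.doe@example.com", "*", "x)(cn=y"];
for (var n = 0; n < samples.length; n++) {
    console.log(buildAttributeFilter("user", "mail", samples[n]));
}
```

In the actions above, the filter argument of searchForEntry would then be buildAttributeFilter("user", "mail", email) instead of the concatenated string.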