LDAP / Active directory


LDAP Tracker Field: How does it work?

United States

My installation of Tiki (8.4 production, 9.0 dev currently) is working great with LDAP authentication against Active Directory. It syncs security groups with user groups, pulls Real Name and email information, and all that stuff. I love it! What I'd really like though is for more of the LDAP user information to be available in Tiki via the User Registration tracker.

I was excited when I found that someone (Marc Laporte, perhaps?) created an LDAP field type for tracker. Unfortunately, it is one of Tiki's many woefully undocumented or under-documented features.

From "http://doc.tiki.org/LDAP%20Tracker%20Field":
"Display a field value from a specific user in LDAP". Great. This documentation page also provides a link to the PHP file from the trunk source, or something. Yeah, I already looked at that file from my local installation.

I have spent hours trying to find a shred of information about this on the web. I've found NOTHING. No examples, no references to it anywhere in IRC logs or forums or anything. Has anybody ever implemented this field type anywhere?

I know that this field uses a registered Data Source Name (just finding how to access this admin panel in recent versions of Tiki requires digging around in folders on the server), but since this syntax differs so drastically from the regular LDAP config pages, I'm lost.

Is this field type just an abandoned feature that never worked in the first place, or could it actually be configured to function and pull extra user data out of Active Directory? If anyone can offer me some help on this, or at least tell me to stop wasting my time, I'd greatly appreciate it! Thanks.

United States

The way I read this:

The filter field is an LDAP filter that will return the data from LDAP e.g.

(&(mail=%field_name%)(objectclass=person))

The field_name is the tracker field that is the key to the query. If the tracker has a field called username, you could put that here and the username would be passed to the filter above in the variable
%username%


The DSN is still lost on me. I get the idea, but I don't know where to configure it yet. Sorry

\\Greg


Looking for more data on this also.

Using lib/ldap/ldaplib.php as an example, I have created the following test script:

<?php
// Stand-alone test script run from the Tiki root; uses Tiki's bundled ADOdb LDAP driver.
require_once ('lib/adodb/adodb.inc.php');

$user = 'aduser';
// DSN carries the bind credentials (AD refuses anonymous queries) and the search base.
$dsn = 'ldap://ldap-user:ldap-password@ldap.contoso.com/ou=Domain Users,DC=contoso,DC=com';
$filter = "(|(CN=$user*)(sn=$user*)(givenname=$user*)(uid=$user*))";
$field = 'sn';

// Try to connect
$ldaplink = ADONewConnection($dsn);
$return = null;

if (!$ldaplink)
{
  // Wrong DSN: stop here instead of calling methods on a non-object
  die("VALUE: [BAD DSN]");
}

$ldaplink->SetFetchMode(ADODB_FETCH_ASSOC);
// For the LDAP driver, Execute() takes the search filter instead of an SQL statement
$rs = $ldaplink->Execute($filter);

if ($rs)
{
  while ($arr = $rs->FetchRow())
  {
    // Return the requested attribute from the first entry that has it
    if (isset($arr[$field]))
    {
      $return = $arr[$field];
      break;
    }
  }
}

$ldaplink->Close();

echo "VALUE: [" . $return . "]";


The script runs (on the Tiki server) as expected, returning the user's last name.

DSN has been created in Tiki to match LDAP DSN above.
Created tracker with LDAP field and set 'Filter' and 'Field' as above.

Not sure on the syntax used to replace '$user' with the user field from the tracker, but the correct value is not displayed even if the user id is hardcoded into the Filter.

LDAP authentication is enabled and works correctly.

Currently running Tiki 10.2


United States

Well, it only took me a year and a half, but I finally figured out how this works. Thanks to both gmartin and ljeanette for their feedback. Here's what I did to get it to work.

One of the things I think I was forgetting in my testing was that my LDAP is Active Directory, and it is configured to require a BIND using valid credentials in order to return any information. No bind, no response. In most of my testing, I was assuming that anonymous queries would work, but that's not true in my environment. I created a service account and embedded that in the DSN as ljeanette shows in her example. It worked in her script (as modified for my environment), but it didn't work in my tracker.

Then I went back to gmartin's explanation of the LDAP filters. I was trying a couple of different things that weren't working, and when I used the right %Field_Name% using the given name in that tracker (rather than the global fieldID) it pulled the field data from LDAP and displayed it in the tracker. I almost fell out of my chair.

This is the syntax for the LDAP field in the tracker:

LDAP field
Filter: (|(mail=%Email%*))
Field: displayName

This took the email address entered in a field named "Email" in the same tracker and pulled the "displayName" attribute out of LDAP.

I am so amazed that this actually works, and that it was so incredibly difficult to figure out.

Update: I have written the documentation for https://doc.tiki.org/LDAP+Tracker+Field so that it is no longer just a useless stub.
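The two pieces this thread pins down are the %Field_Name% substitution that gmartin describes (the name of the tracker field, not its numeric ID, as the post above found) and the "first entry that has the attribute" lookup in ljeanette's script. The following is an added stand-alone example in Python, not Tiki's PHP code or the ADOdb driver: it models the tracker item as a dict and the directory's answer as a constructed list of entries, and it escapes the substituted value per RFC 4515 so that whatever a user typed into the tracker field (for example into "Email") is matched literally and cannot change the structure of the filter. The function and sample names are this example's own.

```python
import re

# RFC 4515 section 3: characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

def escape_filter_value(value: str) -> str:
    """Escape a tracker-supplied value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

# %Field_Name% placeholders as used in the tracker's Filter setting, e.g. (mail=%Email%*)
_PLACEHOLDER = re.compile(r"%([^%]+)%")

def build_filter(template: str, item: dict, escape: bool = True) -> str:
    """Replace every %Field_Name% in the template with the matching tracker field value.

    Placeholders are resolved by the field's name in the tracker item, which is the
    detail the thread identifies as the fix. A placeholder with no matching field
    raises KeyError instead of being sent to the directory unreplaced.
    The trailing wildcard in a template such as (mail=%Email%*) is part of the
    template, so escaping the value leaves the intended wildcard intact.
    """
    def _sub(match):
        name = match.group(1)
        if name not in item:
            raise KeyError(f"tracker has no field named {name!r}")
        value = str(item[name])
        return escape_filter_value(value) if escape else value
    return _PLACEHOLDER.sub(_sub, template)

def first_attribute(entries, field):
    """Return the requested attribute from the first entry that has it, mirroring the
    posted ADOdb loop. LDAP attribute names are case-insensitive, so the lookup
    ignores case (a driver may hand back 'displayname' for 'displayName')."""
    wanted = field.lower()
    for entry in entries:
        for attr, value in entry.items():
            if attr.lower() == wanted:
                return value[0] if isinstance(value, list) else value
    return None

# Constructed sample data standing in for the tracker item and the directory response.
SAMPLE_ITEM = {"Email": "jdoe@contoso.com", "username": "jdoe"}
SAMPLE_ENTRIES = [
    {
        "dn": "CN=John Doe,OU=Domain Users,DC=contoso,DC=com",
        "mail": ["jdoe@contoso.com"],
        "displayname": ["John Doe"],
        "sn": ["Doe"],
    },
]

if __name__ == "__main__":
    # The working configuration from the thread: Filter (mail=%Email%*), Field displayName
    print(build_filter("(mail=%Email%*)", SAMPLE_ITEM))          # (mail=jdoe@contoso.com*)
    print(first_attribute(SAMPLE_ENTRIES, "displayName"))        # John Doe
    # A value containing filter metacharacters is neutralised by escaping
    print(build_filter("(mail=%Email%)", {"Email": "a)(b"}))     # (mail=a\29\28b)
```

The `escape=False` path exists only to show the difference: without escaping, a value such as `a)(b` becomes part of the filter grammar, which is why a tracker field that users can edit should always go through the escaping step before it reaches the directory.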


United States

Great news - thanks for persevering.

One note - It appears to me your LDAP filter is unnecessarily complex. The simpler version would drop the OR clause and simply use:

(mail=%Email%*)

