LDAP / Active directory

External groups by LDAP distinguishedName in Tiki 19?

Developer Xorti has recently made some changes to the LDAP code in the trunk in commit R66965. He has replaced the Pear library with the Zend library. It's great that someone is working on this very old code! I trust this new LDAP implementation is a nice improvement!

I have recently asked a developer intern to write a bit of code that does the following:

  • If the group attribute (Admin settings > Log in > LDAP external groups) is set to 'distinguishedName'
  • Extract all the OUs (Organizational Units) from the distinguishedName
  • Make the user a member of the user groups named after these OUs (creating a group if it doesn't exist).

So if a user logs in with a distinguishedName:
CN=User Name,OU=Group,OU=Department,OU=Location,DC=Company,DC=local
He will be made part of the groups: Group, Department and Location

Xorti (or another developer), I can imagine this is useful for more organisations and could be made part of this updated code for Tiki 19?

Tiki 18.1 lib\auth\LDAP.php added on row 376 (code can use a bit of cleanup):

if ($this->options['usergroupattr'] === 'distinguishedName') {
    // get membership from user DN
    $this->add_log('ldap', 'LDAP CUSTOMIZED: usergroupattr is indeed distinguishedName');
    // split DN into RDN strings
    $dn_string = $this->user_attributes[$this->options['usergroupattr']];
    $rdn_strings = explode(',', $dn_string);

    // add value of RDNs with OU type
    $ugi = [];
    foreach ($rdn_strings as $rdn_string) {
        // split RDN string in type and value
        $rdn_parts = explode('=', $rdn_string, 2);
        if (count($rdn_parts) !== 2) {
            // malformed RDN (no '='): skip instead of reading an undefined offset
            continue;
        }
        $rdn_type = trim($rdn_parts[0]);
        $rdn_value = trim($rdn_parts[1]);
        // add RDN value if type is OU
        if ($rdn_type === 'OU') {
            $ugi[] = $rdn_value;
            $this->add_log('ldap', 'LDAP CUSTOMIZED: added ' . $rdn_value . ' to ugi');
        }
    }
} else {
    // default behaviour: take group membership straight from the configured attribute
    $ugi = &$this->user_attributes[$this->options['usergroupattr']];
}
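As an added example (my own code, not Tiki's and not from the post above; the function names are mine), here is an OU extractor that honours RFC 4514 escaping. The plain explode(',') in the snippet splits inside escaped values such as CN=Smith\, John, which matters when group membership is derived from the DN.

```php
<?php
// Added example, not Tiki code: extract OU values from a distinguishedName
// while honouring RFC 4514 escapes ("\," and "\2c"). A plain explode(',')
// splits inside escaped values and can put the user in the wrong groups.
/** Split a DN into RDN strings; a backslash escapes the next character. */
function split_dn(string $dn): array
{
    $rdns = [];
    $current = '';
    $len = strlen($dn);
    for ($i = 0; $i < $len; $i++) {
        $c = $dn[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $current .= $c . $dn[++$i]; // keep the escape for decoding later
        } elseif ($c === ',') {
            $rdns[] = $current;
            $current = '';
        } else {
            $current .= $c;
        }
    }
    $rdns[] = $current;
    return $rdns;
}

/** Decode RFC 4514 value escapes: "\," -> "," and "\2c" -> ",". */
function decode_rdn_value(string $value): string
{
    return preg_replace_callback('/\\\\([0-9A-Fa-f]{2}|.)/', function ($m) {
        return strlen($m[1]) === 2 ? chr(hexdec($m[1])) : $m[1];
    }, $value);
}

/** Return the decoded values of all OU RDNs, in DN order. */
function ou_groups_from_dn(string $dn): array
{
    $groups = [];
    foreach (split_dn($dn) as $rdn) {
        $parts = explode('=', $rdn, 2);
        if (count($parts) === 2 && strtoupper(trim($parts[0])) === 'OU') {
            $groups[] = decode_rdn_value(trim($parts[1]));
        }
    }
    return $groups;
}

// Constructed sample DN with an escaped comma inside an OU value.
$dn = 'CN=Smith\, John,OU=Sales\, EMEA,OU=Department,OU=Location,DC=Company,DC=local';
print_r(ou_groups_from_dn($dn)); // escape-aware result
print_r(explode(',', $dn));      // naive split: the escaped commas break values apart
```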

Hi Marc, thanks for pointing this out.

Xorti, you are the best! Excellent!
