Discussion forum for the LdapNgPlugin

-- MichaelDaum - 19 Jul 2006

Thanks Micha for sharing this Plugin with the TWikiCommunity!

Some feedback:

• What does the Ng in the Plugin name stand for? Possibly use a descriptive LdapQueryPlugin name instead?
• What is the reason to create a new Plugin, e.g. not extend the existing LdapPlugin?
• Is the LdapPlugin now obsolete?
• Installation instructions:
  • Mention to enable Plugin in configure to avoid the "gotcha"
• Plugin Info table:
  • How about measuring and documenting the PluginBenchmarks numbers?
  • Instead of Interwiki link, it might be better to use the full URL for the "Plugin Home" and "Feedback" links (visible when viewed and printed)
  • Add the Appraisal link

-- PeterThoeny - 19 Jul 2006

Yea, the plugin name is - let's say - rather adhoc (Ng = next generation). LdapQueryPlugin is ok. The reason for creating a new ldap plugin instead of modifying the LdapPlugin was that it was less effort. There were too many issues imho with the implementation of LdapPlugin. Time pressure was another issue as things were done for a client that needed a consistent suite. We now have two ldap plugins, I can't help it. Chosing one or the other depends on wether you already have the LdapContrib or not. Benchmarking the plugin would be nice but I have no time/money to do it. I use interwiki links in all of my plugins because that shortens urls. The "print" argument holds for all interwiki links though nobody complained so far and I doubt someone would. I will add the configure notion as well as th appraisal link. Thanks.

-- MichaelDaum - 20 Jul 2006

I note I get strange events. When it's time to to send out the notifications, it's just does this:

2006-08-16 20:46:04 cwd=XXXXXX 4 args: /usr/sbin/sendmail -t -oi -oeq
2006-08-16 20:46:04 XXXX "XXXX@XXXX" from env-from rewritten as "XXXX@XXXX" by rule 2
2006-08-16 20:46:07 cwd=XXXX 4 args: /usr/sbin/sendmail -t -oi -oeq
2006-08-16 20:46:08 XXXX "XXXX@XXXX" from env-from rewritten as "XXXX@XXXX" by rule 2
2006-08-16 20:46:12 cwd=XXXX 4 args: /usr/sbin/sendmail -t -oi -oeq
2006-08-16 20:46:13 XXXX "XXXX@XXXX" from env-from rewritten as "XXXX@XXXX" by rule 2

but doesn't actually send the e-mails. This ever since I installed this plugin.

-- EricCote - 16 Aug 2006

Thank Michael for that great plugin.
Can anybody tell me how to use search-filters with special characters, like german sn=Müller? On command-line ldap-clients, this filer has to be utf-8-encoded. What about the results? I retrieve the the utf-8 encoded "Müller". How can it be decoded?
I use {Site}{CharSet} = iso-8859-15 on my TWiki-configure. (TWiki yet doesn't support UTF-8 in the topics, isn't it?)
Thanks.

-- AlexanderScholler - 28 Aug 2006

Hi Alexander. Have a look at the latest LdapContrib and LdapNgPlugin. They now map the site's charset to utf8 and vice versa before accessing the LDAP server.

-- MichaelDaum - 18 Dec 2006

Thanks for the plugin Michael, it's been valuable for us.

I noticed a bug in the plugin. We have data fields in our LDAP repository that begin with the 'n' character (e.g. $name). Your plugin confuses them with line breaks ($n) which breaks the search clauses. I don't know enough Perl to contribute a patch for this but this is a problem other users can very well run into.

-- HarriLakkala - 02 Feb 2007

Harri: I have not looked at the code, but if you find something line this: s/\$n/\n/g, replace it with a zero-width negative lookahead, testing for non-alphanum characters: s/\$n(?![a-zA-Z0-9])/\n/g

-- PeterThoeny - 03 Feb 2007

What should I do if our corporate LDAP has multiple values for things like $cn and $mail? Is there someway to only display one of them? The first one, or the last one, or one matching some regex?

For instance, instead of using $cn in the format, what about $cn[0] or $cn['someRegex'] ?

-- DustinGooding - 08 Mar 2007

That's a cool idea.

-- MichaelDaum - 09 Mar 2007

I've tried playing with the SpreadSheetPlugin (using $percnt instead of %) inside the format string with options like LISTITEM and SEARCH but I can't find a reliable way to choose the correct entry in the list.

For example... each LDAP entry has three mail values. One current, one old, and one location specific (though the "current" one is the address folks should be using). Thus, $mail gives the following (in alphabetical order for each person, so it's always different):

first.m.last1@location.example.com, flast@old.example.com, first.m.last@example.com

How do I only display the

@example.com

-- DustinGooding - 12 Mar 2007

I apologize for thinking out loud. I figured out the above issue. Fairly simple...

$percntCALC{$LISTIF($SEARCH(@example.com, $item), $mail)}$percnt

-- DustinGooding - 12 Mar 2007

Any luck with the $cn issue? (our Ldap also uses it for different fields)

-- JosMaccabiani - 26 May 2007

Michael, how would I get the output from this plugin and stuff the results into variables? For instance, I search for a single UID and I want the sn and cn results stuffed into vars SN and CN, respectively. I tried a formatted SET and even CALC but neither seems to work and a search of SEARCH questions doesn't seem to cover something like this.

Thanks

-- SteveRJones - 18 Sep 2007

Answered on IRC

-- MichaelDaum - 21 Sep 2007

Would it be possible for you to provide LDAPGROUPNAMES and LDAPGROUPMEMBERS to give the results of LdapContrib's getGroupNames and getGroupMembers? Thanks.

-- CharlieReitsma - 22 Mar 2008

I looks like exclude can only work if you've only given it one single WikiName. Is that correct? If I try to give it a comma-separated list, as with many other parameters on TWiki, it ignores all of them. Is there another way to have it exclude a list of WikiNames?

-- DavidWolfe - 13 May 2008

Am I correct that %LDAPUSERS% can display $wikiName, but %LDAP% cannot? There seems to be some disparity between what is available in each of the calls. For example, %LDAP% can also get our Instant Message information from $apple-imhandle, while %LDAPUSERS% doesn't seem to be able to. I understand that the point of %LDAPUSERS% is to display a list of users. While %LDAP% seems to be intended to get individual information about a given record, I can use it to get the same list of users. The problem is that I can't get the same information all together in a single list. Am I missing something?

-- DavidWolfe - 13 May 2008

What would it take to be able to also override per query the BindDN and BindPasswd? We have two directories and it would be very nice to be able to query info from both in the same twiki server. Our IT dept operates and supports both directories, AD and eDirectory. It looks like it could work if one of them did not need the binding part but I dont think that's an option.

-- LarsEik - 12 Sep 2008

Would you like to mix the %LDAP query results from two servers, or do you want to mix the users and groups from two independent authorities? The cleanest way would be to set up a proxy directory for both, cleaner conceptionally and in terms of performance.

-- MichaelDaum - 15 Sep 2008

We only need authentication from one directory but for managing info it would be great to be able to query the two directories separately, not in the same query.

-- LarsEik - 15 Sep 2008

OIC. How would you specify the BindPasswd without making it readable online?

-- MichaelDaum - 15 Sep 2008

It don't think it would be a big problem if it was set in the topic (maybe the topic preferences) and with topic permissions it should be possible to restrict viewing the topic source, right? It is a in-house network. Also I think the bind user don't need very much permissions in the directory either. Anyway I see that it is not a perfect solution.

The best would maybe be if LdapContrib used a config like the DatabasePlugin, then it would be easier to make several connections to multiple directories. But that might have other issues to resolve. I don't know much Perl and stuff. I guess which binding would be authentication would be one issue.

-- LarsEik - 15 Sep 2008

Ah good hint. Will have a look at DatabasePlugin. Did you see that the current %LDAP can very well connect a different directory, if it allows an anonymous bind?

-- MichaelDaum - 16 Sep 2008

Yes, but we must use bind on AD. But I shall check if eDirectory allows anonymous binding.

-- LarsEik - 16 Sep 2008

I am trying to find a way by which I could also modify the LDAP values right from TWiki. I have also opened up a support question under the topic ModifyLDAPAttribute, UsingPersonalInfoAddOn, but wanted to check if I can get any help from this thread. I have PersonalInfoAddOn and LdapNgPlugin along with the NewUserPlugin installed and working fine. Is there any way I could modify the LDAP values through TWiki ?

-- VirendraSingh - 08 Jan 2009

No response so far. Any help ?

-- VirendraSingh - 21 Jan 2009

Virendra: if you do not get a timely answer I suggest to hire one of the TWikiConsultants.

For those using this plugin to pull values from LDAP for display in user form fields: You can put LDAP queries in form fields so that you have one system of records. For example, the query for the "Department" field for user "jsmith" looks like this: %LDAP{ "(uid=jsmith)" format="$ou" }%.

-- PeterThoeny - 01 Feb 2009

I'm looking to pull out information line Job Title, Telephone Number, and Address with this plugin (I am using a Windows AD as the LDAP server) how can this be accomplished? I have tried the attributes $address, $telephone-number (the MS format for that attribute) and $job-title. This does not seem to be working.

-- Billy Bryant - 2014-01-06