Get additional LDAP/AD user attributes

(Nic Hubbard) #1

Matrix Version:

We have a page on our website that we only allow users to view if they have logged in. For authentication we are using the LDAP Bridge and we are using Active Directory.

Our AD admin tells use that there is extra attributes in AD that contain their student ID. We want to expose that student ID on the logged in page.

Is it possible to have Matrix show other AD attributes as keywords?

(Nic Hubbard) #2

Looks like using the LDAP Data Source might be the key here? Any tips on what filter query to use? I basically want to query to just find one user by username.

(Marcus Fong) #3

One thing to note here, Nic… if you need to use a particular LDAP user attribute, the LDAP bridge’s bind user must have that attribute applied to it, and that attribute can’t be empty on the bind user either.

(Nic Hubbard) #4

Thanks, this is very good to know. One thing, our LDAP admin said to try (samaccountname=nnhubbard) for my search filter, but noting comes up in Matrix where as it does for him just doing a LDAP search.

Would the different be here the context of our LDAP Bridge?

(Marcus Fong) #5

I’m not sure what search filter you mean here, Nic. If you want to output an LDAP attribute of the current user, as far as I know you should just use this keyword:

You must have ticked “Display” for that attribute in the LDAP User Setup screen of the bridge, though:

That’s where the bind user’s attributes come in - the LDAP User Setup screen only shows the non-empty attributes of the bind user, so if the bind user doesn’t have the attribute you want it can’t be displayed and you can’t use the keyword.

(Nic Hubbard) #6

I was using the LDAP Data Source asset.

(Marcus Fong) #7

Oh, I see.

I don’t think you should need any LDAP data source assets to show the current user’s attributes. Just use the %globals_user_attribute_<attribute>% keyword I linked above.

(Nic Hubbard) #8

I had our LDAP admin check, and our bind user has many many attributes, all of which do not show up in the LDAP Bridge under “LDAP User Setup”.

Any ideas why this would be? We are stumped.

(Marcus Fong) #9

Are the attributes populated with values? I recall from an earlier thread that the LDAP User Setup screen didn’t show attributes with no value set.

(Nic Hubbard) #10

Yes, they are populated with values.

(Robin Shi) #11

the service credential must have some value in the field, we put ‘x’ in each.

(Nic Hubbard) #12

What do you mean by service credential?

(Robin Shi) #13

the one authenticate matrix to connect to LDAP, the bind DN.

(Nic Hubbard) #14

Are you saying our Bind DN user should have a “service credential” attribute? Our LDAP admin said it doesn’t have this.

(Robin Shi) #15

Sorry for not having clarified clear.
For example. If you need to populate the attribute of description, the description field in the Bind DN CANNOT be empty.

(Nic Hubbard) #16

Yes, we have MANY attributes that are not empty, but none of them show up in the LDAP User Setup screen.

(Robin Shi) #17

Humm, this sounds strange. We populate employeeID and studentID etc without any issue. Maybe you start investigation with permission, try login as the bind user to see if the attribute are visible?
Also a question to Squiz if there is a upper limit of the number of the attributes?

(Nic Hubbard) #18

Just an additional note, I am able to get user attributes when using ldapsearch in the shell, but not sure that is helpful to know…

(Nic Hubbard) #19

Squiz, any additional help here?

(A Maskell) #20

Hi Nic, what was the solution for this in the end?