Get additional LDAP/AD user attributes


(Nic Hubbard) #4

Thanks, this is very good to know. One thing, our LDAP admin said to try (samaccountname=nnhubbard) for my search filter, but nothing comes up in Matrix, whereas it does for him just doing an LDAP search.

Would the difference here be the context of our LDAP Bridge?


(Marcus Fong) #5

I’m not sure what search filter you mean here, Nic. If you want to output an LDAP attribute of the current user, as far as I know you should just use this keyword:

https://matrix.squiz.net/manuals/ldap/chapters/ldap-users#Keyword-Replacement-for-LDAP-Users

You must have ticked “Display” for that attribute in the LDAP User Setup screen of the bridge, though:

https://matrix.squiz.net/manuals/ldap/chapters/ldap-user-setup-screen

That’s where the bind user’s attributes come in - the LDAP User Setup screen only shows the non-empty attributes of the bind user, so if the bind user doesn’t have the attribute you want it can’t be displayed and you can’t use the keyword.


(Nic Hubbard) #6

I was using the LDAP Data Source asset.


(Marcus Fong) #7

Oh, I see.

I don’t think you should need any LDAP data source assets to show the current user’s attributes. Just use the %globals_user_attribute_<attribute>% keyword I linked above.


(Nic Hubbard) #8

I had our LDAP admin check, and our bind user has many many attributes, all of which do not show up in the LDAP Bridge under “LDAP User Setup”.

Any ideas why this would be? We are stumped.


(Marcus Fong) #9

Are the attributes populated with values? I recall from an earlier thread that the LDAP User Setup screen didn’t show attributes with no value set.


(Nic Hubbard) #10

Yes, they are populated with values.


(Robin Shi) #11

The service credential must have some value in the field; we put ‘x’ in each.


(Nic Hubbard) #12

What do you mean by service credential?


(Robin Shi) #13

The one that authenticates Matrix to connect to LDAP, the bind DN.


(Nic Hubbard) #14

Are you saying our Bind DN user should have a “service credential” attribute? Our LDAP admin said it doesn’t have this.


(Robin Shi) #15

Sorry for not being clear.
For example, if you need to populate the attribute of description, the description field in the Bind DN CANNOT be empty.


(Nic Hubbard) #16

Yes, we have MANY attributes that are not empty, but none of them show up in the LDAP User Setup screen.


(Robin Shi) #17

Hmm, this sounds strange. We populate employeeID and studentID etc. without any issue. Maybe start the investigation with permissions: try logging in as the bind user to see if the attributes are visible?
Also, a question to Squiz: is there an upper limit on the number of attributes?


(Nic Hubbard) #18

Just an additional note, I am able to get user attributes when using ldapsearch in the shell, but not sure that is helpful to know…
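
Added example, not part of any post in this thread: one way to run the permission check suggested in #17 is to capture the bind user's own entry with ldapsearch twice (once bound as an administrator, once bound as the bind DN) and list the attributes the bind DN cannot read. The host, DNs and sample LDIF are constructed placeholders, and `nonempty_attrs` and `hidden_from` are hypothetical helper names.

```shell
# Added example; host, DNs and the sample LDIF below are constructed placeholders.
# Capture the bind user's own entry once per identity, e.g. bound as the bind DN:
#   ldapsearch -x -LLL -o ldif-wrap=no -H ldap://ldap.example.edu \
#     -D "$BIND_DN" -W -b "$BIND_DN" -s base '*' > as_bind.ldif
# then compare the two captures:  hidden_from as_admin.ldif as_bind.ldif

# Print the sorted names of attributes that carry a non-empty value in LDIF on stdin.
nonempty_attrs() {
  awk '
    /^#/ || /^ / { next }                 # skip comments and folded continuation lines
    /^[A-Za-z][A-Za-z0-9;-]*:/ {
      name = $0; sub(/:.*/, "", name)
      val = $0;  sub(/^[^:]*:[:<]?[ ]*/, "", val)   # handles "a: v", "a:: b64", "a:< url"
      if (name != "dn" && val != "") print name
    }' | LC_ALL=C sort -u
}

# Print attributes that have a value in LDIF file $1 but not in LDIF file $2.
hidden_from() {
  t1=$(mktemp) && t2=$(mktemp) || return 1
  nonempty_attrs < "$1" > "$t1"
  nonempty_attrs < "$2" > "$t2"
  LC_ALL=C comm -23 "$t1" "$t2"
  rm -f "$t1" "$t2"
}

# Constructed sample: the bind user's entry as an administrator sees it.
sample_admin_view() {
  cat <<'EOF'
dn: CN=svc-matrix,OU=Service,DC=example,DC=edu
sAMAccountName: svc-matrix
description: x
employeeID: x
mail:
EOF
}

# Constructed sample: the same entry as returned when bound as the bind DN itself.
sample_bind_view() {
  cat <<'EOF'
dn: CN=svc-matrix,OU=Service,DC=example,DC=edu
sAMAccountName: svc-matrix
description: x
EOF
}
```

An attribute listed by `hidden_from` exists on the entry but is not readable by the bind DN, which points at directory read permissions rather than at an empty value.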


(Nic Hubbard) #19

Squiz, any additional help here?


(A Maskell) #20

Hi Nic, what was the solution for this in the end?


(Nic Hubbard) #21

We never found a solution. :frowning:


(A Maskell) #22

Thanks for the reply… that kind of gets in the way then… did you get a workaround or move on?

We are on 5.4.3.0 and were looking at the same kind of need for staff ID or student ID fields for data matching purposes.


(Nic Hubbard) #23

We just moved on and never implemented it.