Writing to LDAP


(Ryan Archer) #1

I know it's fairly straightforward to read from an LDAP source using the LDAP bridge asset and allow users to login to Squiz Matrix based on the Active Directory (AD) permissions.

We currently have a form hosted outside Squiz Matrix environment and I'm fairly sure that it has been written in Visual Basic/ASP.NET - the page itself renders out in HTML format in the browser of course.

It is used to login to memberships, allow visitors to register and also for members to change/edit their details in the LDAP. The common theme here is that it allows users to make changes to their profile within LDAP.

All I can see the LDAP bridge do now is a read only "GET" action but no "POST" action - hence why I think the form was originally created outside of the Squiz Matrix environment (the form was created before I was around).

I have been tasked with bringing the ASP.NET forms into the Squiz Matrix environment and I am wondering if it can be done. I gather there is not currently an asset that can do it. I assume it was created outside of Squiz Matrix for a reason and perhaps I should make a remote content asset and scrape the page into Squiz Matrix?

Has anyone got any experience with writing to LDAP from Squiz? I know HTML/CSS/JS/PHP - but I am not familiar with C# or Visual Basic.


(Ryan Archer) #2

Not sure if this roadmap entry has anything to do with it, but I thought I would include it here, https://squizmap.squiz.net/matrix/8397


(Aleks Bochniak) #3

Can you use the remote content asset to tunnel the asp page ?


(Marcus Fong) #4

I assume it was created outside of Squiz Matrix for a reason and perhaps I should make a remote content asset and scrape the page into Squiz Matrix?

It's hard to say how well Remote Content would work - I assume that form requires authentication. Matrix Remote Content can do HTTP authentication, but if you need to pass through the user's own username and password then I don't think you can do that. Also, if the form requires Windows native authentication I don't think that's supported either; last I checked, Matrix can only do HTTP Basic authentication.

If you're happy to keep the form running where it is - which you would have to, in order to use Remote Content - then you might be better off just linking to it, or proxying at the webserver level (Apache/Nginx) instead.

Has anyone got any experience with writing to LDAP from Squiz? I know HTML/CSS/JS/PHP - but I am not familiar with C# or Visual Basic.

As regards writing to LDAP, I've never heard of it being attempted at Squiz - I'd normally expect any such idea to be flatly vetoed by the client's IT department on security policy grounds.

Not sure if this roadmap entry has anything to do with it, but I thought I would include it here, https://squizmap.squiz.net/matrix/8397

Unfortunately, that Squizmap entry has nothing to do with writing to LDAP.

The scenario it refers to is where the LDAP administrators have decided to reorganise their tree and (using their normal administration tools) have moved their LDAP users and/or groups to a new tree location. Because this changes the user and group DNs, this breaks all Matrix references to those users and groups, such as:

  • which user created, last modified or last published an asset;
  • any links created for the LDAP users or groups in the Matrix asset tree (e.g. linking an LDAP user under a Matrix group);
  • any permissions directly granted to the LDAP users or groups.

The script ldap_change_dn.php updates those references in Matrix so that they will continue to work - you give it the old DN (where the LDAP users and/or groups used to be located) and the new DN (where they were moved to) and it does a search and replace. That saves an enormous amount of manual work (re-linking everything and redoing all the permissions).

The Squizmap entry was asking for a way to perform the same operation from the Matrix administration interface, rather than having to run the script from the server's command line.

If you're absolutely sure you need to do this natively in Matrix, then you'd probably want to contact your Squiz account manager and have a discussion about requirements, options and costs.
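The DN search-and-replace that Marcus describes, written out as an added example to show what such a rebase has to get right (it is not the code of Matrix's ldap_change_dn.php, which is not on the page). The base DNs and the records standing in for Matrix's created-by / modified-by / permission references are constructed; the point is that the match is done on whole RDN components, case-insensitively, with escaped commas preserved, so a sibling OU such as ou=Staff2 is never rewritten by mistake.

```python
import re

# Constructed sample: the old and new locations of the Staff subtree.
OLD_BASE = "ou=Staff,dc=example,dc=com"
NEW_BASE = "ou=People,ou=Sydney,dc=example,dc=com"

# Constructed stand-ins for Matrix rows that store a user or group DN.
SAMPLE_RECORDS = [
    {"asset": 1234, "created_by_dn": "cn=rarcher,ou=Staff,dc=example,dc=com"},
    {"asset": 1234, "modified_by_dn": "cn=Smith\\, John,ou=Staff,dc=example,dc=com"},
    {"asset": 5678, "granted_to_dn": "cn=web-editors,ou=Groups,dc=example,dc=com"},
]

def split_dn(dn):
    """Split a DN into RDN components, keeping backslash-escaped commas
    (RFC 4514) inside a value such as 'cn=Smith\\, John' intact."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn)]

def normalise(rdns):
    # Attribute types and most string values compare case-insensitively in
    # LDAP; also collapse spaces around '=' so 'ou = Staff' equals 'ou=Staff'.
    return [re.sub(r'\s*=\s*', '=', r).lower() for r in rdns]

def rebase_dn(dn, old_base, new_base):
    """Return dn with its old_base suffix replaced by new_base, or None when
    dn is not located at or under old_base. Whole RDNs are compared, so a
    plain substring replace's false match on 'ou=Staff2' cannot happen."""
    parts, old, new = split_dn(dn), split_dn(old_base), split_dn(new_base)
    if len(parts) < len(old) or normalise(parts[-len(old):]) != normalise(old):
        return None
    return ",".join(parts[:-len(old)] + new)

def update_references(records, old_base, new_base):
    """Rewrite every DN-valued field (keys ending in '_dn') of the given
    records in place and return how many references were changed."""
    changed = 0
    for rec in records:
        for field, value in rec.items():
            if field.endswith("_dn"):
                moved = rebase_dn(value, old_base, new_base)
                if moved is not None and moved != value:
                    rec[field] = moved
                    changed += 1
    return changed

if __name__ == "__main__":
    rows = [dict(r) for r in SAMPLE_RECORDS]
    print(update_references(rows, OLD_BASE, NEW_BASE), "references updated")
    for r in rows:
        print(r)
```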