PersonalInfoAddOn modifications for use with Ldap authentication

In this topic, I'll document how I modified the PersonalInfo topic in a way that is useful for installations where the user data management is done in an Ldap database and TWiki users are authenticated against this Ldap database.

Assumptions:

  • The LdapContrib is installed and working
  • The LdapNgPlugin is installed and working
  • The NewUserPlugin is installed and working
  • You don't want to store any user information in TWiki, since it might get outdated (the Ldap database always has the most recent info)

TWiki.NewUserTemplate

When the user homepage is created, it is important that a TWiki Variable is set which holds a key (or uid) that identifies the user in the Ldap database. Without it, it is impossible to query the database for user information later. So I added these lines to my TWiki.NewUserTemplate:
<!-- WARNING: DO NOT REMOVE THIS NEXT LINE !!
   * Set MYLDAPWIKIUSER = %USERNAME%
-->

%MYLDAPWIKIUSER% holds the user's uid. This variable can be set when the user home topic is created. For this to work, it is important that NewUserPlugin handles the creation of the user homepage, as it will do this after the user has logged in and we will then be certain that %MYLDAPWIKIUSER% variable is set to the correct value.

PersonalInfo modifications

Here are the modifications I made to the PersonalInfo topic:

personalInfoFields

Change any fields for which you want to show Ldap data. You can leave other fields for regular TWiki form-based editing and storing. The example below gets the work phone number and the e-mail address from the Ldap server. Please note:
  • "organizationalPerson", "People", "$telephoneNumber" and "$mail" are characteristics of our Ldap, they might be named differently (or not exist at all) in your Ldap

%STARTSECTION{"personalInfoFields"}%<table cellspacing='0' cellpadding='0'>
<tr><th> Work phone: </th><td>%LDAP{"(&(objectClass=organizationalPerson) (uid=%MYLDAPWIKIUSER%))" base="(ou=People)" limit="1" format="$telephoneNumber"}% </td></tr>
%INCLUDE{"PersonalInfo" section="personalInfoDataRow" fieldName="WorkPhoneMobile" label="Work phone mobile"}%
<tr><th> E-mail: </th><td>%LDAP{"(&(objectClass=organizationalPerson) (uid=%MYLDAPWIKIUSER%))" base="(ou=People)" limit="1" format="<a href=mailto:$mail>$mail</a>"}% </td></tr>
%INCLUDE{"PersonalInfo" section="personalInfoDataRow" fieldName="WorkLocation" label="Location"}%
</table>%ENDSECTION{"personalInfoFields"}%

phoneListXML

Note that:
  • "organizationalPerson", "People", "$telephoneNumber" and "$mail" are characteristics of our Ldap, they might be named differently (or not exist at all) in your Ldap
  • "$cn" in our case expands to "FirstName LastName, LoginName". An alternative could be to use "$givenName $sn", if those fields exist in your Ldap

%STARTSECTION{"phoneListXML"}% <?xml version="1.0" encoding="ISO-8859-1"?> <users> %LDAP{"(objectClass=organizationalPerson)" base="(ou=People)" format="<user><name>$cn</name><phone>$telephoneNumber</phone><mail>$mail</mail></user>"}% </users>%ENDSECTION{"phoneListXML"}%

directSearchScript

One small change was made here: the links in the phone list results used to point to the user home topic, but are now mailto: links. This is because:
  • this made it into a more generally usable phone list application for us
  • constructing the link to the user home topic from Ldap data is not straightforward, since Dutch names can have words in between the first and last names (e.g.: Jan de Vries, Frans van der Ven)

Existing content:

output += "<td><a href='%SCRIPTURL{view}%/" + userData[i].topic + "'>" + linkLabel + "</a></td>";

Changed to:

output += "<td> <a href='mailto:" + userData[i].mail + "'>" + linkLabel + "</a> </td>";

The userData[i].mail property is available because of the changes made to the phoneListXML section described above.

directSearchData

The changes here are similar to the ones made to the phoneListXML section described above.

%STARTSECTION{"directSearchData"}%%LDAP{"(objectClass=organizationalPerson)" base="(ou=People)" format="{name:\"$cn\",phone:\"$telephoneNumber\",mail:\"$mail\"}" sep=", "}%%ENDSECTION{"directSearchData"}%
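The following is an added example, not code from the PersonalInfoAddOn or from the original topic. It models the direct search after the mailto: change described under directSearchScript, working on data in the shape that the directSearchData section produces (objects with name, phone and mail, where name is the Ldap $cn in the form "FirstName LastName, LoginName"). The userData array is constructed sample data, and the helper names (escapeHtml, splitCn, searchUsers, renderRow, renderResults) are this example's own. It also covers two cases the notes above mention: $cn is split at the last comma so the login name is not shown as part of the label, and a record whose Ldap entry has no mail attribute gets plain text instead of a broken mailto: link.

```javascript
// Added example: a small model of the direct search with mailto: links.
// Not part of PersonalInfoAddOn; names and sample data are this example's own.

// Constructed sample data in the shape produced by the directSearchData section
// ({name, phone, mail}); in the real setup it is filled by %LDAP{...}%.
const userData = [
  { name: "Jan de Vries, jdvries", phone: "+31 10 123 4567", mail: "jan.devries@example.org" },
  { name: "Frans van der Ven, fvdven", phone: "+31 10 123 4568", mail: "frans.vdven@example.org" },
  { name: "Anna <Test> & Co, atest", phone: "", mail: "" }, // entry without a mail attribute
];

// Escape the HTML special characters so that Ldap attribute values are rendered
// literally, both inside element text and inside the quoted href attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Split "$cn" ("FirstName LastName, LoginName") into the display label and login.
// Splitting at the last comma keeps multi-word Dutch names ("Jan de Vries") intact.
function splitCn(cn) {
  const idx = cn.lastIndexOf(",");
  if (idx < 0) return { label: cn.trim(), login: "" };
  return { label: cn.slice(0, idx).trim(), login: cn.slice(idx + 1).trim() };
}

// Case-insensitive substring search over name, phone and mail; an empty query
// returns nothing rather than the whole directory.
function searchUsers(users, query) {
  const q = query.trim().toLowerCase();
  if (q === "") return [];
  return users.filter(u =>
    [u.name, u.phone, u.mail].some(v => String(v).toLowerCase().includes(q)));
}

// Render one result row: a mailto: link with a quoted, escaped href, or plain
// text when the entry has no mail attribute.
function renderRow(user) {
  const { label } = splitCn(user.name);
  const linkLabel = escapeHtml(label);
  const cell = user.mail
    ? "<a href=\"mailto:" + escapeHtml(user.mail) + "\">" + linkLabel + "</a>"
    : linkLabel;
  return "<tr><td>" + cell + "</td><td>" + escapeHtml(user.phone) + "</td></tr>";
}

// Render all rows matching the query.
function renderResults(users, query) {
  return searchUsers(users, query).map(renderRow).join("");
}

console.log(renderResults(userData, "ven"));
```

The href is quoted and escaped on purpose: the value comes straight from the Ldap server, and quoting keeps the generated markup well-formed whatever characters an attribute happens to contain.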

PersonalInfoModules

Since the user's name is not stored in TWiki but in the Ldap server, the form fields "First Name" and "Last Name" do not exist. One line needs to be changed in PersonalInfoModules, in the section:

personalInfo

Look up the lines that read:
%STARTSECTION{"personalInfo"}%%INCLUDE{"PersonalInfo" section="personalInfoStyle"}%<div class="pIparagraphFrame personalInfo">
---+!! %FORMFIELD{"FirstName" topic="%BASETOPIC%"}% %FORMFIELD{"LastName" topic="%BASETOPIC%"}%
%INCLUDE{"LayoutModules" section="paragraphWithImageLeftStyle"}%

Change the middle line to look up the name in your Ldap database, in my case:

%STARTSECTION{"personalInfo"}%%INCLUDE{"PersonalInfo" section="personalInfoStyle"}%<div class="pIparagraphFrame personalInfo">
---+!! %LDAP{"(&(objectClass=organizationalPerson) (uid=%MYLDAPWIKIUSER%))" base="(ou=People)" limit="1" format="$cn"}% 
%INCLUDE{"LayoutModules" section="paragraphWithImageLeftStyle"}%

For an explanation of the %MYLDAPWIKIUSER% variable, see the section TWiki.NewUserTemplate at the top of this page.

refreshing the directsearch xml file

With Ldap you don't use the TWiki registration mechanism, and therefore the PersonalInfo topic won't automatically be saved. I've solved this with a cron job. The cron job executes the following script (which you can save in a separate file, e.g. 'personalinfoupdate'):

#!/bin/sh
cd /var/www/html/bin || exit 1
./save -action_quietsave=1 -topic Main.PersonalInfo

The frequency of running the job depends on how often you expect relevant user data to change. In my small office, I run it once a day at 5:00 am.

Discussion

Please feel free to point out better ways to integrate Ldap with PersonalInfoAddOn or post other suggestions!

-- JosMaccabiani - 01 Jun 2007

One bit of helpful information that I have learned in implementing various Ldap functionality in my site: there are different LDAP schemas out there (i.e. openldap vs Active Directory, etc.). Jos alludes to this concept several times. I have found that many howtos do not acknowledge this fact. Thus, it is important to identify the attribute names in your own LDAP schema. I found one tool immensely useful to do this: JXplorer

-- BryanEllsaesser - 12 Nov 2007

Topic revision: r3 - 2007-11-12 - BryanEllsaesser