
LDAP Search Plugin

Compatible with DokuWiki: 2006-11-06

Allows you to search LDAP directories for values (like telephone numbers) from within your page.

Last updated on: 2017-03-01
Provides: Syntax

Tagged with: authentication, search

Download and Installation

Download and install the plugin using the Plugin Manager. Refer to Plugins on how to install plugins manually.

Changelog

  • 2009-04-11 : Added configuration and thereby a simpler way of doing searches
  • 2009-06-01 : Allowed quoted params, so you can use searches with spaces.
  • 2017-03-01 : Applied fixes from user-comments, German language, new Download-URL and GitHub repository

Syntax

All Versions

It's pretty simple to do a standalone LDAP call. The syntax is as follows:

[ldapsearch <ldapurl>]

The ldapurl is matched against the following regex, which conforms to the LDAP URL standards out there (I think):

ldap:\/\/([\w\.-_]+):([0-9]+)\/([^\?]*)\?([^\?]*)\?(base|one|sub)\?([^\]]+)

For example :

[ldapsearch ldap://ldapserver.baselineit.net:389/ou=AddressBook,dc=baselineit,dc=net?telephoneNumber,mail,homephone?sub?(givenName=a*)]

2009-04-11 and above

You can now set up named searches in the config section. To set this up, go to the config section and set the following criteria: name, host, port, basedn, binddn, bindpassword, scope, attributes, and whether the user can override these settings.

If you set up a named search as BASELINEIT, your local.conf would look something like this:

$conf['plugin']['ldapsearch']['name'] = 'BASELINEIT';
$conf['plugin']['ldapsearch']['hostname'] = 'localhost';
$conf['plugin']['ldapsearch']['port'] = '389';
$conf['plugin']['ldapsearch']['basedn'] = 'ou=AddressBook,dc=baselineit,dc=net';
$conf['plugin']['ldapsearch']['attributes'] = 'telephoneNumber';
$conf['plugin']['ldapsearch']['scope'] = 'one';
$conf['plugin']['ldapsearch']['allow_overrides'] = 1;

Then in your code,

[ldapsearch search=BASELINEIT filter=(&(givenName=Joe)(sn=Bloggs)) attributes=mail]

Post 2009-06-01, the following also works:

[ldapsearch search="BASELINEIT" filter="(&(givenName=Joe)(sn=Bloggs))" attributes="mail"]

That would return Joe Bloggs' mail address (overriding the config param attributes=telephoneNumber). The following can be specified as parameters:

  • search: COMPULSORY
  • filter: COMPULSORY
  • attributes: optional; will use config settings if not specified and allow_overrides is set
  • host: optional; will use config settings if not specified and allow_overrides is set
  • port: optional; will use config settings if not specified and allow_overrides is set
  • basedn: optional; will use config settings if not specified and allow_overrides is set
  • binddn: optional; will use config settings if not specified and allow_overrides is set
  • bindpassword: optional; will use config settings if not specified and allow_overrides is set
  • scope: optional; will use config settings if not specified and allow_overrides is set

Now as you can clearly see, there is a massive potential security threat here. If you set up your LDAP access with the supervisor binddn and password (then you're an idiot) and then set allow_overrides, a person can poke around your entire LDAP db as root by overriding basedn, scope and other bits, so be wary of that. Bind with an account that can read only what the wiki is meant to show, and leave allow_overrides off unless page authors really need it.
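As an added example (not part of the plugin or of the original page), this script scans wiki page text for named-search tags that override the connection, bind or scope parameters from the list above. The parameter names are taken from that list and the sample text is constructed. Tags that override only attributes are not reported.

```python
import re

# Parameters the page lists as overridable. Each of these redirects the
# configured bind to another server, identity, subtree or search depth.
SENSITIVE = {"host", "port", "basedn", "binddn", "bindpassword", "scope"}

TAG = re.compile(r"\[ldapsearch\s+([^\]]+)\]")
# key=value, where the value is "quoted" (2009-06-01 syntax) or a bare token.
# The lookbehind stops 'ou=' or 'dc=' inside an LDAP URL or DN from being
# read as a parameter name.
PARAM = re.compile(r'(?<!\S)(\w+)=(?:"([^"]*)"|(\S+))')


def parse_tag(body):
    """Return the key=value parameters of one [ldapsearch ...] tag body."""
    return {key: quoted or bare for key, quoted, bare in PARAM.findall(body)}


def audit(text):
    """Return (line_no, search_name, overridden_keys) for each risky tag."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in TAG.finditer(line):
            params = parse_tag(match.group(1))
            hits = sorted(SENSITIVE.intersection(params))
            # URL-form tags carry no key=value pairs and are skipped here.
            if "search" in params and hits:
                findings.append((line_no, params["search"], hits))
    return findings


# Constructed sample page text, not taken from a real wiki.
SAMPLE = """\
Mail: [ldapsearch search=BASELINEIT filter=(&(givenName=Joe)(sn=Bloggs)) attributes=mail]
Wide: [ldapsearch search="BASELINEIT" filter="(sn=Bloggs)" basedn="dc=baselineit,dc=net" scope="sub"]
Old: [ldapsearch ldap://ldapserver.baselineit.net:389/ou=AddressBook,dc=baselineit,dc=net?mail?sub?(givenName=a*)]
"""

if __name__ == "__main__":
    for line_no, name, keys in audit(SAMPLE):
        print(f"line {line_no}: search {name} overrides {', '.join(keys)}")
```

A tag that sets bindpassword also means a credential is stored in readable page text, so those findings deserve attention first.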

In addition to this, you can specify multiple searchable LDAP services by doing the following:

$conf['plugin']['ldapsearch']['name'] = 'BASELINEIT|anotherone';
$conf['plugin']['ldapsearch']['hostname'] = 'localhost|somewhere.else.com';
$conf['plugin']['ldapsearch']['port'] = '389|389';
$conf['plugin']['ldapsearch']['basedn'] = 'ou=AddressBook,dc=baselineit,dc=net|ou=AddressBook,dc=somewhere,dc=else,dc=com';
$conf['plugin']['ldapsearch']['attributes'] = 'telephoneNumber|';
$conf['plugin']['ldapsearch']['scope'] = 'one|sub';
$conf['plugin']['ldapsearch']['allow_overrides'] = 1;

The second search is called anotherone and will search the LDAP service at somewhere.else.com:389, over the subtree of ou=AddressBook,dc=somewhere,dc=else,dc=com. Its attribute isn't set, which means you will need to set it in the page.

LDAP mappings

  • Name : cn
  • First Name : givenName
  • Last Name : sn
  • Email : mail
  • Second Email : mozillaSecondEmail
  • Home Phone : homephone
  • Work Phone : telephonenumber
  • Mobile Phone : mobile
  • Title : title
  • Company : o
  • Work Street Address : street
  • Work City : l
  • Work State/Province : st
  • Work Postal Code : postalCode
  • Work Country : c
  • Fax : Fax


plugin/ldapsearch.txt · Last modified: 2017-03-01 17:20 by og