Utrecht University uses an LDAP server to implement directory services, among others Solis Ugids.
You can update the LDAP database with standard tools. This is subject to rules and regulations.
A short description is available. Please contact Kees van Eijden (ICT-UU) for permission and details.
Comments, updates and additions (in HTML) are most welcome.

General points:
- It is advisable to request a new admin account; if anything goes wrong, the problems are easier to trace in the logs.
- To reduce the load on the server, always make your programs do a minimal number of update requests.
  Only replace attributes that aren't already there; only update dirty records.
- Stick to the prescribed formats; assume the LDAP database doesn't check any input. When in doubt, check with Van Eijden.

References: ldap.perl.org, Net::LDAP

Here is how we do it in Perl:

    # use the standard Perl LDAP module
    use strict ;
    use warnings ;
    use Net::LDAP ;

    # use an admin solis_id and password to update stuff
    my $admin_id = '........' ;
    my $admin_pw = '........' ;
    my $admin_dn = "uid=$admin_id\@soliscom.uu.nl,ou=Administrators,o=uu" ;

    # prepare to bind to the LDAP server
    my $ldap = Net::LDAP -> new ( "ldap.uu.nl" ) or die "$@" ;

    # bind to the server
    my $mesg = $ldap -> bind ( $admin_dn, password => $admin_pw ) ;
    if ( $mesg -> code ) { die "Failed to bind: " . $mesg -> error ; }

    my $attrs =
      [ qw(
          cn initials uuPrefix sn personalTitle mail telephoneNumber
          roomNumber buildingName labeledUri postalAddress uuEmployer
          uid employeeType uuAccessControl uid ObjectClass userClass
          physicalDeliveryOfficeName facsimileTelephoneNumber
          uuOtherTelephoneNumber jpegPhoto
      ) ] ;

    # assume we have the solis_id of the record we want to update
    my $solis_id = '......' ;
    # despite its name, $dn is only used as the search filter below
    my $dn = "uid=$solis_id\@soliscom.uu.nl" ;

    # get the record and check results
    $mesg = $ldap -> search
      ( base   => 'ou=medewerkers,o=uu'
      , scope  => 'one'
      , filter => "($dn)"
      , attrs  => $attrs
      ) ;
    if ( $mesg -> code ) { die "Search failed: " . $mesg -> error ; }
    die "nothing found for $dn" unless $mesg -> count ;
    die "multiples found for $dn" if $mesg -> count > 1 ;

    # found one record ; copy
    my $record = $mesg -> entry ( 0 ) ;

    # the attribute to work on and its new value
    my $key     = '......' ;
    my $new_val = '......' ;

    # horse around with the record
    my $value = $record -> get_value ( $key ) ;

    # add new attributes
    $record -> add ( $key, $new_val ) ;

    # more often you will insert/update attributes
    $record -> replace ( $key, $new_val ) ;

    # when finished, update the record and check results
    my $res = $record -> update ( $ldap ) ;
    die $res -> error () if $res -> code () ;

    # when done with LDAP, unbind
    $ldap -> unbind ;

- The jpegPhoto attribute contains just the raw bits.

      my $JPG = '/path/to/user.jpg' ;
      # get the bits ; read in raw mode so the bytes are not translated
      open my $fh, '<:raw', $JPG or die "can't read $JPG ($!)" ;
      my $jpg = do { local $/ ; <$fh> } ;
      close $fh ;
      # store
      $record -> replace ( 'jpegPhoto', $jpg ) ;

- Records for new employees of our institute have no uuEmployer attribute.
  To make someone a department member, we have to do this:

      my $key = 'uuEmployer' ;
      my $DN_ICS = 'ou=Instituut voor Informatica en Informatiekunde,'
        . 'ou=Faculteit Wiskunde en Informatica,ou=Faculteiten,o=uu' ;
      # add unless already there
      $record -> add ( $key, $DN_ICS )
        unless grep $_ eq $DN_ICS, $record -> get_value ( $key ) ;

  Note that you want add instead of replace here, because uuEmployer is a multi-valued attribute.

  The added uuEmployer should be immediately visible in a person's solis Ugids page. Currently the uuEmployer updates are not immediately reflected in the corresponding solis Ugids medewerkers-lijst. These lists are updated only once a day.
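
The general points above (minimal updates, only dirty records, a server that doesn't check input) and the add-unless-already-there rule for uuEmployer, combined in one added example; this is not code from the original page. The helper names uid_filter, set_if_changed and add_if_missing, the sample record and its values are assumptions made for illustration; escape_filter_value comes from Net::LDAP::Util.

```perl
use strict ;
use warnings ;
use Net::LDAP::Entry ;
use Net::LDAP::Util qw( escape_filter_value ) ;

# build the search filter ; escape the id so that characters such as
# * ( ) \ in it are matched literally and cannot change the filter
sub uid_filter {
  my $solis_id = shift ;
  return '(uid=' . escape_filter_value ( "$solis_id\@soliscom.uu.nl" ) . ')' ;
}

# replace single-valued attributes only when the stored value differs ;
# returns the names of the attributes that were actually changed
sub set_if_changed {
  my ( $record, %want ) = @_ ;
  my @dirty ;
  for my $key ( sort keys %want ) {
    my @have = $record -> get_value ( $key ) ;
    next if @have == 1 and $have [ 0 ] eq $want { $key } ;
    $record -> replace ( $key, $want { $key } ) ;
    push @dirty, $key ;
  }
  return @dirty ;
}

# add a value to a multi-valued attribute unless it is already there ;
# returns 1 if the value was added, 0 if nothing had to be done
sub add_if_missing {
  my ( $record, $key, $val ) = @_ ;
  return 0 if grep { $_ eq $val } $record -> get_value ( $key ) ;
  $record -> add ( $key, $val ) ;
  return 1 ;
}

# constructed sample record, standing in for $mesg -> entry ( 0 )
my $record = Net::LDAP::Entry -> new ;
$record -> dn ( 'uid=jdoe@soliscom.uu.nl,ou=medewerkers,o=uu' ) ;
$record -> add ( roomNumber => 'A101', telephoneNumber => '+31 30 000 0000' ) ;
$record -> changetype ( 'modify' ) ;

# constructed new values : roomNumber is unchanged, telephoneNumber differs
my @dirty = set_if_changed
  ( $record, roomNumber => 'A101', telephoneNumber => '+31 30 000 0001' ) ;
my $added = add_if_missing ( $record, 'uuEmployer', 'ou=Example,o=uu' ) ;

print uid_filter ( 'a*b(c)' ), "\n" ;
print "dirty: @dirty ; added: $added\n" ;
# with a live connection, send one request and only when needed :
#   $record -> update ( $ldap ) if @dirty or $added ;
```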