How can I get ALL LDAP entries?

I know how to bind LDAP for authentication that uses search, but what can I do if I want ALL full name entries ... So how can I get the full names or emails of ALL people?

Below I use the LDAP binding for authentication, and I can search for one person, but what if I want them all?

    <?php
    // using ldap bind
    $ldaprdn  = 'uname';     // ldap rdn or dn
    $ldappass = 'password';  // associated password

    // connect to ldap server
    $ldapconn = ldap_connect("ldap.example.com")
        or die("Could not connect to LDAP server.");

    if ($ldapconn) {
        // binding to ldap server
        $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

        // verify binding
        if ($ldapbind) {
            echo "LDAP bind successful...";
        } else {
            echo "LDAP bind failed...";
        }
    }
    ?>

This is some MySQL code that I have that populates the html list:

    <ol>
    <?php
    mysql_connect("kool", "ohjoa", "sampa") or die(mysql_error());
    mysql_select_db("DBtest") or die(mysql_error());

    $query = "SELECT * FROM EditOnCall";
    $result = mysql_query($query) or die(mysql_error());

    while ($row = mysql_fetch_array($result)) {
        echo "<li>".$row['Email']."</li>";
        echo "<br />";
    }
    ?>
    </ol>

Now the HTML list of letters is displayed. What I want to do is the same with LDAP, except for displaying the full name of all LDAP users in the directory... My LDAP has only 200 people, so it is not too big.

Any ideas?

+4
2 answers

Binding is one type of LDAP query, and search is another type of query. The bind sets the authentication status of the connection, and the search uses the base object, scope, filter, and other optional parameters to create a list of candidates that are filtered and returned to the LDAP client. Connection authentication status also sets certain access options, for example, which records can be retrieved, how many records can be retrieved during a search, how much time is spent searching, how many records should be checked during a search query and other features. Without using the root DN, it may not be possible to retrieve all entries in the directory, and your LDAP administrator may prevent other non-root authentication sources from receiving more than a few entries. For more information about searching, see "LDAP: Using ldapsearch". For more information on programming with LDAP, see LDAP: Programming Practices. See the LDAP Search Best Practices Guidelines for more information.

As for filters, an asterisk is not a wildcard in the sense of (cn=*). This is called a presence filter and indicates whether the attribute used in the statement is present - in this case cn - in the record when filtering the candidate list. An asterisk can be used as part of a substring filter, for example, (cn=abc*) or (mail=user@example*).

In any case, tweak filters should be avoided, if possible, in large directories, probably the same as "trawling" a directory.

+7

It is not about how you bind, but about how you perform a search. You need to know about LDAP filters (this link applies to AD, but all the information in it can be applied to any LDAP node).

You can use * as a template in an LDAP filter. Suppose you wanted to get all objectClass=User objects that are identified by the cn attribute from the root container named cn=Users - you would do this:

 $searchResult = ldap_search($ldapconn,'cn=Users','(&(objectClass=User)(cn=*))',array('cn','guid')); 

The only way that the binding method can affect this principle is that the user you use to bind does not have access rights to the objects you are looking for in the directory.

If you show some more code of exactly what you are trying to do, I will edit this answer in more detail.

+4
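
Putting the two answers together, as an added example (not code from the question or either answer): a paged search with the presence filter, so that all entries come back even when the server caps how many it returns per request. The base DN, the `person` object class and the environment variable names are assumptions.

```php
<?php
// Added example, not code from the posts above. Assumed: base DN, objectClass=person,
// and the LDAP_BIND_DN / LDAP_BIND_PW environment variable names. Needs PHP >= 7.3.
function fetchAllPeople($conn, string $baseDn, string $filter, int $pageSize = 100): array
{
    $people = [];
    $cookie = '';
    do {
        // Simple Paged Results control: at most $pageSize entries per request.
        $controls = [[
            'oid'   => LDAP_CONTROL_PAGEDRESULTS,
            'value' => ['size' => $pageSize, 'cookie' => $cookie],
        ]];
        // Request only the attributes the page displays.
        $result = ldap_search($conn, $baseDn, $filter, ['cn', 'mail'],
            0, 0, 0, LDAP_DEREF_NEVER, $controls);
        if ($result === false) {
            throw new RuntimeException('Search failed: ' . ldap_error($conn));
        }
        ldap_parse_result($conn, $result, $errcode, $matchedDn, $errmsg, $referrals, $serverControls);
        if ($errcode !== 0) { // e.g. a size or time limit set by the administrator
            throw new RuntimeException('Search incomplete: ' . ldap_err2str($errcode));
        }
        $entries = ldap_get_entries($conn, $result);
        for ($i = 0; $i < $entries['count']; $i++) {
            $people[] = ['cn' => $entries[$i]['cn'][0] ?? '', 'mail' => $entries[$i]['mail'][0] ?? ''];
        }
        $cookie = $serverControls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
    } while ($cookie !== '');
    return $people;
}

$bindDn = getenv('LDAP_BIND_DN');
$bindPw = getenv('LDAP_BIND_PW');
if (!$bindDn || !$bindPw) {
    exit('Missing bind credentials.'); // an empty password would become an unauthenticated bind
}
$conn = ldap_connect('ldaps://ldap.example.com'); // LDAPS: the bind password is not sent in clear text
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!ldap_bind($conn, $bindDn, $bindPw)) {
    exit('LDAP bind failed.');
}
echo "<ol>\n";
// (cn=*) is a presence filter: it matches entries that have a cn attribute.
foreach (fetchAllPeople($conn, 'dc=example,dc=com', '(&(objectClass=person)(cn=*))') as $p) {
    // Directory values are untrusted when rendered as HTML, so escape them.
    echo '<li>' . htmlspecialchars($p['cn'] . ' <' . $p['mail'] . '>', ENT_QUOTES, 'UTF-8') . "</li>\n";
}
echo "</ol>\n";
ldap_unbind($conn);
```

If the bind account is not permitted to read some entries, they are simply absent from the result; the search does not report them as errors.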
