PHP LDAP: how to search if a user is in a group?

How to check if a user is part of a group using the php_ldap module?

I am completely new to ldap and therefore a bit confused ...

With googling, I came up with this so far:

```php
<?php
$ds = ldap_connect($ldapHost, $ldapPort);
if ($ds) {
    $r = ldap_bind($ds, $ldapRdn, $ldapPassword);
    // $uid comes from the caller, so escape it before putting it into the filter
    $filter = "(sAMAccountName=" . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . ")";
    $attr = array("memberof");
    $result = ldap_search($ds, $ldapDN, $filter, $attr) or exit("Unable to search LDAP server");
}
```

I am not sure if this is correct, since it came from an AD-specific example. The problem seems to be with $ldapDN. Is this what I'm looking for? My definition of groups:

```
cn=User,ou=Profiles,ou=App_DEV,ou=ApplicationRights,O=MyCompany.COM
```

How can I do this check?

EDIT:

Here is my solution using the "Accepted Answer" and trial and error. I think the answer is highly dependent on your particular system.

```php
// Check whether $uid is a uniqueMember of the User group, using the group
// entry itself as the search base.
function isUserInGroup($ldapConnection, $uid)
{
    // This is the User group DN
    $ldapDN = "cn=User,ou=Profiles,ou=App_DEV,ou=ApplicationRights,O=MyCompany.COM";
    // Escape the uid so it cannot change the shape of the filter
    $escapedUid = ldap_escape($uid, '', LDAP_ESCAPE_FILTER);
    $filter = "(uniqueMember=uid=" . $escapedUid . ",ou=Users,O=MYCOMPANY.COM)";
    $attr = array('uniqueMember');
    $result = ldap_search($ldapConnection, $ldapDN, $filter, $attr);
    $entries = ldap_get_entries($ldapConnection, $result);
    ldap_unbind($ldapConnection);
    return intval($entries["count"]) > 0;
}
```
1 answer

Membership information is usually stored in a group, in the form of the attribute 'member' or 'memberUid'. 'member' represents the full DN (distinguished name) of the member object and will look something like this: `uid=username,ou=users,dc=example,dc=com`. In the case of memberUid, the value will simply be "username".

The way to find out what is used in your directory is to inspect the group using something like Apache Directory Studio.

In addition to the 'member' attribute, AD stores the memberOf attribute in a user record that contains the group DN. But most directories don't do this, which is probably why your code doesn't work.

What you are looking for is a filter:

```
// & means "And" the next sibling items:
// so "find items that have the objectClass of group and a member whose DN is user_dn"
(&(objectClass=group)(member=[user_dn]))
```

or

```
(&(objectClass=group)(memberUid=[user_uid]))
```

So in your case

```php
$result = ldap_search(
    $ds,
    // The base from which to start your search
    // (could be an OU too, like 'ou=restricted,dc=mycompany,dc=com')
    'dc=mycompany,dc=com',
    '(&(objectClass=group)(member=uid=tom,ou=users,dc=mycompany,dc=com))'
);
```

Or, if your groups use memberUid instead, you change the filter to

```php
$filter = '(&(objectClass=group)(memberUid=username))';
```

$result should contain a list of group entries that have a "username".

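The following is an added example, not code from the question or the answer above. It puts the three membership schemas the answer describes into one check (`member` and `uniqueMember` hold the user's full DN, `memberUid` holds the bare uid) and fixes the one security problem in the question's code: the uid is interpolated into the filter unescaped, so a value such as `*` or `x)(objectClass=*` would widen the search. It assumes PHP 7.0 or later with ext/ldap and a service account that can read group entries; the server URI, bind DN, user DN and group DN are placeholders.

```php
<?php
// Added example (not the poster's code). Assumes PHP >= 7.0 with ext/ldap.
// All host names and DNs below are placeholders.

function ldapConnectAndBind(string $uri, string $bindDn, string $bindPw)
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("ldap_connect failed for $uri");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Refuse an empty password: most servers treat it as an anonymous bind,
    // so ldap_bind() would "succeed" without proving anything.
    if ($bindPw === '' || !@ldap_bind($ds, $bindDn, $bindPw)) {
        throw new RuntimeException('ldap_bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Build one filter that matches a group entry under any of the three
// schemas. ldap_escape() with LDAP_ESCAPE_FILTER neutralises * ( ) \ and NUL,
// which is all RFC 4515 requires for a filter value (the DN's commas and
// equals signs are fine inside a value).
function membershipFilter(string $userDn, string $uid): string
{
    $escDn  = ldap_escape($userDn, '', LDAP_ESCAPE_FILTER);
    $escUid = ldap_escape($uid, '', LDAP_ESCAPE_FILTER);
    return "(|(member=$escDn)(uniqueMember=$escDn)(memberUid=$escUid))";
}

// Return the DNs of all groups under $groupBase that list the user.
function findGroupsOfUser($ds, string $groupBase, string $userDn, string $uid): array
{
    $result = ldap_search($ds, $groupBase, membershipFilter($userDn, $uid), ['dn'], 0, 0, 10);
    if ($result === false) {
        throw new RuntimeException('ldap_search failed: ' . ldap_error($ds));
    }
    $groups = [];
    foreach (ldap_get_entries($ds, $result) as $key => $entry) {
        if ($key === 'count') {
            continue;
        }
        $groups[] = $entry['dn'];
    }
    return $groups;
}

// Is the user a (direct) member of one specific group? Search with the
// group entry as the base and scope "base" (ldap_read), so the result is
// non-empty exactly when that one entry matches the membership filter.
function isUserInGroup($ds, string $groupDn, string $userDn, string $uid): bool
{
    $result = @ldap_read($ds, $groupDn, membershipFilter($userDn, $uid), ['dn']);
    if ($result === false) {
        // Error 32 (noSuchObject): the group DN itself does not exist.
        if (ldap_errno($ds) === 32) {
            return false;
        }
        throw new RuntimeException('ldap_read failed: ' . ldap_error($ds));
    }
    return ldap_count_entries($ds, $result) > 0;
}

// Usage with placeholder values; the bind password is read from the
// environment rather than written into the script.
$ds = ldapConnectAndBind(
    'ldaps://ldap.example.com',
    'cn=svc-app,ou=Users,o=example.com',
    getenv('LDAP_PW') ?: ''
);
$userDn = 'uid=tom,ou=Users,o=example.com';
var_dump(isUserInGroup($ds, 'cn=User,ou=Profiles,o=example.com', $userDn, 'tom'));
print_r(findGroupsOfUser($ds, 'ou=Profiles,o=example.com', $userDn, 'tom'));
ldap_unbind($ds);
```

Two points worth noting. First, this only checks direct membership: nested groups (a group that is itself a member of another group) are not followed, and AD's `memberOf` attribute on the user entry is likewise only populated for direct membership unless you use the server-specific matching rule for transitive lookups. Second, the same escaping matters when a DN is assembled from user input and used as the bind DN or search base; `ldap_escape()` with `LDAP_ESCAPE_DN` covers that case, and it is a different escaping from the filter one.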
