PHP LDAP Get user attributes, including associated groups

Question

PHP LDAP Get user attributes, including associated groups

What is the best way to start a search for the current user to get all attributes, including related groups in Active Directory using LDAP / PHP?

For attributes, basically just the first name, last name, and display name.

For related groups, only groups in which the user is a member, for example, the memberOf function.

I tried several options, but cannot find the right filter / search combination, and most examples cover searching user lists where there is a known group.

I tried to run this after successfully binding:

$attributes = array("displayname"); $filter = "(&(sAMAccountName=$username))"; $result = ldap_search($ds, $ldapconfig['basedn'], $filter, $attributes); $entries = ldap_get_entries($ds, $result); if($entries["count"] > 0){ echo "displayName: ".$entries[0]['displayname'][0]."<br/>"; } else { echo("msg:'".ldap_error($ds)."'</br>"); }

It returns the following error: "There is no such object."

UPDATE:

This is the last block I tried and can get the results when I print the $ info variable, but the for clause is still wrong. I changed basen to dc attributes only:

 $filter="($SearchField=$SearchFor)"; $sr=ldap_search($ds, $basedn, $filter, $LDAPFieldsToFind); $info = ldap_get_entries($ds, $sr); if($info["count"] > 0) { for ($x=0; $x<$info["count"]; $x++) { $sam=$info[$x]['samaccountname'][0]; $giv=$info[$x]['givenname'][0]; $tel=$info[$x]['telephonenumber'][0]; $email=$info[$x]['mail'][0]; $nam=$info[$x]['cn'][0]; $dir=$info[$x]['homedirectory'][0]; $dir=strtolower($dir); $pos=strpos($dir,"home"); $pos=$pos+5; if (stristr($sam, $SearchFor) && (strlen($dir) > 8)) { print "\nActive Directory says that:\n"; print "CN is: ".$nam." \n"; print "SAMAccountName is: ".$sam." \n"; print "Given Name is: ".$giv." \n"; print "Telephone is: ".$tel." \n"; print "Home Directory is: ".$dir." \n"; } } }

Result of print_r:

 ( [count] => 1 [0] => Array ( [cn] => Array ( [count] => 1 [0] => George ) [0] => cn [givenname] => Array ( [count] => 1 [0] => George ) [1] => givenname [memberof] => Array ( [count] => 4 [0] => CN=EQCStaff,CN=Users,DC=EQC,DC=local [1] => CN=RDS Users,OU=Security Groups,OU=Service,DC=EQC,DC=local [2] => CN=SFTP Client Folders,OU=Security Groups,OU=Service,DC=EQC,DC=local [3] => CN=EQC Staff,OU=Security Groups,OU=Service,DC=EQC,DC=local ) [2] => memberof [samaccountname] => Array ( [count] => 1 [0] => gortiz ) [3] => samaccountname [mail] => Array ( [count] => 1 [0] => user@domain.com ) [4] => mail [count] => 5 [dn] => CN=George,OU=Users,OU=Accounts,DC=EQC,DC=local ) )

+6

php active-directory ldap

George Ortiz Jan 16 '13 at 4:53

source share

1 answer

Benny hill · Accepted Answer · 2013-01-16T17:34:59+0000

Here's the script we have for dumping AD information, maybe this will help you:

 <?php $ldap_columns = NULL; $ldap_connection = NULL; $ldap_password = 'top_secret_password'; $ldap_username = ' top_secret_username@ '.LDAP_DOMAIN; //------------------------------------------------------------------------------ // Connect to the LDAP server. //------------------------------------------------------------------------------ $ldap_connection = ldap_connect(LDAP_HOSTNAME); if (FALSE === $ldap_connection){ die("<p>Failed to connect to the LDAP server: ". LDAP_HOSTNAME ."</p>"); } ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version'); ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search. if (TRUE !== ldap_bind($ldap_connection, $ldap_username, $ldap_password)){ die('<p>Failed to bind to LDAP server.</p>'); } //------------------------------------------------------------------------------ // Get a list of all Active Directory users. //------------------------------------------------------------------------------ $ldap_base_dn = 'DC=xyz,DC=local'; $search_filter = "(&(objectCategory=person))"; $result = ldap_search($ldap_connection, $ldap_base_dn, $search_filter); if (FALSE !== $result){ $entries = ldap_get_entries($ldap_connection, $result); if ($entries['count'] > 0){ $odd = 0; foreach ($entries[0] AS $key => $value){ if (0 === $odd%2){ $ldap_columns[] = $key; } $odd++; } echo '<table class="data">'; echo '<tr>'; $header_count = 0; foreach ($ldap_columns AS $col_name){ if (0 === $header_count++){ echo '<th class="ul">'; }else if (count($ldap_columns) === $header_count){ echo '<th class="ur">'; }else{ echo '<th class="u">'; } echo $col_name .'</th>'; } echo '</tr>'; for ($i = 0; $i < $entries['count']; $i++){ echo '<tr>'; $td_count = 0; foreach ($ldap_columns AS $col_name){ if (0 === $td_count++){ echo '<td class="l">'; }else{ echo '<td>'; } if (isset($entries[$i][$col_name])){ $output = NULL; if ('lastlogon' === $col_name || 'lastlogontimestamp' === $col_name){ $output = date('DM d, Y @ H:i:s', ($entries[$i][$col_name][0] / 10000000) - 11676009600); }else{ $output = $entries[$i][$col_name][0]; } echo $output .'</td>'; } } echo '</tr>'; } echo '</table>'; } } ldap_unbind($ldap_connection); // Clean up after ourselves. ?>

PHP LDAP Get user attributes, including associated groups

More articles: