How can you do an Active Directory lookup via PHP, without needing to recompile PHP? PHP version is 5.3.

I want to find a person's display name from their user name. The web server is IIS 6 and PHP is served using FastCGI.

I get the username with:

// IIS Windows authentication sets REMOTE_USER to "DOMAIN\user"; split off the domain part
$cred = explode('\\', $_SERVER['REMOTE_USER']);
// If there is no backslash, only the bare user name was supplied
if (count($cred) == 1) array_unshift($cred, "(no domain info - perhaps SSPIOmitDomain is On)");
list($domain, $user) = $cred;
return $user;

So how can I then find the name? e.g. DoeJ = John Doe

Edit:

Trying to lookup user, but not sure how to find the "base DN". Don't have direct access to the Active Directory server or have admin rights, so connecting anonymously.

<?php

// using ldap bind anonymously

// connect to ldap server
$ldapconn = ldap_connect("example.co.uk")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {

    // options have to be set before the bind so that the bind itself uses LDAPv3
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);

    // binding anonymously
    $ldapbind = ldap_bind($ldapconn);

    if ($ldapbind) {
        echo "LDAP bind anonymous successful...";

        $dn = "CN=Users"; // also tried DC=example,DC=co,DC=uk
        $filter = "(SAMAccountName=username)";
        $justthese = array("ou", "sn", "givenname", "mail");

        $sr = ldap_search($ldapconn, $dn, $filter, $justthese);

        // the connection handle is $ldapconn (the original used an undefined $ds here)
        $info = ldap_get_entries($ldapconn, $sr);

        echo $info["count"] . " entries returned\n";

    } else {
        echo "LDAP bind anonymous failed...";
    }
}
?>

Fails on the ldap_search: Warning: ldap_search() [function.ldap-search]: Search: Operations error

A: 

PHP has an LDAP library which you can use to query an Active Directory. It's not enabled by default though.

If you can use it, you can look at ldap_search().

Ólafur Waage
Looked at search, but can't figure out the query needed for it to perform the search
Sam
A: 

Since you're using IIS, that means you are running PHP on Windows, which in turn means that you can enable the LDAP extension without recompiling PHP. That should solve most of your problems.

Ramuns Usovs
A: 

OK - first of all, you need the ext/ldap to communicate with your Active Directory server via the LDAP interface. Obviously this requirement is met with your PHP installation (otherwise you'd get errors about undefined functions).

The question now is: what Windows server are you coding against? From Windows Server 2003 onwards anonymous binds are disabled by default, which means that you cannot search the Active Directory tree without authenticating with an existing and authorized user first. (To enable anonymous binds please see here - but as you don't have any admin rights, you won't be able to change this.)

The second problem is your base DN, which actually is the location within your LDAP tree from which a search operation will be executed. The normal base DN for the users' container should be CN=Users,DC=yourdomain,DC=yourtopleveldomain, which is for example CN=Users,DC=example,DC=local.

The filter you're using is correct actually: (SAMAccountName=username) will find the account entry for user username. To use your username variable you can do:

$filter = sprintf('(SAMAccountName=%s)', $user);

The general code flow, though, seems to be correct, too.

To summarize: you'll have to check first if your Active Directory allows anonymous binds and then you'll have to adjust your search's base DN. If no anonymous binds are allowed you'll have to use a user that is authorized to bind to the Active Directory.

Stefan Gehrig
If I use `$ldapbind = ldap_bind($ldapconn);` it returns true, so I assume anonymous binds are allowed. Also tried `$filter="(sAMAccountName='username')";` so not sure if it is failing at the filter level, the DN or `$justthese`.
Sam
Don't quote the username in your filter string (`$filter="(sAMAccountName=username)";` **NOT** `$filter="(sAMAccountName='username')";`). And perhaps I did not explain this 100% correctly: Active Directory does not allow anonymous users to read from entries besides `RootDSE`, which is the absolute root of an LDAP tree. So `ldap_bind()` may indeed return `true`, but this doesn't mean you're allowed to access the LDAP tree. Considering the error message I assume that your *base DN* is the first problem to solve.
Stefan Gehrig
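The lookup this thread is about, written out as an added example (it is not code from the question or from any answer above): an authenticated bind instead of the anonymous one, a full base DN, the filter value escaped before it is interpolated, and displayName returned. The host and base DN are derived from the question's example.co.uk; the service account DN and password are placeholders.

```php
<?php
// Added example (not from the question or any answer on this page): the lookup
// the thread is about, done the way the last answer recommends - bind with a
// real account, search under a full base DN, return displayName for a username.
// Assumed: host "example.co.uk" (from the question), a placeholder service
// account DN/password, and the base DN "DC=example,DC=co,DC=uk".

// Escape a value for use inside an LDAP search filter (RFC 4515). PHP 5.3 has
// no ldap_escape(), so the metacharacters are replaced by hand; without this a
// username containing "*" or ")" would change what the filter matches.
function ldap_filter_escape($value) {
    $map = array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00');
    return strtr($value, $map);
}

// Take the user part of "DOMAIN\user" as the question's snippet does.
function username_from_remote_user($remote_user) {
    $cred = explode('\\', $remote_user);
    return end($cred);
}

// Returns the displayName for $user, or null if no account matches.
function ad_display_name($user) {
    $host    = 'example.co.uk';                              // from the question
    $bind_dn = 'CN=svc-web,CN=Users,DC=example,DC=co,DC=uk';  // placeholder account
    $bind_pw = 'PLACEHOLDER_PASSWORD';                      // placeholder; keep outside the web root
    $base_dn = 'DC=example,DC=co,DC=uk';

    $conn = ldap_connect($host);
    if (!$conn) throw new RuntimeException('ldap_connect failed');
    // Options go before the bind: AD expects protocol v3, and not chasing
    // referrals avoids a second, unauthenticated hop that also ends in "Operations error".
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Authenticated bind: an anonymous bind "succeeds" but may only read RootDSE.
    if (!@ldap_bind($conn, $bind_dn, $bind_pw)) {
        throw new RuntimeException('bind failed: ' . ldap_error($conn));
    }
    $filter = '(sAMAccountName=' . ldap_filter_escape($user) . ')';
    $sr = @ldap_search($conn, $base_dn, $filter, array('displayName'));
    if (!$sr) throw new RuntimeException('search failed: ' . ldap_error($conn));
    $entries = ldap_get_entries($conn, $sr);
    ldap_unbind($conn);
    // PHP lower-cases attribute names in the result array.
    return isset($entries[0]['displayname'][0]) ? $entries[0]['displayname'][0] : null;
}

// echo ad_display_name(username_from_remote_user($_SERVER['REMOTE_USER']));
```

On port 389 the service account's password travels in clear text, so in production point ldap_connect() at an ldaps:// URL or call ldap_start_tls() before the bind.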