views: 88

answers: 2

As you can see below, I'm not getting any user info when I do an LDAP search against the security group. I want to use `$_SERVER['REMOTE_USER']` to check whether the user is a member of this group. I would also like to retrieve this user's info and update the SQL database with it. Is this possible?

// Search base is the group object itself, so the result is the group entry
// (with its "member" attribute), not the user entries.
$dn = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
$filter = "(member=*)";

$ad = ldap_connect("IP") or die("Couldn't connect to AD!");
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);   // AD requires LDAPv3
$bd = ldap_bind($ad, "[email protected]", "password") or die("Can't bind to server.");
$sr = ldap_search($ad, $dn, $filter);
$entries = ldap_get_entries($ad, $sr);

print_r($entries); returns this:

Array
(
    [count] => 1
    [0] => Array
        (
            [objectclass] => Array
                (
                    [count] => 2
                    [0] => top
                    [1] => group
                )

            [0] => objectclass
            [cn] => Array
                (
                    [count] => 1
                    [0] => Intra
                )

            [1] => cn
            [description] => Array
                (
                    [count] => 1
                    [0] => Group for (LDAP) INTRANET server access
                )

            [2] => description
            [member] => Array
                (
                    [count] => 4
                    [0] => CN=Fname1 Lname1,OU=Mail enabled users,OU=Aberdeen,DC=mydomain,DC=local
                    [1] => CN=Fname2 Lname2,OU=Mail enabled users,OU=Forres,DC=mydomain,DC=local
                    [2] => CN=Fname3 Lname3,OU=Houston,DC=mydomain,DC=local
                    [3] => CN=Fname4 Lname4,OU=Mail enabled users,OU=Bergen,DC=mydomain,DC=local
                )

            [3] => member
            [distinguishedname] => Array
                (
                    [count] => 1
                    [0] => CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local
                )

            [4] => distinguishedname
            [instancetype] => Array
                (
                    [count] => 1
                    [0] => 4
                )

            [5] => instancetype
            [whencreated] => Array
                (
                    [count] => 1
                    [0] => 20100711172407.0Z
                )

            [6] => whencreated
            [whenchanged] => Array
                (
                    [count] => 1
                    [0] => 20100712063949.0Z
                )

            [7] => whenchanged
            [usncreated] => Array
                (
                    [count] => 1
                    [0] => 17491499
                )

            [8] => usncreated
            [usnchanged] => Array
                (
                    [count] => 1
                    [0] => 17498823
                )

            [9] => usnchanged
            [name] => Array
                (
                    [count] => 1
                    [0] => Intra
                )

            [10] => name
            [objectguid] => Array
                (
                    [count] => 1
                    [0] =>
                )

            [11] => objectguid
            [objectsid] => Array
                (
                    [count] => 1
                    [0] =>
                )

            [12] => objectsid
            [samaccountname] => Array
                (
                    [count] => 1
                    [0] => Intra
                )

            [13] => samaccountname
            [samaccounttype] => Array
                (
                    [count] => 1
                    [0] => 268435456
                )

            [14] => samaccounttype
            [grouptype] => Array
                (
                    [count] => 1
                    [0] => -2147483646
                )

            [15] => grouptype
            [objectcategory] => Array
                (
                    [count] => 1
                    [0] => CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=local
                )

            [16] => objectcategory
            [count] => 17
            [dn] => CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local
        )

)

Everything worked fine when I used the normal DN:

$dn = "OU=Mail enabled users,OU=Bergen,DC=mydomain,DC=local";

But an AD expert told me this was a big NO-NO and that I should use security groups instead :\

+1  A: 

Query the AD like this:

$dn       = "DC=mydomain,DC=local";   // search base: the whole domain, not one OU
$group_DN = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
// user objects whose memberOf contains the group's DN
$filter   = "(&(objectCategory=user)(memberOf=$group_DN))";
// ...
$sr       = ldap_search($ad, $dn, $filter);

Have a look at the MSDN article about the LDAP search filter syntax for info on more complex filters.

Be sure to pay attention to the Special Characters section down on that page. A correct solution must pass $group_DN through an escaping mechanism before using it in the filter string!

Always try to build filters as specifically as possible. It is more efficient to let the LDAP server sort out the records you don't want than to have more records than you need transferred over the wire and throw away half of them on the client.

Tomalak
Thanks for the quick response! But when I try to use your filter I get this error: PHP Warning: ldap_search() [function.ldap-search]: Search: Operations error in C:\inetpub\wwwroot\test\test.php on line 33 PHP Warning: ldap_get_entries(): supplied argument is not a valid ldap result resource in C:\inetpub\wwwroot\test\test.php on line 35
cvack
Since I see that you are on Windows, here's a tip. Download Softerra LDAP Browser 2.6 (it's free), connect it to your AD and test your searches with the tool. -- In theory, a base DN of `"DC=mydomain,DC=local"` should work, though.
Tomalak
I see you mention Special Characters. Maybe the error has something to do with it. But I'm not sure I understand it :\
cvack
@cvack: See this thread (http://drupal.org/node/55735), the issue seems to be described there. Scroll to post #9 and see if that helps. Also check your `ldap_bind()` parameters, usually you bind to AD with a full distinguished name (DN), not with the `"user@domain"` syntax.
Tomalak
thanks so much for your help :)
cvack
@cvack: Did it work the way they said in that forum thread? Or was it the changed user name for `ldap_bind()` that made the difference?
Tomalak
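The pieces the thread leaves implicit, put together as an added example (this is not code from the question or from Tomalak's answer): escaping the group DN before it goes into the filter, turning `REMOTE_USER` into a `sAMAccountName`, searching from the domain root with referral chasing switched off, and writing the returned attributes to SQL with a prepared statement. The host name, the service account, the `AD_BIND_PW`/`DB_PW` environment variables, the attribute list, the PDO DSN and the `users` table are all assumptions for the sake of the example; PHP 7.1 or later is assumed for the type declarations.

```php
<?php
// Added example, not part of the original post. Assumed: an AD domain
// controller at $host, a bind account, and IIS integrated auth that sets
// $_SERVER['REMOTE_USER'] to "MYDOMAIN\jdoe" (or "jdoe@mydomain.local").

// Escape a value for use inside an LDAP search filter (RFC 4515, the
// "Special Characters" section of the MSDN page). PHP >= 5.6 provides
// ldap_escape($v, '', LDAP_ESCAPE_FILTER) with the same effect.
// strtr() with an array replaces in a single pass, so nothing is escaped twice.
function filter_escape(string $value): string
{
    return strtr($value, [
        '\\'   => '\5c',
        '*'    => '\2a',
        '('    => '\28',
        ')'    => '\29',
        "\x00" => '\00',
    ]);
}

// "MYDOMAIN\jdoe" or "jdoe@mydomain.local" -> "jdoe"
function sam_account_from_remote_user(string $remoteUser): string
{
    if (($p = strrpos($remoteUser, '\\')) !== false) {
        return substr($remoteUser, $p + 1);
    }
    if (($p = strpos($remoteUser, '@')) !== false) {
        return substr($remoteUser, 0, $p);
    }
    return $remoteUser;
}

// Filter matching exactly one user object that is a direct member of the group.
// Both values are attacker-influenced or may contain special characters, so both are escaped.
function member_filter(string $samAccountName, string $groupDn): string
{
    return sprintf(
        '(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s)(memberOf=%s))',
        filter_escape($samAccountName),
        filter_escape($groupDn)
    );
}

// Returns the user's attributes when the user is a member of the group, null otherwise.
function find_group_member($ad, string $baseDn, string $groupDn, string $remoteUser): ?array
{
    $sam = sam_account_from_remote_user($remoteUser);
    if ($sam === '') {
        return null;                       // no authenticated user: deny
    }
    // Request only the attributes the SQL update needs (assumed attribute set).
    $attrs = ['samaccountname', 'displayname', 'mail', 'department'];
    $sr = ldap_search($ad, $baseDn, member_filter($sam, $groupDn), $attrs);
    if ($sr === false) {
        throw new RuntimeException('ldap_search failed: ' . ldap_error($ad));
    }
    $entries = ldap_get_entries($ad, $sr);  // attribute keys come back lower-cased
    if ($entries['count'] !== 1) {
        return null;                       // 0 = not a member, >1 = ambiguous: deny both
    }
    $e = $entries[0];
    return [
        'sam'        => $e['samaccountname'][0],
        'name'       => $e['displayname'][0] ?? '',
        'mail'       => $e['mail'][0] ?? '',
        'department' => $e['department'][0] ?? '',
    ];
}

// --- usage (all names below are assumptions) ---
$host    = 'ldap://dc1.mydomain.local';
$baseDn  = 'DC=mydomain,DC=local';
$groupDn = 'CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local';

$ad = ldap_connect($host) or die('Could not connect to AD');
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
// A subtree search from the domain root makes AD return referrals to its other
// naming contexts; libldap tries to chase them and the search fails with
// "Operations error". Not following referrals is the usual fix.
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
ldap_bind($ad, 'svc_intranet@mydomain.local', getenv('AD_BIND_PW'))
    or die('Bind failed: ' . ldap_error($ad));

$user = find_group_member($ad, $baseDn, $groupDn, $_SERVER['REMOTE_USER'] ?? '');
if ($user === null) {
    http_response_code(403);
    exit('Not a member of Intra');
}

// Bound parameters keep AD-supplied strings out of the SQL text.
$pdo  = new PDO('sqlsrv:Server=localhost;Database=intranet', 'dbuser', getenv('DB_PW'));
$stmt = $pdo->prepare('UPDATE users SET display_name = ?, mail = ?, department = ? WHERE sam_account = ?');
$stmt->execute([$user['name'], $user['mail'], $user['department'], $user['sam']]);
```

For this particular group DN the escaping is a no-op, since it contains none of `( ) * \`; it matters as soon as a CN carries parentheses or a backslash-escaped comma, and the `sAMAccountName` side matters because `REMOTE_USER` is whatever the web server accepted. Note that `memberOf=` only matches direct members; if users reach `Intra` through nested groups, AD's matching-rule-in-chain form `(memberOf:1.2.840.113556.1.4.1941:=<groupDN>)` resolves the nesting on the server.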
A: 

Tomalak

I think the problem is that not all users in the security group come from the same OU.

If I change

$dn       = "DC=mydomain,DC=local";

to

$dn       = "OU=Bergen,DC=mydomain,DC=local";

the filter works. But I also have two more OUs with users.

cvack
Please use the "Answers" section for actual answers to the question (yes, you can answer your own questions). For mere comments, please use the comment feature.
Tomalak