I need to select a number of attributes for all of the users in a particular group from a PHP application. I realize that I could query the 'member' attribute of the group to get the dn of every member and then make a separate LDAP query for the attributes of each member. I am hoping, however, that there is a single query I can perform that would return all of the results at once, in order to prevent excess back-and-forth between the PHP app and the LDAP server (AD).
Using an LDAP browser I can successfully run a search over my full domain:
Search DN: DC=middlebury,DC=edu
Filter: (memberOf=CN=BG_Cells,OU=General,OU=Groups,DC=middlebury,DC=edu)
Attributes: objectClass,mail,givenName,sn,sAMAccountName,telephoneNumber
and get back the expected results. When I try this filter using PHP's ldap_search() method however, I get an "Operations error" with code 1.
Below is the PHP I'm using.
....
$baseDN = 'DC=middlebury,DC=edu';
$filter = '(memberOf=CN=BG_Cells,OU=General,OU=Groups,DC=middlebury,DC=edu)';
$attributes = array('objectClass','mail','givenName','sn','sAMAccountName','telephoneNumber');
$result = ldap_search($connection, $baseDN, $filter, $attributes);
// ldap_errno() returns 0 when the last operation succeeded
if (ldap_errno($connection))
    print "Read failed for $filter with message: ".ldap_error($connection).", #".ldap_errno($connection);
Other filters work just fine with these attributes, and using just array('mail') or an empty array for the attributes does not get rid of the error result, so I'm sure the problem is with my filter rather than the connection or attribute set.
A second option would be to do one query for the group member dns in the 'member' field of the group and then build a long OR query with every member dn. This still would involve two queries however.
So is there a better way to get each member's attributes, ideally in one query?
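As an added illustration (editor's example, not the asker's code), below is the same memberOf search written with the settings and checks a PHP client talking to Active Directory usually needs: LDAPv3, referral chasing switched off (with the base set to the domain root, AD returns referrals to its other naming contexts, and the client library's attempt to follow them without the bound credentials is a common way to end up with "Operations error", code 1), ldap_escape() on the group DN so that special characters cannot alter the filter, and a check of the ldap_search() return value before entries are read. The host, bind account, domain and group DN are placeholders; the nested-membership variant in the comment uses AD's LDAP_MATCHING_RULE_IN_CHAIN rule.

```php
<?php
// Added example: fetch attributes of every direct member of an AD group in a
// single ldap_search() call. Host, credentials and DNs below are placeholders.

$ldapHost   = 'ldaps://dc.example.test';                                    // placeholder
$bindDn     = 'CN=svc-ldap-reader,OU=Service Accounts,DC=example,DC=test';  // placeholder
$bindPw     = getenv('LDAP_BIND_PASSWORD') ?: '';                           // keep secrets out of source
$baseDn     = 'DC=example,DC=test';                                         // placeholder domain root
$groupDn    = 'CN=BG_Cells,OU=General,OU=Groups,DC=example,DC=test';        // placeholder group
$attributes = array('objectClass', 'mail', 'givenName', 'sn', 'sAMAccountName', 'telephoneNumber');

$conn = ldap_connect($ldapHost);
if ($conn === false) {
    exit("ldap_connect failed\n");
}
// AD requires LDAPv3 for an authenticated bind.
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
// Searching at the domain root makes AD hand back referrals for its other
// naming contexts; following them without credentials surfaces as
// "Operations error" (code 1). Do not chase them.
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

if (!@ldap_bind($conn, $bindDn, $bindPw)) {
    exit('bind failed: ' . ldap_error($conn) . "\n");
}

// Escape the DN before embedding it in the filter so that '(', ')', '*' or '\'
// in a group name cannot change the filter's meaning.
$escapedGroupDn = ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER);
$filter = '(&(objectClass=user)(memberOf=' . $escapedGroupDn . '))';
// For nested groups AD supports the LDAP_MATCHING_RULE_IN_CHAIN rule instead:
// $filter = '(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=' . $escapedGroupDn . '))';

$result = @ldap_search($conn, $baseDn, $filter, $attributes);
if ($result === false) {
    exit("search failed for $filter: " . ldap_error($conn) . ' (#' . ldap_errno($conn) . ")\n");
}

$entries = ldap_get_entries($conn, $result);
for ($i = 0; $i < $entries['count']; $i++) {
    $e = $entries[$i];
    // ldap_get_entries() lowercases attribute names and returns each as an
    // array with a 'count' key; take the first value of the ones we print.
    $sam  = isset($e['samaccountname'][0]) ? $e['samaccountname'][0] : '';
    $mail = isset($e['mail'][0]) ? $e['mail'][0] : '';
    printf("%s\t%s\n", $sam, $mail);
}
ldap_unbind($conn);
```

The bind account only needs read access to the users' attributes; using a dedicated low-privilege service account for the lookup, over LDAPS, keeps the PHP application from ever holding a more powerful credential than the query requires.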