downloads | documentation | faq | getting help | mailing lists | licenses | wiki | reporting bugs | php.net sites | conferences | my php.net

search for in the

ldap_set_option> <ldap_sasl_bind
[edit] Last updated: Fri, 07 Jun 2013

view this page in



ldap_set_option> <ldap_sasl_bind
[edit] Last updated: Fri, 07 Jun 2013
 
add a note add a note User Contributed Notes ldap_search - [44 notes]
up
1
Arnold
2 years ago
I have been working on a script where I needed to get all the users who were member of a specific MS AD group. Because of PHP bug #42060 ( http://bugs.php.net/bug.php?id=42060 ) I could not get all the users back who were member of the group.
After googling for a day I found an article and a patch but it required that I downloaded the source code for php 5.1.6 or 5.2.10 run the patch and than recompile the code to fix the problem.
Problem was
1) I am not a Linux goeroe so I was not very comfortable doing this....
2) I am running the script on a production machine with other code using PHP and did not know what the consequence would bee for that code.
3) I could not update PHP anymore because in newer versions this patch would probably not work any more.

But yesterday I saw the light and wrote some code to get around this problem, maybe other people can use it that have the same problem.

<?PHP
$startFilter        = "(&(memberOf=" .$ADGroup. "))";
$startResults        = ldap_search($ldapconnect, $userBase, $startFilter, $attr);
$countResult        = ldap_count_entries($ldapconnect,$startResults);

IF($countResult == 1000 OR $countResult == 1500)
{
    // loop trough the number 97-122 (ASCII number for the characters a-z)
    For($a=97;$a<=122;$a++)
    {
        // translate the number to a character
        $character            = chr($a);
        // the new search filter withs returns all users with a last name starting with $character
        $filter            = "(&(sn=$character*)(memberOf=$ADGroup))";
        $results        = ldap_search($ldapconnect, $userBase, $filter, $attr);
        $countResult2    = ldap_count_entries($ldapconnect,$results);
           
        // See if the search for all users starting with a specific character still hits the search limit
        // if so than do a new search to find all the users where the last name starts with "aa" and
        // than with "ab", "ac" etc. etc
        // In the best case we can now find 675.324 users per group when the search limit is 1000
        // ((26 * 999  for the fist character) * 26 for the second character)
        // and 1.013.324 when the search limit is 1500
        If($countResult2 == 1000 or $countResult2 == 1500)
        {
            For($b=97;$b<=122;$b++)
            {
                $character2    = chr($b);
                $filter2    = "(&(sn=$character$character2*)(memberOf=$ADGroup))";
                $results2    = ldap_search($ldapconnect, $userBase, $filter2, $attr);
                $count2        = ldap_count_entries($ldapconnect,$results2);   
                $entries2    = ldap_get_entries($ldapconnect,$results2);                       
               
                // do your thing
            }
        }
        Else
        {
            $entries            = ldap_get_entries($ldapconnect,$results);
            // do your thing
        }
    }
}
else
{
    $entries            = ldap_get_entries($ldapconnect,$startResults);
    // do your thing
}
?>
up
1
Anonymous
7 years ago
HOWTO list LDAP users.

This CODE list one user from LDAP tree, but I' like list all user from LDAP one ou=Organization

<?php

$ldaprdn = 'cn=user,dc=domain,dc=org';
$ldappass = 'password';
$sdn = 'cn=user,ou=group,dc=domain,dc=org';

$ldapconn = ldap_connect("ldap://localhost", 389)
or die("Not connect: $ldaphost ");

if ($ldapconn) {

// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

// verify binding
if ($ldapbind) {
$filter="uid=*";
$justthese = array("uid");

$sr=ldap_read($ldapconn, $srdn, $filter, $justthese);
$entry = ldap_get_entries($ldapconn, $sr);

} else {
echo "LDAP conn ok...";
}

}

ldap_close($ldapconn);

?>
<?php
echo $entry[0]["mail"][0] . " mail adress ";
echo $entry[0]["sn"][0] . " Name ";
?>
up
0
jayleno at yahoo dot com
1 month ago
<?php
set_time_limit(30);
error_reporting(E_ALL);
ini_set('error_reporting', E_ALL);
ini_set('display_errors',1);

// config
$ldapserver = 'svr.domain.com';
$ldapuser      = 'administrator'
$ldappass     = 'PASSWORD_HERE';
$ldaptree    = "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=myDomain,DC=local";

// connect
$ldapconn = ldap_connect($ldapserver) or die("Could not connect to LDAP server.");

if($ldapconn) {
    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass) or die ("Error trying to bind: ".ldap_error($ldapconn));
    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...<br /><br />";
       
       
        $result = ldap_search($ldapconn,$ldaptree, "(cn=*)") or die ("Error in search query: ".ldap_error($ldapconn));
        $data = ldap_get_entries($ldapconn, $result);
       
        // SHOW ALL DATA
        echo '<h1>Dump all data</h1><pre>';
        print_r($data);   
        echo '</pre>';
       
       
        // iterate over array and print data for each entry
        echo '<h1>Show me the users</h1>';
        for ($i=0; $i<$data["count"]; $i++) {
            //echo "dn is: ". $data[$i]["dn"] ."<br />";
            echo "User: ". $data[$i]["cn"][0] ."<br />";
            if(isset($data[$i]["mail"][0])) {
                echo "Email: ". $data[$i]["mail"][0] ."<br /><br />";
            } else {
                echo "Email: None<br /><br />";
            }
        }
        // print number of entries found
        echo "Number of entries found: " . ldap_count_entries($ldapconn, $result);
    } else {
        echo "LDAP bind failed...";
    }

}

// all done? clean up
ldap_close($ldapconn);
?>
up
0
kandsobrien at gmail dot com
1 year ago
I wanted to look up some information from various fields of our Active Directory LDAP server. I thought I would contribute the results of that research here:

<?php
/**************************************************
  Bind to an Active Directory LDAP server and look
  something up.
***************************************************/
  $SearchFor="fred";               //What string do you want to find?
  $SearchField="samaccountname";   //In what Active Directory field do you want to search for the string?

  $LDAPHost = "10.10.10.10";       //Your LDAP server DNS Name or IP Address
  $dn = "DC=whatever,DC=whatever"; //Put your Base DN here
  $LDAPUserDomain = "@something.something"//Needs the @, but not always the same as the LDAP server domain
  $LDAPUser = "ldapuserid";        //A valid Active Directory login
  $LDAPUserPassword = "passforuser";
  $LDAPFieldsToFind = array("cn", "givenname", "samaccountname", "homedirectory", "telephonenumber", "mail");
   
  $cnx = ldap_connect($LDAPHost) or die("Could not connect to LDAP");
  ldap_set_option($cnx, LDAP_OPT_PROTOCOL_VERSION, 3);  //Set the LDAP Protocol used by your AD service
  ldap_set_option($cnx, LDAP_OPT_REFERRALS, 0);         //This was necessary for my AD to do anything
  ldap_bind($cnx,$LDAPUser.$LDAPUserDomain,$LDAPUserPassword) or die("Could not bind to LDAP");
  error_reporting (E_ALL ^ E_NOTICE);   //Suppress some unnecessary messages
  $filter="($SearchField=$SearchFor*)"; //Wildcard is * Remove it if you want an exact match
  $sr=ldap_search($cnx, $dn, $filter, $LDAPFieldsToFind);
  $info = ldap_get_entries($cnx, $sr);
 
  for ($x=0; $x<$info["count"]; $x++) {
    $sam=$info[$x]['samaccountname'][0];
    $giv=$info[$x]['givenname'][0];
    $tel=$info[$x]['telephonenumber'][0];
    $email=$info[$x]['mail'][0];
    $nam=$info[$x]['cn'][0];
    $dir=$info[$x]['homedirectory'][0];
    $dir=strtolower($dir);
    $pos=strpos($dir,"home");
    $pos=$pos+5;
    if (stristr($sam, "$SearchFor") && (strlen($dir) > 8)) {
      print "\nActive Directory says that:\n";
      print "CN is: $nam \n";
      print "SAMAccountName is: $sam \n";
      print "Given Name is: $giv \n";
      print "Telephone is: $tel \n";
      print "Home Directory is: $dir \n";
    }  
  }  
  if ($x==0) { print "Oops, $SearchField $SearchFor was not found. Please try again.\n"; }
?>
up
0
Jean-Loup
1 year ago
Example of parallel search :

<?php
$basedn=array('dmdName=users,dc=foo,dc=fr','dmdName=users,dc=bar,dc=com');  // two basedn
$filter='(&(objectClass=inetOrgPerson)(uid=*))'// single filter
$attributes=array('dn','uid','sn');

$cnx = ldap_connect('localhost',389); // single connection
ldap_set_option($cnx, LDAP_OPT_PROTOCOL_VERSION, 3);

ldap_bind($cnx,'uid=root,dc=foo,dc=fr','password');  // authentication on two BDB
ldap_bind($cnx,'uid=root,dc=bar,dc=com','password');

$search = ldap_search(array($cnx,$cnx),$basedn,$filter,$attributes);  // search

// result
for($i=0;$i<count($search);$i++){
    print_r(ldap_get_entries($cnx,$search[$i]));
    print "\n";
}
?>
up
0
info at acpower dot biz
1 year ago
I'm a newbie, so I hope this helps some other newbie with a head scratcher...

This code returned an error of 'No Such Object':

<?php

    $search = ldap_search ($ldapcon, "cn=admin,dc=acpower,dc=biz", "(filters)");

?>

I took out the cn, and magic! it works:

<?php

    $search = ldap_search ($ldapcon, "dc=acpower,dc=biz", "(filters)");

?>
up
0
nick
1 year ago
Results from ActiveDirectory may be ordered by objectSid.
We can get all users for each page size by modify filter.

<?php
// ... connect to ldap
$lastsid='';
while (1) {
    $filter = '(objectClass=user)';
    if (strlen($lastsid)) {
        list($v)=array_values(unpack('V',substr($lastsid,24))); // id for user.
        $s = substr($lastsid,0,24).pack('V',1+$v); // next sid.
        $s = preg_replace('/../','\\\\$0',bin2hex($s)); // escape for fiter
        $filter = '(&'.$filter.'(objectSid>='.$s.'))'; // fiter for next entries.
    }
    $res = ldap_search($ldap,$basedn,$filter,array('objectSid','cn'));
    if (!ldap_count_entries($ldap,$res)) {
        break;
    }
    for ($ent=ldap_first_entry($ldap,$res); $ent; $ent=ldap_next_entry($ldap,$ent)) {
        list($lastsid) = ldap_get_values_len($ldap,$ent,'objectSid');
    }
}
?>
up
0
David Fontanella
3 years ago
To get all attributes + special attributes:

<?php
ldap_search(..., $filter, array('*','createtimestamp','modifytimestamp'));
?>

* -> all attributes (normally requested by default)
+
the special attributes you want
up
0
ben _at_ onshop.co.uk
3 years ago
Following from my note of 11-Nov-2009 06:56 regarding DN issues when using LDAP instead of the Global Catalog when querying AD, further investigation was showing that although the results were in the packet, I was getting an error instead:

'Search: Can't contact LDAP server' AKA Error 81.

Using more detailed analysis:

ldap_get_option($ds,LDAP_OPT_ERROR_STRING,$error);

echo $error

Displayed:

Referral: ldap://DomainDnsZones.defg.de.bc.ac.uk/ DC=DomainDnsZonesDC=defg,DC=de,DC=abc,DC=ac,DC=uk

By using trial and error, the error went away and results returned when using:

ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
up
0
ben _at_ onshop_co_uk
3 years ago
When searching Active Directory, if you are not getting all the attributes back you are expecting such as AD system/hidden attributes such as 'employeeType' then check the following:

First, ensure you are not connecting to the Global Catalog port (e.g. 3269/3268). You need to connect to an LDAP port such as 636 (SSL) or 389 (non-SSL).

Second, check the DN you are binding with when changing from the Global Catalog port to an LDAP port. I found that a DN without an OU returned a 'Search: Can't contact LDAP server' error. For example this fails:

DC=defg,DC=de,DC=abc,DC=ac,DC=uk

Whilst adding the OU to the DN returned an error free result:

OU=FGH,DC=defg,DC=de,DC=abc,DC=ac,DC=uk

If you consequently need to interrogate multiple DNs then an array of DNs can be passed to ldap_search.
up
0
ben _at_ onshop_co_uk
3 years ago
Example to illustrate searching more than one DN (multiple DNs):

<?php
$ds=ldap_connect($ldapserver);

$dn[]='OU=ABC,DC=xyz,DC=ac,DC=uk';
$dn[]='OU=DEF,DC=xyz,DC=ac,DC=uk';

$id[] = $ds;
$id[] = $ds;

$filter = 'samaccountname='.$_POST['username'];
 
$result = ldap_search($id,$dn,$filter);

$search = false;

foreach ($result as $value) {
    if(ldap_count_entries($ds,$value)>0){
        $search = $value;
        break;
    }
}

if($search){
    $info = ldap_get_entries($ds, $search);
}else{
    $info = 'No results found';
}
?>
up
0
eugene at hutorny dot in dot ua
3 years ago
This function accepts LDAP search results and return a flat table (2-d array) with search results.
<?php
/*
 * This function returns flat table out of search results
 * $ad - a valid connection to Active Directory (returned by ldap_connect)
 * $sr - a search result (returned by ldap_search)
 * $key- an attribute name to be used as the key in the resulting array
 * Returns 2-d array as the following:
 *   return_value["keyfieldvalue"]["attributename"] = "attribute value"; // entries with key filed present
 *  return_value[i]["attributename"] = "attribute value"; // entries with key fields missing
 */
function ldap_flatresults($ad,$sr,$key=false) {
  for ($entry=ldap_first_entry($ad,$sr);
            $entry!=false;
            $entry=ldap_next_entry($ad,$entry)) {
    $user = array();
    $attributes = ldap_get_attributes($ad,$entry);
    for($i=$attributes['count'];$i-- >0;) {
          $user[strtolower($attributes[$i])] = $attributes[$attributes[$i]][0];
    }
    if( $key && $user[$key] )
      $users[strtolower($user[$key])] = $user;
    else
      $users[] = $user;
  }
  return $users;
}
?>
up
0
rtdees at gapac dot com
3 years ago
As of today, I have found for me that ldap_search and ldap_list are reversed in functionality.  ldap_list now searches the subtree and ldap_search does not.  This is witnessed when searching against an AD forest running on Windows 2008 in what I believe is 2003 mode.
up
0
douglass_davis at earthlink dot net
4 years ago
A better ldap_escape, if you don't need nested filters such as those in the Pear package.  Escapes for both filters and distinguished names.

<?php
function ldap_escape($str, $for_dn = false)
{
   
    // see:
    // RFC2254
    // http://msdn.microsoft.com/en-us/library/ms675768(VS.85).aspx
    // http://www-03.ibm.com/systems/i/software/ldap/underdn.html       
       
    if  ($for_dn)
        $metaChars = array(',','=', '+', '<','>',';', '\\', '"', '#');
    else
        $metaChars = array('*', '(', ')', '\\', chr(0));

    $quotedMetaChars = array();
    foreach ($metaChars as $key => $value) $quotedMetaChars[$key] = '\\'.str_pad(dechex(ord($value)), 2, '0');
    $str=str_replace($metaChars,$quotedMetaChars,$str); //replace them
    return ($str);
}
?>
up
0
beni at php dot net
4 years ago
Please note, that your example is not fully implementing filter escaping needs and is thus not safe for every case (see RFC 2254).

Filter stuff is also available in pears Net_LDAP: http://pear.php.net/manual/en/package.networking.net-ldap.filter.php

With this class you can easily create nested filters without worrying for escaping issues (those are handled by the class itnernally in a rfc compatible maner).
up
0
metala at metala dot org
5 years ago
// Escape string
// see: RFC2254
function ldap_escape($str){
    $metaChars = array('\\', '(', ')', '#', '*');
    $quotedMetaChars = array();
    foreach ($metaChars as $key => $value) $quotedMetaChars[$key] = '\\'.dechex(ord($value));
    $str=str_replace($metaChars,$quotedMetaChars,$str); //replace them
    return ($str);
}
up
0
chrisbloom7 at gmail dot com
5 years ago
Here are a couple of resources for proper construction of filters.

http://msdn2.microsoft.com/En-US/library/aa746475.aspx

http://technet.microsoft.com/en-us/library/aa996205.aspx

Before finding these I had been stumped for hours on how to do something like "all users starting with "a" except those from OU 'foo'"
up
0
beni at php dot net
5 years ago
LDAP stuff is very nicely capsulated in the object oriented Net_LDAP class provided by PEAR:
http://pear.php.net/package/net_ldap
up
0
lifo at liche dot net
6 years ago
When I discovered I couldn't get searches to work with complex strings (in my case searching on displayName which can have parens and slashes in it). I made this quick function to quote ldap strings in accordance with the RFC. Except I encode spaces as well since searching wouldn't work with spaces. Note, technically speaking a search filter can be encoded into the \xx format for all characters but then filters wouldn't be human readable.

I'm somewhat surprised there wasn't a built in ldap_quote() type of function already.
<?php
// see: RFC2254
function ldap_quote($str) {
        return str_replace(
                array( '\\', ' ', '*', '(', ')' ),
                array( '\\5c', '\\20', '\\2a', '\\28', '\\29' ),
                $str
        );
}
?>
up
0
Allie
6 years ago
I just posted on the ldap_bind, but I figured it couldn't hurt here since this was the first place I stopped when trying to figure out my problem.  My error pointed to ldap_search, but specifying the ldap_connect port was the fix.

When you want to search the entire directory for MS AD, you must specify port 3268 in your bind.  This is also true for apache auth_ldap.

 $ldapserver = ldap_connect($server,3268);
up
0
cbrinker at contronicssolutions dot com
6 years ago
I was completely lost trying to setup LDAP access with a Windows Server 2003 environment, but I finally got it to work. Here's a lifesaving tip:

-Script/web server cannot be located on the Active Directory server that you are querying

As well, here's the sample code I used:

<?php
    //This code cannot be executed on the same server as AD is installed on!!!
   
    //Connect
    $ad = ldap_connect("ad server");
   
    //Set some variables
    ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
   
    //Bind to the ldap directory
    $bd = ldap_bind($ad,"user@domain.com","password")
        or die("Couldn't bind to AD!");

    //Search the directory
    $result = ldap_search($ad, "OU=orginizational unit,DC=domain,DC=com", "(CN=*)");

    //Create result set
    $entries = ldap_get_entries($ad, $result);
   
    //Sort and print
    echo "User count: " . $entries["count"] . "<br /><br /><b>Users:</b><br />";

    for ($i=0; $i < $entries["count"]; $i++)
    {
        echo $entries[$i]["displayname"][0]."<br />";
    }

    //never forget to unbind!
    ldap_unbind($ad);
?>
up
0
buhreen at shaw dot ca
7 years ago
If you are just trying to run LDAP searches against Active Directory, you might find it easier to use the COM objects and use the ADSI ldap search function.  This allows you to use SQL based LDAP queries.  It also allows you to perform subtree level searches in AD.

Here is a quick example.

<?php

$Conn = New COM("ADODB.Connection");
$RS = New COM("ADODB.Recordset");

$Conn->Provider = "ADsDSOObject";
$Conn->Properties['User ID'] = "CN=ZimZam,CN=Users,DC=corp,DC=ad,DC=bob,DC=prv";
$Conn->Properties['Password'] = "anythingyouwant";
$strConn = "Active Directory Provider";
$Conn->Open($strConn);

$strRS = "Select givenname,sn,displayName,mail,SAMAccountName from 'LDAP://corp.ad.bob.prv/DC=corp,DC=ad,DC=bob,DC=prv' where objectClass='user' and SAMAccountName='abc123';

$RS->Open($strRS, $Conn, 1, 1);
echo $RS['givenname'] ." - ". $RS['sn'] ." - ". $RS['displayName'] ." - ". $RS['mail'] ." - ".  $RS['SAMAccountName'] ."<br>";

$RS->Close;
$Conn->Close;
?>
up
0
cruzfern at chuchuwa dot com dot ar
7 years ago
The internal attributes (like createTimestamp, modifyTimestamp, etc), don't come by default (when the optional parameter attributes is not set). You have to specify it:

<?
$r=ldap_search($ds,$base,$filter,array("createTimestamp"));
?>
up
0
fmouse at fmp dot com
8 years ago
It appears that the Netscape Directory SDK (developer.netscape.com) referenced for LDAP filter information is no longer accepting connections.   The A copy of RFC 2254 which defines the standard for string representations of LDAP filters can be found  at http://www.ietf.org/rfc/rfc2254.txt
up
0
openldap at mail dot doris dot cc
8 years ago
PHP 4.3.10

I was trying to do an ldapsearch without a basedn.  First, I tried with ' ', as suggested above, but it gave me invalid dn syntax error.

ie:
$sr=ldap_search($ds, ' ', $filter);
Warning: ldap_search(): Search: Invalid DN syntax in ...

Then I changed it to
$sr=ldap_search($ds, "", $filter);

Which gave me the following error:
Warning: ldap_search(): Search: No such object in ...

With that I then modified my ldap.conf file and commented out the BASE field
#BASE   dc=example, dc=com

Then it worked!

So it looks like if you supply a blank basedn, then it will use your default basedn in ldap.conf.
up
0
rsu_friend at yahoo dot com
8 years ago
I was doing a ldap_search with
$searchbasedn = "miDomainName=" . $_SESSION['selectDomain'] ."," . LDAP_DOMAINBASE;
$filter = "(&(mpsAccountNumber=". $acctNumber .")(objectclass=mpsAccountDetails))";   
$attributes = array("mpsparentchild");

 $sr = ldap_search($ldapconn, $searchbasedn, $filter,$attributes); 

For some reasone this search was failing
but I was able to do successful search only when I gave the search filter as
$filter = "(&(mpsAccountNumber= $acctNumber )(objectclass=mpsAccountDetails))";   

I did not get why the ldap_search was not able to search in the first case.
up
0
sema at technion dot ac dot il
8 years ago
In order to perform the searches on Windows 2003 Server Active Directory you have to set the LDAP_OPT_REFERRALS option to 0:

ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

Without this, you will get "Operations error" if you try to search the whole AD schema (using root of the domain as a $base_dn).

As opposed to Windows 2000 Server, where this option was optional and only increased the performance.
up
0
chester at the dot underground dot com dot au
9 years ago
If you are searching active directory and are experiencing lag or time outs, it may be that you are being given ldap referrals from the ldap server. The following code will disable this.

<?
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
?>
up
0
sembiance at cosmicrealms dot com
9 years ago
When searching for BINARY data (such as an Active Directory objectGUID) you need to escape each hexadecimal character with a backslash.

The following command line run of ldapsearch shows:
ldapsearch -b "dc=blahblah,dc=com" "(objectGUID=\AE\C3\23\35\F7)"

In PHP, you need to escape the escape for the backslash:
ldap_search($ds,"dc=blahblah,dc=com", "(objectGUID=\\AE\\C3\\23\\35\\F7)");
up
0
francis dot tyers at hp dot com
9 years ago
it seems that all fields must be used in lower case even if they are mixed case in the ldapsearch output.

example:

gidNumber: 1010
homeDirectory: /home/dnt

must be:

echo "gid: " . $info[$i]["gidnumber"][0] . "<br>";
echo "home directory: ". $info[$i]["homedirectory"][0] ."<br>";

not ( $info[$i]["homeDirectory"][0] ) etc.
up
0
nicolas at atanis dot net
9 years ago
Here is a little script that make a complete subtree search ( i know a script above seems do that but it doesnt work fine)
This is my version:

Voila ce que j'ai fait aujourd'hui ...

      $ldap_host = "192.168.0.50";
    $ldap_port = "389";
    $base_dn = "dc=fr";
    $filter = "(cn=*)";
    $ldap_user ="cn=admin,dc=fr";
    $ldap_pass = "hellodelu";
    $connect = ldap_connect( $ldap_host, $ldap_port);
    ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);

    $bind = ldap_bind($connect, $ldap_user, $ldap_pass);
    $read = ldap_search($connect, $base_dn, $filter);
   
    $info = ldap_get_entries($connect, $read);
    echo $info["count"]." entrees retournees<BR><BR>";
    for($ligne = 0; $ligne<$info["count"]; $ligne++)
    {
        for($colonne = 0; $colonne<$info[$ligne]["count"]; $colonne++)
        {
            $data = $info[$ligne][$colonne];
            echo $data.":".$info[$ligne][$data][0]."<BR>";
        }
        echo "<BR>";
    }
ldap_close($connect);

--------
nicolas
up
0
me at gavinadams dot org
9 years ago
Minor clarification on AD LDAP searchs. Small typo in previous example, and does not display multiple values per attribute. Here's the for loop to enumerate all entries, attributes, and values:

$bind = ldap_bind($connect) // asume anon connect or add user/pass
     or exit(">>Could not bind to $ldap_host<<");
$read = ldap_search($connect, $base_dn, $filter)
     or exit(">>Unable to search ldap server<<");
$info = ldap_get_entries($connect, $read);
echo $info["count"]." entries returned<br>";
// $i = entries
// $ii = attributes for entry
// $iii = values per attribute
for ($i = 0; $i<$info["count"]; $i++) {
  for ($ii=0; $ii<$info[$i]["count"]; $ii++){
     $data = $info[$i][$ii];
     for ($iii=0; $iii<$info[$i][$data]["count"]; $iii++) {
       echo $data.":&nbsp;&nbsp;".$info[$i][$data][$iii]."<br>";
     }
  }
echo "<p>"; // separate entries
up
0
php @ fccfurn dot com
10 years ago
To do subtree search from top DN in Active Directory, Make sure you do your ldap_set_option().

<?php
$ldap_host = "pdc.php.net";
$base_dn = "DC=php,DC=net";
$filter = "(cn=Joe User)";
$ldap_user  = "CN=Joe User,OU=Sales,DC=php,DC=net";
$ldap_pass = "pass";
$connect = ldap_connect( $ldap_host, $ldap_port)
         or exit(">>Could not connect to LDAP server<<");
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
$bind = ldap_bind($connect, $ldap_user, $ldap_pass)
      or exit(">>Could not bind to $ldap_host<<");
$read = ldap_search($connect, $base_dn, $filter)
      or exit(">>Unable to search ldap server<<");
$info = ldap_get_entries($connect, $read);
echo $info["count"]." entries returned<p>";
$ii=0;
for ($i=0; $ii<$info[$i]["count"]; $ii++){
    $data = $info[$i][$ii];
    echo $data.":&nbsp;&nbsp;".$info[$i][$data][0]."<br>";
}
ldap_close($connect);
?>
up
0
Kamil Kukura <kamk at nexen dot cz>
10 years ago
When I tried to search with empty base DN on OpenLDAP server which had "" namingContext I got result "no such object". In the log file there was query for dn: dc=example,dc=com (!).
As a workaround, it seems it's enough to feed it with space (' ') as base DN - ldap_search($ds, ' ', '(...filter...)', ...
up
0
neumeyed at city dot bloomington dot in dot us
10 years ago
A previous comment noted: "I've also noticed that the departmentNumber, employeeNumber (and maybe others in inetorgperson.schema) are not returned from a search."

This is incorrect. These attributes are returned, but you must reference them with lowercase names. That is, instead of doing this:

$entries[0]["departmentNumber"][0]

Do this:

$entries[0]["departmentnumber"][0]

This doesn't seem like "correct" behavior to me, but I don't know enough about LDAP to say for sure.
up
0
nick dot veitch at futurenet dot co dot
10 years ago
It might be useful to list here the operators that work:

=         - matches exact value
=*xxx  - matches values ending xxx
=xxx*  - matches values beginning xxx
=*xxx* - matches values containing xxx
=*       - matches all values (if set - NULLS are not returned)

>=xxx  - matches everthing from xxx to end of directory
<=xxx  - matches everything up to xxx in directory

~=xxx      - matches similar entries (not all systems)

Boolean operators for constructing complex search

&(term1)(term2)  - matches term1 AND term2
| (term1)(term2)  - matches term1 OR term2
!(term1)                 - matches NOT term1
&(|(term1)(term2))(!(&(term1)(term2)) - matches XOR term1 term2

some of the more compelx constructions seem to work with varying  degrees of efficiency - sometimes it can be better to filter some of the results with the search and do further filtering in PHP.
up
0
emrecio at netscape dot net
10 years ago
implode(", ",$uentry[0]["rfc822mailalias"]);

doesn't work as expected because "count" is in there... one /must/ use the 'for' loop to cycle through results (discarding "count" element).
up
0
jpdalbec at ysu dot edu
10 years ago
I've found that spaces need to be escaped in search filters ("\20"), at least using the Red Hat PHP 4.1.2 package.  Otherwise no results are returned.
up
0
john_taylor_1973 at yahoo dot com
10 years ago
Try to use ldap_list(), if possible.  It is much faster.  ldap_search searches a scope of LDAP_SCOPE_SUBTREE, but ldap_list searches a scope of just LDAP_SCOPE_ONELEVEL.  This made a big difference on Novell eDirectory 8.6.1, even for a query that only returned 130 objects.  Using an attribute list, the 4th function parameter (of either function), also made queries faster.
up
0
Anonymous
11 years ago
I used the following to retrieve all entries from an ILS (Netmeeting) Server:<p>    $sr=ldap_search($ds, "objectclass=rtperson","(&(cn=%)(objectclass=rtperson))");
<p>Have fun!
<p>Kees
up
0
cdaveb at csua dot berkeley dot edu
12 years ago
FYI, for those doing LDAP searches on Exchange servers, there seems to be some preference in Exchange to disallow searches that aren't initial searches (i.e. only x* will work, not * or *x). I'd been going nuts trying to figure out why I kept getting errors doing * searches.

More info at:
http://www.microsoft.com/Exchange/en/55/help/documents/server/XOG16007.HTM
up
0
aa529 at nospamchebucto dot ns dot ca
13 years ago
Be careful of special characters when generating filters from user input.

*, (, ), \ and NUL should be backslash-escaped. See section 4 of RFC 2254 (I found it here:
http://www.cis.ohio-state.edu/htbin/rfc/rfc2254.html)
up
-1
john dot saterfiel at act dot org
3 years ago
Here's an example of how to connect to an active directory (2003 windows ad tested). And retrieve a specific person's information when given only their username (sAMAccountName).  Note: I have noticed that some active directory servers do care about what case the attributes are in and others don't.  This site was very useful in looking up the AD attributes but I did have to lowercase them all to work for me.
Do a google search on "active directory person attributes" to find the site. www.computerperformance.co.uk

I doubt the code below will work for everybody as is but it should give ad users a good start in how to get a logged in user's data without knowing what organization or security group they're in.  This was needed because my company didn't put all their users in the same organization.

<?PHP
$ldap_url = 'examplead.mycomp.com';
$ldap_domain = 'mycomp.com';
$ldap_dn = "dc=mycomp,dc=com";

$ds = ldap_connect( $ldap_url );
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

$username = "your_user_name_here";
//must always check that password length > 0
$password = "your_password_here";

// now try a real login
$login = ldap_bind( $ds, "$username@$ldap_domain", $password );
echo '- Logged In Successfully<br/><br/>';
try{
$attributes = array("displayname", "mail",
"department",
"title",
"physicaldeliveryofficename",
"manager");
$filter = "(&(objectCategory=person)(sAMAccountName=$username))";

$result = ldap_search($ds, $ldap_dn, $filter, $attributes);

$entries = ldap_get_entries($ds, $result);

if($entries["count"] > 0){
//echo print_r($entries[$i],1)."<br />";
echo "<b>User Information:</b><br/>";
echo "displayName: ".$entries[0]['displayname'][0]."<br/>";
echo "email: ".$entries[0]['mail'][0]."<br/>";
echo "department: ".$entries[0]['department'][0]."<br/>";
echo "title: ".$entries[0]['title'][0]."<br/>";
echo "office: ".$entries[0]['physicaldeliveryofficename'][0]."<br/>";
//echo "manager: ".$entries[$i]['manager'][0]."<br/>";
$manager_result = ldap_search($ds,
$entries[0]['manager'][0],
'(objectCategory=person)',
array("displayname"));

$manager_entries = ldap_get_entries($ds, $manager_result);
if($manager_entries["count"] > 0){
echo "manager: ". $manager_entries[0]['displayname'][0];
}
}
}catch(Exception $e){
ldap_unbind($ds);
return;
}
ldap_unbind($ds);
echo '<br/><br/>- Logged Out';
?>
up
-2
Alain SCHNERB
6 years ago
I had problem searching into Microsoft Active Directory
with ldap_search.

System administrator does not want to change the 1.000 limit
of returned result because of Domain Controler performance.

Here is a example of code that activates the Page Mode.

See "searching with ActiveX Data Objects (ADO)" on MSDN
for more details.

$connection = New COM("ADODB.Connection");
$commande = New COM("ADODB.Command");
$resultat = New COM("ADODB.Recordset");
$connection->Provider = "ADsDSOObject";
$connection->Open();
$commande->ActiveConnection = $connection ;
$commande->Properties["Cache results"] = false;

// ACTIVATE PAGE MODE
$commande->Properties["Page size"] = 1000;

$recherche1 = "<LDAP://OU=XXXX,OU=Ressources_Locales,DC=COMMUN,
DC=AD,DC=YYYY,DC=FR>";
$recherche2 = ";(&(objectCategory=group)
(sIDHistory=*));distinguishedname;subtree";

$commande->commandtext = $recherche1.$recherche2;
$resultat = $commande->Execute();

$count = 0;
while (!$resultat->eof())
    {
    if ($count<10)
        echo $resultat["distinguishedname"]."<br>";       
    $resultat->MoveNext();
    $count = $count +1;
    }
echo $count."<br>";
add a note add a note

 
show source | credits | stats | sitemap | contact | advertising | mirror sites