(PHP 4, PHP 5)
ldap_search — Search LDAP tree
$link_identifier
, string $base_dn
, string $filter
[, array $attributes
[, int $attrsonly
[, int $sizelimit
[, int $timelimit
[, int $deref
]]]]] )
Performs the search for a specified filter on the directory with the scope
of LDAP_SCOPE_SUBTREE. This is equivalent to searching
the entire directory.
From 4.0.5 on it's also possible to do parallel searches. To do this
you use an array of link identifiers, rather than a single identifier,
as the first argument. If you don't want the same base DN and the
same filter for all the searches, you can also use an array of base DNs
and/or an array of filters. Those arrays must be of the same size as
the link identifier array since the first entries of the arrays are
used for one search, the second entries are used for another, and so
on. When doing parallel searches an array of search result
identifiers is returned, except in case of error, then the entry
corresponding to the search will be FALSE. This is very much like
the value normally returned, except that a result identifier is always
returned when a search was made. There are some rare cases where the
normal search returns FALSE while the parallel search returns an
identifier.
link_identifier
An LDAP link identifier, returned by ldap_connect().
base_dn
The base DN for the directory.
filter
The search filter can be simple or advanced, using boolean operators in the format described in the LDAP documentation (see the » Netscape Directory SDK for full information on filters).
attributes
An array of the required attributes, e.g. array("mail", "sn", "cn"). Note that the "dn" is always returned irrespective of which attributes types are requested.
Using this parameter is much more efficient than the default action (which is to return all attributes and their associated values). The use of this parameter should therefore be considered good practice.
attrsonly
Should be set to 1 if only attribute types are wanted. If set to 0 both attributes types and attribute values are fetched which is the default behaviour.
sizelimit
Enables you to limit the count of entries fetched. Setting this to 0 means no limit.
Note:
This parameter can NOT override server-side preset sizelimit. You can set it lower though.
Some directory server hosts will be configured to return no more than a preset number of entries. If this occurs, the server will indicate that it has only returned a partial results set. This also occurs if you use this parameter to limit the count of fetched entries.
timelimit
Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit.
Note:
This parameter can NOT override server-side preset timelimit. You can set it lower though.
deref
Specifies how aliases should be handled during the search. It can be one of the following:
LDAP_DEREF_NEVER - (default) aliases are never
dereferenced.
LDAP_DEREF_SEARCHING - aliases should be
dereferenced during the search but not when locating the base object
of the search.
LDAP_DEREF_FINDING - aliases should be
dereferenced when locating the base object but not during the search.
LDAP_DEREF_ALWAYS - aliases should be dereferenced
always.
Returns a search result identifier or FALSE on error.
| 版本 | 说明 |
|---|---|
| 4.0.5 | Parallel searches support was added. |
| 4.0.2 |
The attrsonly, sizelimit,
timelimit and deref were
added.
|
The example below retrieves the organizational unit, surname, given name and email address for all people in "My Company" where the surname or given name contains the substring $person. This example uses a boolean filter to tell the server to look for information in more than one attribute.
Example #1 LDAP search
<?php
// $ds is a valid link identifier for a directory server
// $person is all or part of a person's name, eg "Jo"
$dn = "o=My Company, c=US";
$filter="(|(sn=$person*)(givenname=$person*))";
$justthese = array("ou", "sn", "givenname", "mail");
$sr=ldap_search($ds, $dn, $filter, $justthese);
$info = ldap_get_entries($ds, $sr);
echo $info["count"]." entries returned\n";
?>
jayleno at yahoo dot com (2013-05-15 18:28:20)
<?php
set_time_limit(30);
error_reporting(E_ALL);
ini_set('error_reporting', E_ALL);
ini_set('display_errors',1);
// config
$ldapserver = 'svr.domain.com';
$ldapuser = 'administrator';
$ldappass = 'PASSWORD_HERE';
$ldaptree = "OU=SBSUsers,OU=Users,OU=MyBusiness,DC=myDomain,DC=local";
// connect
$ldapconn = ldap_connect($ldapserver) or die("Could not connect to LDAP server.");
if($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldapuser, $ldappass) or die ("Error trying to bind: ".ldap_error($ldapconn));
// verify binding
if ($ldapbind) {
echo "LDAP bind successful...<br /><br />";
$result = ldap_search($ldapconn,$ldaptree, "(cn=*)") or die ("Error in search query: ".ldap_error($ldapconn));
$data = ldap_get_entries($ldapconn, $result);
// SHOW ALL DATA
echo '<h1>Dump all data</h1><pre>';
print_r($data);
echo '</pre>';
// iterate over array and print data for each entry
echo '<h1>Show me the users</h1>';
for ($i=0; $i<$data["count"]; $i++) {
//echo "dn is: ". $data[$i]["dn"] ."<br />";
echo "User: ". $data[$i]["cn"][0] ."<br />";
if(isset($data[$i]["mail"][0])) {
echo "Email: ". $data[$i]["mail"][0] ."<br /><br />";
} else {
echo "Email: None<br /><br />";
}
}
// print number of entries found
echo "Number of entries found: " . ldap_count_entries($ldapconn, $result);
} else {
echo "LDAP bind failed...";
}
}
// all done? clean up
ldap_close($ldapconn);
?>
kandsobrien at gmail dot com (2012-02-16 15:52:44)
I wanted to look up some information from various fields of our Active Directory LDAP server. I thought I would contribute the results of that research here:
<?php
/**************************************************
Bind to an Active Directory LDAP server and look
something up.
***************************************************/
$SearchFor="fred"; //What string do you want to find?
$SearchField="samaccountname"; //In what Active Directory field do you want to search for the string?
$LDAPHost = "10.10.10.10"; //Your LDAP server DNS Name or IP Address
$dn = "DC=whatever,DC=whatever"; //Put your Base DN here
$LDAPUserDomain = "@something.something"; //Needs the @, but not always the same as the LDAP server domain
$LDAPUser = "ldapuserid"; //A valid Active Directory login
$LDAPUserPassword = "passforuser";
$LDAPFieldsToFind = array("cn", "givenname", "samaccountname", "homedirectory", "telephonenumber", "mail");
$cnx = ldap_connect($LDAPHost) or die("Could not connect to LDAP");
ldap_set_option($cnx, LDAP_OPT_PROTOCOL_VERSION, 3); //Set the LDAP Protocol used by your AD service
ldap_set_option($cnx, LDAP_OPT_REFERRALS, 0); //This was necessary for my AD to do anything
ldap_bind($cnx,$LDAPUser.$LDAPUserDomain,$LDAPUserPassword) or die("Could not bind to LDAP");
error_reporting (E_ALL ^ E_NOTICE); //Suppress some unnecessary messages
$filter="($SearchField=$SearchFor*)"; //Wildcard is * Remove it if you want an exact match
$sr=ldap_search($cnx, $dn, $filter, $LDAPFieldsToFind);
$info = ldap_get_entries($cnx, $sr);
for ($x=0; $x<$info["count"]; $x++) {
$sam=$info[$x]['samaccountname'][0];
$giv=$info[$x]['givenname'][0];
$tel=$info[$x]['telephonenumber'][0];
$email=$info[$x]['mail'][0];
$nam=$info[$x]['cn'][0];
$dir=$info[$x]['homedirectory'][0];
$dir=strtolower($dir);
$pos=strpos($dir,"home");
$pos=$pos+5;
if (stristr($sam, "$SearchFor") && (strlen($dir) > 8)) {
print "\nActive Directory says that:\n";
print "CN is: $nam \n";
print "SAMAccountName is: $sam \n";
print "Given Name is: $giv \n";
print "Telephone is: $tel \n";
print "Home Directory is: $dir \n";
}
}
if ($x==0) { print "Oops, $SearchField $SearchFor was not found. Please try again.\n"; }
?>
Jean-Loup (2012-02-01 18:27:34)
Example of parallel search :
<?php
$basedn=array('dmdName=users,dc=foo,dc=fr','dmdName=users,dc=bar,dc=com'); // two basedn
$filter='(&(objectClass=inetOrgPerson)(uid=*))'; // single filter
$attributes=array('dn','uid','sn');
$cnx = ldap_connect('localhost',389); // single connection
ldap_set_option($cnx, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($cnx,'uid=root,dc=foo,dc=fr','password'); // authentication on two BDB
ldap_bind($cnx,'uid=root,dc=bar,dc=com','password');
$search = ldap_search(array($cnx,$cnx),$basedn,$filter,$attributes); // search
// result
for($i=0;$i<count($search);$i++){
print_r(ldap_get_entries($cnx,$search[$i]));
print "\n";
}
?>
info at acpower dot biz (2011-09-19 03:07:29)
I'm a newbie, so I hope this helps some other newbie with a head scratcher...
This code returned an error of 'No Such Object':
<?php
$search = ldap_search ($ldapcon, "cn=admin,dc=acpower,dc=biz", "(filters)");
?>
I took out the cn, and magic! it works:
<?php
$search = ldap_search ($ldapcon, "dc=acpower,dc=biz", "(filters)");
?>
nick (2011-09-01 23:09:30)
Results from ActiveDirectory may be ordered by objectSid.
We can get all users for each page size by modify filter.
<?php
// ... connect to ldap
$lastsid='';
while (1) {
$filter = '(objectClass=user)';
if (strlen($lastsid)) {
list($v)=array_values(unpack('V',substr($lastsid,24))); // id for user.
$s = substr($lastsid,0,24).pack('V',1+$v); // next sid.
$s = preg_replace('/../','\\\\$0',bin2hex($s)); // escape for fiter
$filter = '(&'.$filter.'(objectSid>='.$s.'))'; // fiter for next entries.
}
$res = ldap_search($ldap,$basedn,$filter,array('objectSid','cn'));
if (!ldap_count_entries($ldap,$res)) {
break;
}
for ($ent=ldap_first_entry($ldap,$res); $ent; $ent=ldap_next_entry($ldap,$ent)) {
list($lastsid) = ldap_get_values_len($ldap,$ent,'objectSid');
}
}
?>
Arnold (2011-05-11 01:35:16)
I have been working on a script where I needed to get all the users who were member of a specific MS AD group. Because of PHP bug #42060 ( http://bugs.php.net/bug.php?id=42060 ) I could not get all the users back who were member of the group.
After googling for a day I found an article and a patch but it required that I downloaded the source code for php 5.1.6 or 5.2.10 run the patch and than recompile the code to fix the problem.
Problem was
1) I am not a Linux goeroe so I was not very comfortable doing this....
2) I am running the script on a production machine with other code using PHP and did not know what the consequence would bee for that code.
3) I could not update PHP anymore because in newer versions this patch would probably not work any more.
But yesterday I saw the light and wrote some code to get around this problem, maybe other people can use it that have the same problem.
<?PHP
$startFilter = "(&(memberOf=" .$ADGroup. "))";
$startResults = ldap_search($ldapconnect, $userBase, $startFilter, $attr);
$countResult = ldap_count_entries($ldapconnect,$startResults);
IF($countResult == 1000 OR $countResult == 1500)
{
// loop trough the number 97-122 (ASCII number for the characters a-z)
For($a=97;$a<=122;$a++)
{
// translate the number to a character
$character = chr($a);
// the new search filter withs returns all users with a last name starting with $character
$filter = "(&(sn=$character*)(memberOf=$ADGroup))";
$results = ldap_search($ldapconnect, $userBase, $filter, $attr);
$countResult2 = ldap_count_entries($ldapconnect,$results);
// See if the search for all users starting with a specific character still hits the search limit
// if so than do a new search to find all the users where the last name starts with "aa" and
// than with "ab", "ac" etc. etc
// In the best case we can now find 675.324 users per group when the search limit is 1000
// ((26 * 999 for the fist character) * 26 for the second character)
// and 1.013.324 when the search limit is 1500
If($countResult2 == 1000 or $countResult2 == 1500)
{
For($b=97;$b<=122;$b++)
{
$character2 = chr($b);
$filter2 = "(&(sn=$character$character2*)(memberOf=$ADGroup))";
$results2 = ldap_search($ldapconnect, $userBase, $filter2, $attr);
$count2 = ldap_count_entries($ldapconnect,$results2);
$entries2 = ldap_get_entries($ldapconnect,$results2);
// do your thing
}
}
Else
{
$entries = ldap_get_entries($ldapconnect,$results);
// do your thing
}
}
}
else
{
$entries = ldap_get_entries($ldapconnect,$startResults);
// do your thing
}
?>
David Fontanella (2010-01-26 06:39:31)
To get all attributes + special attributes:
<?php
ldap_search(..., $filter, array('*','createtimestamp','modifytimestamp'));
?>
* -> all attributes (normally requested by default)
+
the special attributes you want
ben _at_ onshop.co.uk (2010-01-19 14:11:43)
Following from my note of 11-Nov-2009 06:56 regarding DN issues when using LDAP instead of the Global Catalog when querying AD, further investigation was showing that although the results were in the packet, I was getting an error instead:
'Search: Can't contact LDAP server' AKA Error 81.
Using more detailed analysis:
ldap_get_option($ds,LDAP_OPT_ERROR_STRING,$error);
echo $error
Displayed:
Referral: ldap://DomainDnsZones.defg.de.bc.ac.uk/ DC=DomainDnsZonesDC=defg,DC=de,DC=abc,DC=ac,DC=uk
By using trial and error, the error went away and results returned when using:
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ben _at_ onshop_co_uk (2009-11-11 10:56:43)
When searching Active Directory, if you are not getting all the attributes back you are expecting such as AD system/hidden attributes such as 'employeeType' then check the following:
First, ensure you are not connecting to the Global Catalog port (e.g. 3269/3268). You need to connect to an LDAP port such as 636 (SSL) or 389 (non-SSL).
Second, check the DN you are binding with when changing from the Global Catalog port to an LDAP port. I found that a DN without an OU returned a 'Search: Can't contact LDAP server' error. For example this fails:
DC=defg,DC=de,DC=abc,DC=ac,DC=uk
Whilst adding the OU to the DN returned an error free result:
OU=FGH,DC=defg,DC=de,DC=abc,DC=ac,DC=uk
If you consequently need to interrogate multiple DNs then an array of DNs can be passed to ldap_search.
ben _at_ onshop_co_uk (2009-11-11 10:24:39)
Example to illustrate searching more than one DN (multiple DNs):
<?php
$ds=ldap_connect($ldapserver);
$dn[]='OU=ABC,DC=xyz,DC=ac,DC=uk';
$dn[]='OU=DEF,DC=xyz,DC=ac,DC=uk';
$id[] = $ds;
$id[] = $ds;
$filter = 'samaccountname='.$_POST['username'];
$result = ldap_search($id,$dn,$filter);
$search = false;
foreach ($result as $value) {
if(ldap_count_entries($ds,$value)>0){
$search = $value;
break;
}
}
if($search){
$info = ldap_get_entries($ds, $search);
}else{
$info = 'No results found';
}
?>
eugene at hutorny dot in dot ua (2009-10-24 23:35:26)
This function accepts LDAP search results and return a flat table (2-d array) with search results.
<?php
/*
* This function returns flat table out of search results
* $ad - a valid connection to Active Directory (returned by ldap_connect)
* $sr - a search result (returned by ldap_search)
* $key- an attribute name to be used as the key in the resulting array
* Returns 2-d array as the following:
* return_value["keyfieldvalue"]["attributename"] = "attribute value"; // entries with key filed present
* return_value[i]["attributename"] = "attribute value"; // entries with key fields missing
*/
function ldap_flatresults($ad,$sr,$key=false) {
for ($entry=ldap_first_entry($ad,$sr);
$entry!=false;
$entry=ldap_next_entry($ad,$entry)) {
$user = array();
$attributes = ldap_get_attributes($ad,$entry);
for($i=$attributes['count'];$i-- >0;) {
$user[strtolower($attributes[$i])] = $attributes[$attributes[$i]][0];
}
if( $key && $user[$key] )
$users[strtolower($user[$key])] = $user;
else
$users[] = $user;
}
return $users;
}
?>
rtdees at gapac dot com (2009-10-09 13:13:20)
As of today, I have found for me that ldap_search and ldap_list are reversed in functionality. ldap_list now searches the subtree and ldap_search does not. This is witnessed when searching against an AD forest running on Windows 2008 in what I believe is 2003 mode.
john dot saterfiel at act dot org (2009-09-29 10:10:47)
Here's an example of how to connect to an active directory (2003 windows ad tested). And retrieve a specific person's information when given only their username (sAMAccountName). Note: I have noticed that some active directory servers do care about what case the attributes are in and others don't. This site was very useful in looking up the AD attributes but I did have to lowercase them all to work for me.
Do a google search on "active directory person attributes" to find the site. www.computerperformance.co.uk
I doubt the code below will work for everybody as is but it should give ad users a good start in how to get a logged in user's data without knowing what organization or security group they're in. This was needed because my company didn't put all their users in the same organization.
<?PHP
$ldap_url = 'examplead.mycomp.com';
$ldap_domain = 'mycomp.com';
$ldap_dn = "dc=mycomp,dc=com";
$ds = ldap_connect( $ldap_url );
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
$username = "your_user_name_here";
//must always check that password length > 0
$password = "your_password_here";
// now try a real login
$login = ldap_bind( $ds, "$username@$ldap_domain", $password );
echo '- Logged In Successfully<br/><br/>';
try{
$attributes = array("displayname", "mail",
"department",
"title",
"physicaldeliveryofficename",
"manager");
$filter = "(&(objectCategory=person)(sAMAccountName=$username))";
$result = ldap_search($ds, $ldap_dn, $filter, $attributes);
$entries = ldap_get_entries($ds, $result);
if($entries["count"] > 0){
//echo print_r($entries[$i],1)."<br />";
echo "<b>User Information:</b><br/>";
echo "displayName: ".$entries[0]['displayname'][0]."<br/>";
echo "email: ".$entries[0]['mail'][0]."<br/>";
echo "department: ".$entries[0]['department'][0]."<br/>";
echo "title: ".$entries[0]['title'][0]."<br/>";
echo "office: ".$entries[0]['physicaldeliveryofficename'][0]."<br/>";
//echo "manager: ".$entries[$i]['manager'][0]."<br/>";
$manager_result = ldap_search($ds,
$entries[0]['manager'][0],
'(objectCategory=person)',
array("displayname"));
$manager_entries = ldap_get_entries($ds, $manager_result);
if($manager_entries["count"] > 0){
echo "manager: ". $manager_entries[0]['displayname'][0];
}
}
}catch(Exception $e){
ldap_unbind($ds);
return;
}
ldap_unbind($ds);
echo '<br/><br/>- Logged Out';
?>
douglass_davis at earthlink dot net (2009-04-08 06:01:14)
A better ldap_escape, if you don't need nested filters such as those in the Pear package. Escapes for both filters and distinguished names.
<?php
function ldap_escape($str, $for_dn = false)
{
// see:
// RFC2254
// http://msdn.microsoft.com/en-us/library/ms675768(VS.85).aspx
// http://www-03.ibm.com/systems/i/software/ldap/underdn.html
if ($for_dn)
$metaChars = array(',','=', '+', '<','>',';', '\\', '"', '#');
else
$metaChars = array('*', '(', ')', '\\', chr(0));
$quotedMetaChars = array();
foreach ($metaChars as $key => $value) $quotedMetaChars[$key] = '\\'.str_pad(dechex(ord($value)), 2, '0');
$str=str_replace($metaChars,$quotedMetaChars,$str); //replace them
return ($str);
}
?>
beni at php dot net (2008-08-27 02:17:01)
Please note, that your example is not fully implementing filter escaping needs and is thus not safe for every case (see RFC 2254).
Filter stuff is also available in pears Net_LDAP: http://pear.php.net/manual/en/package.networking.net-ldap.filter.php
With this class you can easily create nested filters without worrying for escaping issues (those are handled by the class itnernally in a rfc compatible maner).
metala at metala dot org (2008-06-11 02:12:49)
// Escape string
// see: RFC2254
function ldap_escape($str){
$metaChars = array('\\', '(', ')', '#', '*');
$quotedMetaChars = array();
foreach ($metaChars as $key => $value) $quotedMetaChars[$key] = '\\'.dechex(ord($value));
$str=str_replace($metaChars,$quotedMetaChars,$str); //replace them
return ($str);
}
chrisbloom7 at gmail dot com (2007-08-08 13:18:07)
Here are a couple of resources for proper construction of filters.
http://msdn2.microsoft.com/En-US/library/aa746475.aspx
http://technet.microsoft.com/en-us/library/aa996205.aspx
Before finding these I had been stumped for hours on how to do something like "all users starting with "a" except those from OU 'foo'"
beni at php dot net (2007-06-25 23:56:57)
LDAP stuff is very nicely capsulated in the object oriented Net_LDAP class provided by PEAR:
http://pear.php.net/package/net_ldap
lifo at liche dot net (2007-05-23 11:39:50)
When I discovered I couldn't get searches to work with complex strings (in my case searching on displayName which can have parens and slashes in it). I made this quick function to quote ldap strings in accordance with the RFC. Except I encode spaces as well since searching wouldn't work with spaces. Note, technically speaking a search filter can be encoded into the \xx format for all characters but then filters wouldn't be human readable.
I'm somewhat surprised there wasn't a built in ldap_quote() type of function already.
<?php
// see: RFC2254
function ldap_quote($str) {
return str_replace(
array( '\\', ' ', '*', '(', ')' ),
array( '\\5c', '\\20', '\\2a', '\\28', '\\29' ),
$str
);
}
?>
Allie (2007-03-06 14:38:02)
I just posted on the ldap_bind, but I figured it couldn't hurt here since this was the first place I stopped when trying to figure out my problem. My error pointed to ldap_search, but specifying the ldap_connect port was the fix.
When you want to search the entire directory for MS AD, you must specify port 3268 in your bind. This is also true for apache auth_ldap.
$ldapserver = ldap_connect($server,3268);
Alain SCHNERB (2007-03-05 05:44:59)
I had problem searching into Microsoft Active Directory
with ldap_search.
System administrator does not want to change the 1.000 limit
of returned result because of Domain Controler performance.
Here is a example of code that activates the Page Mode.
See "searching with ActiveX Data Objects (ADO)" on MSDN
for more details.
$connection = New COM("ADODB.Connection");
$commande = New COM("ADODB.Command");
$resultat = New COM("ADODB.Recordset");
$connection->Provider = "ADsDSOObject";
$connection->Open();
$commande->ActiveConnection = $connection ;
$commande->Properties["Cache results"] = false;
// ACTIVATE PAGE MODE
$commande->Properties["Page size"] = 1000;
$recherche1 = "<LDAP://OU=XXXX,OU=Ressources_Locales,DC=COMMUN,
DC=AD,DC=YYYY,DC=FR>";
$recherche2 = ";(&(objectCategory=group)
(sIDHistory=*));distinguishedname;subtree";
$commande->commandtext = $recherche1.$recherche2;
$resultat = $commande->Execute();
$count = 0;
while (!$resultat->eof())
{
if ($count<10)
echo $resultat["distinguishedname"]."<br>";
$resultat->MoveNext();
$count = $count +1;
}
echo $count."<br>";
cbrinker at contronicssolutions dot com (2007-01-23 02:18:50)
I was completely lost trying to setup LDAP access with a Windows Server 2003 environment, but I finally got it to work. Here's a lifesaving tip:
-Script/web server cannot be located on the Active Directory server that you are querying
As well, here's the sample code I used:
<?php
//This code cannot be executed on the same server as AD is installed on!!!
//Connect
$ad = ldap_connect("ad server");
//Set some variables
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
//Bind to the ldap directory
$bd = ldap_bind($ad,"user@domain.com","password")
or die("Couldn't bind to AD!");
//Search the directory
$result = ldap_search($ad, "OU=orginizational unit,DC=domain,DC=com", "(CN=*)");
//Create result set
$entries = ldap_get_entries($ad, $result);
//Sort and print
echo "User count: " . $entries["count"] . "<br /><br /><b>Users:</b><br />";
for ($i=0; $i < $entries["count"]; $i++)
{
echo $entries[$i]["displayname"][0]."<br />";
}
//never forget to unbind!
ldap_unbind($ad);
?>
buhreen at shaw dot ca (2006-04-03 09:12:46)
If you are just trying to run LDAP searches against Active Directory, you might find it easier to use the COM objects and use the ADSI ldap search function. This allows you to use SQL based LDAP queries. It also allows you to perform subtree level searches in AD.
Here is a quick example.
<?php
$Conn = New COM("ADODB.Connection");
$RS = New COM("ADODB.Recordset");
$Conn->Provider = "ADsDSOObject";
$Conn->Properties['User ID'] = "CN=ZimZam,CN=Users,DC=corp,DC=ad,DC=bob,DC=prv";
$Conn->Properties['Password'] = "anythingyouwant";
$strConn = "Active Directory Provider";
$Conn->Open($strConn);
$strRS = "Select givenname,sn,displayName,mail,SAMAccountName from 'LDAP://corp.ad.bob.prv/DC=corp,DC=ad,DC=bob,DC=prv' where objectClass='user' and SAMAccountName='abc123';
$RS->Open($strRS, $Conn, 1, 1);
echo $RS['givenname'] ." - ". $RS['sn'] ." - ". $RS['displayName'] ." - ". $RS['mail'] ." - ". $RS['SAMAccountName'] ."<br>";
$RS->Close;
$Conn->Close;
?>
(2006-01-27 03:53:32)
HOWTO list LDAP users.
This CODE list one user from LDAP tree, but I' like list all user from LDAP one ou=Organization
<?php
$ldaprdn = 'cn=user,dc=domain,dc=org';
$ldappass = 'password';
$sdn = 'cn=user,ou=group,dc=domain,dc=org';
$ldapconn = ldap_connect("ldap://localhost", 389)
or die("Not connect: $ldaphost ");
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
$filter="uid=*";
$justthese = array("uid");
$sr=ldap_read($ldapconn, $srdn, $filter, $justthese);
$entry = ldap_get_entries($ldapconn, $sr);
} else {
echo "LDAP conn ok...";
}
}
ldap_close($ldapconn);
?>
<?php
echo $entry[0]["mail"][0] . " mail adress ";
echo $entry[0]["sn"][0] . " Name ";
?>
cruzfern at chuchuwa dot com dot ar (2005-08-30 09:14:12)
The internal attributes (like createTimestamp, modifyTimestamp, etc), don't come by default (when the optional parameter attributes is not set). You have to specify it:
<?
$r=ldap_search($ds,$base,$filter,array("createTimestamp"));
?>
fmouse at fmp dot com (2005-03-01 10:53:27)
It appears that the Netscape Directory SDK (developer.netscape.com) referenced for LDAP filter information is no longer accepting connections. The A copy of RFC 2254 which defines the standard for string representations of LDAP filters can be found at http://www.ietf.org/rfc/rfc2254.txt
openldap at mail dot doris dot cc (2005-02-11 07:54:47)
PHP 4.3.10
I was trying to do an ldapsearch without a basedn. First, I tried with ' ', as suggested above, but it gave me invalid dn syntax error.
ie:
$sr=ldap_search($ds, ' ', $filter);
Warning: ldap_search(): Search: Invalid DN syntax in ...
Then I changed it to
$sr=ldap_search($ds, "", $filter);
Which gave me the following error:
Warning: ldap_search(): Search: No such object in ...
With that I then modified my ldap.conf file and commented out the BASE field
#BASE dc=example, dc=com
Then it worked!
So it looks like if you supply a blank basedn, then it will use your default basedn in ldap.conf.
rsu_friend at yahoo dot com (2005-02-11 01:03:22)
I was doing a ldap_search with
$searchbasedn = "miDomainName=" . $_SESSION['selectDomain'] ."," . LDAP_DOMAINBASE;
$filter = "(&(mpsAccountNumber=". $acctNumber .")(objectclass=mpsAccountDetails))";
$attributes = array("mpsparentchild");
$sr = ldap_search($ldapconn, $searchbasedn, $filter,$attributes);
For some reasone this search was failing
but I was able to do successful search only when I gave the search filter as
$filter = "(&(mpsAccountNumber= $acctNumber )(objectclass=mpsAccountDetails))";
I did not get why the ldap_search was not able to search in the first case.
sema at technion dot ac dot il (2004-09-04 10:54:42)
In order to perform the searches on Windows 2003 Server Active Directory you have to set the LDAP_OPT_REFERRALS option to 0:
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
Without this, you will get "Operations error" if you try to search the whole AD schema (using root of the domain as a $base_dn).
As opposed to Windows 2000 Server, where this option was optional and only increased the performance.
chester at the dot underground dot com dot au (2003-11-20 01:45:31)
If you are searching active directory and are experiencing lag or time outs, it may be that you are being given ldap referrals from the ldap server. The following code will disable this.
<?
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
?>
sembiance at cosmicrealms dot com (2003-11-16 18:15:02)
When searching for BINARY data (such as an Active Directory objectGUID) you need to escape each hexadecimal character with a backslash.
The following command line run of ldapsearch shows:
ldapsearch -b "dc=blahblah,dc=com" "(objectGUID=\AE\C3\23\35\F7)"
In PHP, you need to escape the escape for the backslash:
ldap_search($ds,"dc=blahblah,dc=com", "(objectGUID=\\AE\\C3\\23\\35\\F7)");
francis dot tyers at hp dot com (2003-11-10 07:53:40)
it seems that all fields must be used in lower case even if they are mixed case in the ldapsearch output.
example:
gidNumber: 1010
homeDirectory: /home/dnt
must be:
echo "gid: " . $info[$i]["gidnumber"][0] . "<br>";
echo "home directory: ". $info[$i]["homedirectory"][0] ."<br>";
not ( $info[$i]["homeDirectory"][0] ) etc.
nicolas at atanis dot net (2003-08-19 11:17:58)
Here is a little script that make a complete subtree search ( i know a script above seems do that but it doesnt work fine)
This is my version:
Voila ce que j'ai fait aujourd'hui ...
$ldap_host = "192.168.0.50";
$ldap_port = "389";
$base_dn = "dc=fr";
$filter = "(cn=*)";
$ldap_user ="cn=admin,dc=fr";
$ldap_pass = "hellodelu";
$connect = ldap_connect( $ldap_host, $ldap_port);
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
$bind = ldap_bind($connect, $ldap_user, $ldap_pass);
$read = ldap_search($connect, $base_dn, $filter);
$info = ldap_get_entries($connect, $read);
echo $info["count"]." entrees retournees<BR><BR>";
for($ligne = 0; $ligne<$info["count"]; $ligne++)
{
for($colonne = 0; $colonne<$info[$ligne]["count"]; $colonne++)
{
$data = $info[$ligne][$colonne];
echo $data.":".$info[$ligne][$data][0]."<BR>";
}
echo "<BR>";
}
ldap_close($connect);
--------
nicolas
me at gavinadams dot org (2003-08-15 13:38:59)
Minor clarification on AD LDAP searchs. Small typo in previous example, and does not display multiple values per attribute. Here's the for loop to enumerate all entries, attributes, and values:
$bind = ldap_bind($connect) // asume anon connect or add user/pass
or exit(">>Could not bind to $ldap_host<<");
$read = ldap_search($connect, $base_dn, $filter)
or exit(">>Unable to search ldap server<<");
$info = ldap_get_entries($connect, $read);
echo $info["count"]." entries returned<br>";
// $i = entries
// $ii = attributes for entry
// $iii = values per attribute
for ($i = 0; $i<$info["count"]; $i++) {
for ($ii=0; $ii<$info[$i]["count"]; $ii++){
$data = $info[$i][$ii];
for ($iii=0; $iii<$info[$i][$data]["count"]; $iii++) {
echo $data.": ".$info[$i][$data][$iii]."<br>";
}
}
echo "<p>"; // separate entries
php @ fccfurn dot com (2003-04-11 15:35:35)
To do subtree search from top DN in Active Directory, Make sure you do your ldap_set_option().
<?php
$ldap_host = "pdc.php.net";
$base_dn = "DC=php,DC=net";
$filter = "(cn=Joe User)";
$ldap_user = "CN=Joe User,OU=Sales,DC=php,DC=net";
$ldap_pass = "pass";
$connect = ldap_connect( $ldap_host, $ldap_port)
or exit(">>Could not connect to LDAP server<<");
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
$bind = ldap_bind($connect, $ldap_user, $ldap_pass)
or exit(">>Could not bind to $ldap_host<<");
$read = ldap_search($connect, $base_dn, $filter)
or exit(">>Unable to search ldap server<<");
$info = ldap_get_entries($connect, $read);
echo $info["count"]." entries returned<p>";
$ii=0;
for ($i=0; $ii<$info[$i]["count"]; $ii++){
$data = $info[$i][$ii];
echo $data.": ".$info[$i][$data][0]."<br>";
}
ldap_close($connect);
?>
Kamil Kukura <kamk at nexen dot cz> (2003-02-26 09:20:33)
When I tried to search with empty base DN on OpenLDAP server which had "" namingContext I got result "no such object". In the log file there was query for dn: dc=example,dc=com (!).
As a workaround, it seems it's enough to feed it with space (' ') as base DN - ldap_search($ds, ' ', '(...filter...)', ...
neumeyed at city dot bloomington dot in dot us (2003-01-29 16:50:02)
A previous comment noted: "I've also noticed that the departmentNumber, employeeNumber (and maybe others in inetorgperson.schema) are not returned from a search."
This is incorrect. These attributes are returned, but you must reference them with lowercase names. That is, instead of doing this:
$entries[0]["departmentNumber"][0]
Do this:
$entries[0]["departmentnumber"][0]
This doesn't seem like "correct" behavior to me, but I don't know enough about LDAP to say for sure.
nick dot veitch at futurenet dot co dot (2003-01-17 08:59:46)
It might be useful to list here the operators that work:
= - matches exact value
=*xxx - matches values ending xxx
=xxx* - matches values beginning xxx
=*xxx* - matches values containing xxx
=* - matches all values (if set - NULLS are not returned)
>=xxx - matches everthing from xxx to end of directory
<=xxx - matches everything up to xxx in directory
~=xxx - matches similar entries (not all systems)
Boolean operators for constructing complex search
&(term1)(term2) - matches term1 AND term2
| (term1)(term2) - matches term1 OR term2
!(term1) - matches NOT term1
&(|(term1)(term2))(!(&(term1)(term2)) - matches XOR term1 term2
some of the more compelx constructions seem to work with varying degrees of efficiency - sometimes it can be better to filter some of the results with the search and do further filtering in PHP.
emrecio at netscape dot net (2002-09-30 20:42:34)
implode(", ",$uentry[0]["rfc822mailalias"]);
doesn't work as expected because "count" is in there... one /must/ use the 'for' loop to cycle through results (discarding "count" element).
jpdalbec at ysu dot edu (2002-09-09 07:33:56)
I've found that spaces need to be escaped in search filters ("\20"), at least using the Red Hat PHP 4.1.2 package. Otherwise no results are returned.
john_taylor_1973 at yahoo dot com (2002-06-27 14:26:42)
Try to use ldap_list(), if possible. It is much faster. ldap_search searches a scope of LDAP_SCOPE_SUBTREE, but ldap_list searches a scope of just LDAP_SCOPE_ONELEVEL. This made a big difference on Novell eDirectory 8.6.1, even for a query that only returned 130 objects. Using an attribute list, the 4th function parameter (of either function), also made queries faster.
(2001-08-31 19:13:59)
I used the following to retrieve all entries from an ILS (Netmeeting) Server:<p> $sr=ldap_search($ds, "objectclass=rtperson","(&(cn=%)(objectclass=rtperson))");
<p>Have fun!
<p>Kees
cdaveb at csua dot berkeley dot edu (2001-01-02 17:23:59)
FYI, for those doing LDAP searches on Exchange servers, there seems to be some preference in Exchange to disallow searches that aren't initial searches (i.e. only x* will work, not * or *x). I'd been going nuts trying to figure out why I kept getting errors doing * searches.
More info at:
http://www.microsoft.com/Exchange/en/55/help/documents/server/XOG16007.HTM
aa529 at nospamchebucto dot ns dot ca (1999-11-22 01:27:10)
Be careful of special characters when generating filters from user input.
*, (, ), \ and NUL should be backslash-escaped. See section 4 of RFC 2254 (I found it here:
http://www.cis.ohio-state.edu/htbin/rfc/rfc2254.html)