PHP LDAP search issue


I'm trying to use LDAP in PHP code for the first time. I want to determine if a user is a member of a particular AD group.

I've cobbled the code together from other examples, and it runs without error, but it indicates 0 results when the user is in fact a member of the group.

Here is the code:

    $hostname="192.168.1.1";
    $conn=ldap_connect($hostname, 389);
    ldap_set_option ($conn, LDAP_OPT_REFERRALS, 0) or die('Unable to set LDAP opt referrals');
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');

    if ($conn) {
        $dn = "dc=domain,dc=local";

        // if (!($ldapc=ldap_bind($conn,'cn=username,cn=users,dc=domain,dc=local','p@ssw0rd'))) {
        if (!($ldapc=ldap_bind($conn,'username@domain.local','n0tmyp@ssw0rd'))) {

Is the full cn=...,dc=... form or the @domain.local form the preferred method here?

Also, am I right in assuming the searches for membership are performed as the user authenticated by ldap_bind()?

The code continues:

            echo "<p>Error:" . ldap_error($conn) . "</p>";
            echo "<p>Error number:" . ldap_errno($conn) . "</p>";
            echo "<p>Error:" . ldap_err2str(ldap_errno($conn)) . "</p>";
            die;
        }

        $attributes = array("memberof");
        $filter = "(memberof=mygroup,ou=application security,dc=domain,dc=local)";
        $result = ldap_search($conn, $dn, $filter, $attributes);

        echo $result."<br />";
        $info = ldap_get_entries($conn, $result);
        echo $info["count"]." entries returned.\n";

        for ($i=0; $i < $info["count"]; $i++) {
            echo $info[$i]["ou"][0];
        }
    } else {
        echo "<h4>Unable to connect to LDAP server</h4>";
    }

    ldap_unbind($conn);

EDIT: After the suggestions below, I was able to get it working as expected. Here is the final working code for the benefit of others...

    $hostname="192.168.1.1";
    $conn=ldap_connect($hostname, 389);
    ldap_set_option ($conn, LDAP_OPT_REFERRALS, 0) or die('Unable to set LDAP opt referrals');
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
    if ($conn) {
        $dn = "dc=domain,dc=local";
        if (!($ldapc=ldap_bind($conn,'cn=administrator,cn=users,dc=domain,dc=local','password'))) {
            echo "<p>Error:" . ldap_error($conn) . "</p>";
            echo "<p>Error number:" . ldap_errno($conn) . "</p>";
            echo "<p>Error:" . ldap_err2str(ldap_errno($conn)) . "</p>";
            die;
        }

        $filter = "(memberof=cn=dashboard,ou=application security,dc=domain,dc=local)";
        $result = ldap_search($conn, $dn, $filter);
        // $attributes = array('samaccountname');
        //$result = ldap_search($conn, $dn, $filter, $attributes);
        $info = ldap_get_entries($conn, $result);
        echo $info["count"]." entries returned.<br />";
        for ($i=0; $i < $info["count"]; $i++) {
            echo $i . " " . $info[$i]["samaccountname"][0] . "<br />";
        }
    } else {
        echo "<h4>Unable to connect to LDAP server</h4>";
    }
    ldap_unbind($conn);

Personally I prefer the cn=... way to bind to the directory, as it's universal. The username@domain version only works on AD.

And the user that binds to the directory is not the user you're looking up groups for, but the user you're looking up the information with.

So when the user binding to the LDAP server doesn't have the right to see group information, you won't have any luck. On the other hand, if you needed to log in as the user you're looking up group memberships for, you could only retrieve group memberships when you know the password of that user. That would be a bit strange, wouldn't it?

And as the user binding to the LDAP server only has to have read permission on the LDAP server, it might be possible to use an anonymous bind without the need for a real user to bind. Just omit the user and password fields on ldap_bind. That depends on the setup of the server.

To get the number of results returned by the query you can use the ldap_count_entries($connectionhandle, $resulthandle) function, but I assume there is an issue in the search filter.

The search filter has to contain a query. In your case you give a string that doesn't tell the LDAP server which field to map it against. A filter looks like this: <fieldname>=<querystring>. In your case: memberof=cn=mygroup,ou=application security,dc=domain,dc=local. The difference being that the group is identified by its complete DN (I assume here) cn=mygroup,ou=application security,dc=domain,dc=local - you'll have to verify that!

The query returns all users that are members of the role, and returns the memberof attribute of those users, which you know already. You should either leave $attributes empty or use ['cn', 'samaccountname', 'mail'] so that the cn, the user's id and the email address are returned.

In a second step you have to check whether the user you're looking for is in the returned array.

Alternatively search for the user (filter mail=<email-address> or samaccountname=<user-id>) and the memberof value is returned. Then you have to check whether the required group is one of the ones in the memberof entry.

Scared? Didn't understand it? Don't worry. Just ask!
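Both approaches from the answer above (search the group's members, or search the user and inspect memberof), written up as an added example that is not the original poster's or answerer's code. The LDAPS host, base DN, service-account DN and password, group DN and the user name "jdoe" are assumptions. Two points the thread does not show: the user-supplied name goes through ldap_escape() before it is spliced into the filter, so a value like "*)(objectClass=*" cannot rewrite the query; and AD's memberOf attribute only lists direct memberships, so the nested variant uses the AD "in chain" matching rule (OID 1.2.840.113556.1.4.1941) to have the server resolve group nesting.

```php
<?php
// Added example, not the original poster's code. Checks AD group membership
// with a read-only service account; all connection details below are assumptions.
declare(strict_types=1);

const LDAP_URI      = 'ldaps://dc01.domain.local';                   // assumption: LDAPS, not plain 389
const BASE_DN       = 'dc=domain,dc=local';
const BIND_DN       = 'cn=svc-dashboard,cn=users,dc=domain,dc=local'; // assumption: read-only service account
const BIND_PASSWORD = 'service-account-password';                    // assumption; load from a secret store in practice
const GROUP_DN      = 'cn=dashboard,ou=application security,dc=domain,dc=local';

/** Connect and bind with the service account, or throw with the server's error text. */
function ldapBind()
{
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        throw new RuntimeException('Malformed LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);   // AD returns referrals that otherwise stall searches
    if (!@ldap_bind($conn, BIND_DN, BIND_PASSWORD)) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($conn));
    }
    return $conn;
}

/**
 * Approach 1: look the user up by sAMAccountName and check memberOf.
 * With $nested = true the AD "in chain" matching rule is used, so membership
 * through nested groups is resolved server-side (memberOf alone is not recursive).
 */
function userIsMemberOf($conn, string $samAccountName, string $groupDn, bool $nested = false): bool
{
    // ldap_escape() with LDAP_ESCAPE_FILTER neutralises * ( ) \ and NUL in the value.
    $user  = ldap_escape($samAccountName, '', LDAP_ESCAPE_FILTER);
    $group = ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER);

    if ($nested) {
        $filter = "(&(objectClass=user)(sAMAccountName=$user)(memberOf:1.2.840.113556.1.4.1941:=$group))";
        $result = ldap_search($conn, BASE_DN, $filter, ['sAMAccountName']);
        return $result !== false && ldap_count_entries($conn, $result) === 1;
    }

    $filter = "(&(objectClass=user)(sAMAccountName=$user))";
    $result = ldap_search($conn, BASE_DN, $filter, ['memberOf']);
    if ($result === false || ldap_count_entries($conn, $result) !== 1) {
        return false;   // unknown or ambiguous user: fail closed
    }
    $entries = ldap_get_entries($conn, $result);        // attribute names come back lower-cased
    $groups  = $entries[0]['memberof'] ?? ['count' => 0];
    unset($groups['count']);
    foreach ($groups as $dn) {
        if (strcasecmp($dn, $groupDn) === 0) {           // AD DNs compare case-insensitively
            return true;
        }
    }
    return false;
}

/** Approach 2: list the group's direct members (the poster's final query, with escaping). */
function groupMembers($conn, string $groupDn): array
{
    $group  = ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER);
    $result = ldap_search($conn, BASE_DN, "(&(objectClass=user)(memberOf=$group))", ['sAMAccountName']);
    $names  = [];
    if ($result !== false) {
        $entries = ldap_get_entries($conn, $result);
        for ($i = 0; $i < $entries['count']; $i++) {
            $names[] = $entries[$i]['samaccountname'][0];
        }
    }
    return $names;
}

$conn  = ldapBind();
$login = 'jdoe';   // constructed input; in a web app this comes from the authenticated session, never from a raw query string
printf("%s direct member of dashboard: %s\n", $login, userIsMemberOf($conn, $login, GROUP_DN) ? 'yes' : 'no');
printf("%s member incl. nested groups:  %s\n", $login, userIsMemberOf($conn, $login, GROUP_DN, true) ? 'yes' : 'no');
print_r(groupMembers($conn, GROUP_DN));
ldap_unbind($conn);
```

For an access check on a single user, approach 1 is the cheaper query: it returns one entry instead of the whole group, and the nested variant answers the question the poster actually had (is this account, directly or via a sub-group, allowed in) in one round trip. Approach 2 is what you want for listing or auditing a group. Whichever you use, bind with a least-privilege read-only account rather than the domain administrator shown in the poster's final code.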
