PHP LDAP search issue
I'm trying for the first time to use LDAP in PHP code. I want to determine if a user is a member of a particular AD group.
I've cobbled the code together from other examples, and it runs without error, but it indicates 0 results when the user is in fact a member of the group.
Here is the code:
    $hostname = "192.168.1.1";
    $conn = ldap_connect($hostname, 389);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0) or die('Unable to set LDAP opt referrals');
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
    if ($conn) {
        $dn = "dc=domain,dc=local";
        // if (!($ldapc = ldap_bind($conn, 'cn=username,cn=users,dc=domain,dc=local', 'p@ssw0rd'))) {
        if (!($ldapc = ldap_bind($conn, 'username@domain.local', 'n0tmyp@ssw0rd'))) {
Is the full cn=,dc=, etc. form or @domain.local the preferred method here?
Also, am I right in assuming that the membership searches are performed against the user authenticated with ldap_bind()?
The code continues:
            echo "<p>Error:" . ldap_error($conn) . "</p>";
            echo "<p>Error number:" . ldap_errno($conn) . "</p>";
            echo "<p>Error:" . ldap_err2str(ldap_errno($conn)) . "</p>";
            die;
        }
        $attributes = array("memberof");
        $filter = "(memberof=mygroup,ou=application security,dc=domain,dc=local)";
        $result = ldap_search($conn, $dn, $filter, $attributes);
        echo $result . "<br />";
        $info = ldap_get_entries($conn, $result);
        echo $info["count"] . " entries returned.\n";
        for ($i = 0; $i < $info["count"]; $i++) {
            echo $info[$i]["ou"][0];
        }
    } else {
        echo "<h4>Unable to connect to LDAP server</h4>";
    }
    ldap_unbind($conn);
Edit: after the suggestions below, I was able to get it working as expected. Here is the final working code for the benefit of others...
    $hostname = "192.168.1.1";
    $conn = ldap_connect($hostname, 389);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0) or die('Unable to set LDAP opt referrals');
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
    if ($conn) {
        $dn = "dc=domain,dc=local";
        if (!($ldapc = ldap_bind($conn, 'cn=administrator,cn=users,dc=domain,dc=local', 'password'))) {
            echo "<p>Error:" . ldap_error($conn) . "</p>";
            echo "<p>Error number:" . ldap_errno($conn) . "</p>";
            echo "<p>Error:" . ldap_err2str(ldap_errno($conn)) . "</p>";
            die;
        }
        $filter = "(memberof=cn=dashboard,ou=application security,dc=domain,dc=local)";
        $result = ldap_search($conn, $dn, $filter);
        // $attributes = array('samaccountname');
        // $result = ldap_search($conn, $dn, $filter, $attributes);
        $info = ldap_get_entries($conn, $result);
        echo $info["count"] . " entries returned.<br />";
        for ($i = 0; $i < $info["count"]; $i++) {
            echo $i . " " . $info[$i]["samaccountname"][0] . "<br />";
        }
    } else {
        echo "<h4>Unable to connect to LDAP server</h4>";
    }
    ldap_unbind($conn);
Personally I prefer cn=... as the way to bind to the directory, as it's universal. The username@domain version works on AD.
And the user that binds to the directory is not the user you're looking up groups for, but the user you're looking up the information with.
So when the user binding to the LDAP server doesn't have the right to see group information, you won't have any luck. On the other hand, if you'd need to log in as the user you're looking up group memberships for, you could only retrieve group memberships when you know the password of the user. That would be a bit strange, wouldn't it?
And as the user binding to the LDAP server only has to have read permission on the LDAP server, it might be possible to use an anonymous bind without the need for a real user to bind. Then omit the user and password fields on ldap_bind(). That depends on the setup of the server.
To get the number of results returned by a query you can use the ldap_count_entries($connectionhandle, $resulthandle) function. But I assume there is an issue in the search filter.
The search filter has to contain the query. In your case you give a string that doesn't tell the LDAP server which field to map it against. A filter looks like this: <fieldname>=<querystring>. In your case that is memberof=cn=mygroup,ou=application security,dc=domain,dc=local. The difference being that the group is identified by its complete DN (I assume here it is cn=mygroup,ou=application security,dc=domain,dc=local - you'll have to verify that!).
The query returns all users that are members of the role, and it returns the memberof attribute of the users, which you know already. So you should either leave $attributes empty or use ['cn', 'samaccountname', 'mail'] so that cn, the user's ID and the email address are returned.
In a second step you have to check whether the user you're looking for is in the returned array.
Alternatively, search for the user (filter mail=<email-address> or samaccountname=<user-id>), and the memberof value is returned. Then you have to check whether the required group is one of the ones in the memberof entry.
Scared? Didn't understand it? Don't worry. Ask!
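Following the answer's alternative approach (search for the user, then check whether the required group is one of the memberof values), here is an added example in PHP that is not part of the question or the answer. It assumes $conn is already connected and bound as in the question's code; the base DN, account name and group DNs are placeholders, and the caller-supplied account name is passed through ldap_escape() so it cannot change the filter structure.

```php
<?php
// Case-insensitive comparison of DNs, as AD treats them; spaces around
// separators are dropped so "CN=A, OU=B" and "cn=a,ou=b" compare equal.
function normalize_dn(string $dn): string
{
    return strtolower(preg_replace('/\s*([,=])\s*/', '$1', trim($dn)));
}

// $memberOf is shaped like ldap_get_entries() output: a 'count' key plus
// numeric keys holding one group DN each.
function is_member_of(array $memberOf, string $groupDn): bool
{
    $wanted = normalize_dn($groupDn);
    foreach ($memberOf as $key => $dn) {
        if ($key !== 'count' && normalize_dn($dn) === $wanted) {
            return true;
        }
    }
    return false;
}

// Look the user up by sAMAccountName under $baseDn on an already bound
// $conn (assumed) and test the memberOf attribute of the single match.
function user_in_group($conn, string $baseDn, string $samAccountName, string $groupDn): bool
{
    // Escape the caller-supplied value so it cannot alter the filter.
    $filter = '(&(objectClass=user)(sAMAccountName='
        . ldap_escape($samAccountName, '', LDAP_ESCAPE_FILTER) . '))';
    $result = ldap_search($conn, $baseDn, $filter, ['memberof']);
    if ($result === false) {
        throw new RuntimeException('ldap_search failed: ' . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $result);
    if ($entries['count'] !== 1 || empty($entries[0]['memberof'])) {
        return false; // no such user, ambiguous match, or no group memberships
    }
    return is_member_of($entries[0]['memberof'], $groupDn);
}

// Offline check of the comparison with a constructed memberOf value
// (placeholder DNs), shaped like what ldap_get_entries() returns.
$sample = [
    'count' => 2,
    0 => 'CN=Dashboard,OU=Application Security,DC=domain,DC=local',
    1 => 'CN=Domain Users,CN=Users,DC=domain,DC=local',
];
var_dump(is_member_of($sample, 'cn=dashboard,ou=application security,dc=domain,dc=local'));
var_dump(is_member_of($sample, 'cn=admins,ou=application security,dc=domain,dc=local'));
```

The memberof attribute only lists direct memberships, so a user who belongs to the group through a nested group will not match this check.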