How can I exclude specific folders under the LDAP domain with CodeIgniter and the adLDAP v2.1 library

I'm performing a search on my LDAP server using adLDAP and CodeIgniter. What I want to search is basically accounts that have been deactivated from the LDAP server. In my PHP code I have the following to call the adLDAP library:

    // $values, $wildcard and $logic are set earlier in this method (not shown in the post)
    $searchCriteria = array(
        "givenname"       => $values['givenName'],
        "sn"              => $values['sn'],
        "title"           => $values['title'],
        "mail"            => $values['mail'],
        "telephonenumber" => $values['telephonenumber'],
    );

    // echo "<pre>"; print_r($searchCriteria); echo "</pre>";

    // create the search filter
    $noOfFieldsSet = 0;
    $searchFilterA = '(objectClass=user)(samaccounttype='. ADLDAP_NORMAL_ACCOUNT .')(objectCategory=person)';
    $searchFilterB = '';
    foreach ($searchCriteria AS $key => $value)
    {
        if ($value)
        {
            $searchFilterB .= "(".$key."=".$wildcard.$value."*)";
            ++$noOfFieldsSet;
        }
    }
    // We perform a logical AND or OR (depending on $logic) on all
    // specified search criteria to create the final search filter:
    if ($logic == "&")
    {
        $searchFilter = "(".$logic." ".$searchFilterA.$searchFilterB.")";
    }
    else // logic = OR
    {
        $searchFilter = "(& ".$searchFilterA."(".$logic." ".$searchFilterB."))";
    }

    // echo $searchFilter."<br>";

    // define what attributes we want to get
    $attribs = array("displayname", "samaccountname", "mail", "telephonenumber", "title", "physicaldeliveryofficename");
    $resultEntries = $this->ad_ldap->search_directory($searchFilter, $attribs);

and then in this last line the function ad_ldap->search_directory from the adLDAP library is called. This function is:

    function search_directory($filter, $fields, $sorted = true)
    {
        if ( ! $this->_bind)
            return (false);

        $sr = ldap_search($this->_conn, $this->_base_dn, $filter, $fields);
        $entries = ldap_get_entries($this->_conn, $sr);

        // echo "<pre>"; print_r($entries); echo "</pre>";

        return $entries;
    }

This is what my LDAP tree structure looks like:

[screenshot of the LDAP tree structure; not reproduced here]

I would like to know how I can exclude those directories (pointed to by the black arrow) and the other "Inactive" folder inside the other "users" folder below that one.

The thing I'm not sure about here is how to exclude directories, or how to specify which directories I would like to have excluded.

Any help would be appreciated.

asked by VaTo, Feb 15 '19 23:02

1 Answer

You should add an exclusion filter to $searchFilterB:

    $searchFilterA = '(objectClass=user)(samaccounttype='. ADLDAP_NORMAL_ACCOUNT .')(objectCategory=person)';
    $searchFilterB = '(!(UserAccountControl:1.2.840.113556.1.4.803:=2))';

This is AD-specific query language saying: find all accounts that do not have the UF_ACCOUNTDISABLED flag on (which you can edit in AD user control by flipping the disabled switch).

answered by webmaster777, Oct 19 '22 22:10
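The following is an added example, not code from the question, the answer, or the adLDAP library. It puts the two pieces together: the filter-building loop from the question, rewritten so that the user-supplied search values are escaped with PHP's ldap_escape() (the original concatenates them raw, which lets a value such as `*)(objectClass=*` rewrite the filter), the userAccountControl bitwise clause from the answer, and the OU exclusion the question asks for. A plain LDAP filter cannot test an entry's own DN, so the "Inactive" containers are excluded by checking each result's DN after the search. Assumed: $conn is an already-bound LDAP link (adLDAP keeps it in $this->_conn), $baseDn is the search base, and the container DNs are placeholders for the OUs in the screenshot; 805306368 is the value adLDAP defines for ADLDAP_NORMAL_ACCOUNT.

```php
<?php
// Added example; not code from the question, the answer, or the adLDAP library.
// Assumptions: $conn is an already-bound LDAP link (adLDAP's $this->_conn), $baseDn is
// the search base, and the DNs passed as $excludedContainers are placeholders for the
// "Inactive" OUs shown in the question's screenshot.

/**
 * Build the search filter. Each user-supplied value goes through ldap_escape() with
 * LDAP_ESCAPE_FILTER so that '*', '(', ')', '\' and NUL in the input cannot change the
 * structure of the filter (LDAP filter injection). The trailing '*' wildcard is appended
 * by the code, as in the question, and stays a real wildcard.
 */
function buildAccountFilter(array $criteria, bool $disabledOnly, string $logic = '&'): string
{
    // Same fixed clauses as the question; 805306368 is adLDAP's ADLDAP_NORMAL_ACCOUNT.
    $fixed = '(objectClass=user)(samaccounttype=805306368)(objectCategory=person)';

    // Bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) on userAccountControl;
    // bit value 2 is ACCOUNTDISABLE. On its own the clause matches disabled accounts;
    // wrapped in (!...) , the answer's form, it matches enabled ones.
    $disabledClause = '(userAccountControl:1.2.840.113556.1.4.803:=2)';
    $fixed .= $disabledOnly ? $disabledClause : '(!' . $disabledClause . ')';

    $criteriaClauses = '';
    foreach ($criteria as $attribute => $value) {
        if ($value === null || $value === '') {
            continue; // skip empty fields, as the original loop does
        }
        // Attribute names come from the fixed key list in the code, not from the user.
        $criteriaClauses .= '(' . $attribute . '=' . ldap_escape($value, '', LDAP_ESCAPE_FILTER) . '*)';
    }

    if ($criteriaClauses === '') {
        return '(&' . $fixed . ')';
    }
    if ($logic === '&') {
        return '(&' . $fixed . $criteriaClauses . ')';
    }
    return '(&' . $fixed . '(|' . $criteriaClauses . '))';
}

/** Lower-case a DN and drop whitespace around its commas so two spellings compare equal. */
function normaliseDn(string $dn): string
{
    return strtolower(preg_replace('/\s*,\s*/', ',', trim($dn)));
}

/** True when $dn is $container itself or sits anywhere beneath it in the tree. */
function isUnderContainer(string $dn, string $container): bool
{
    $dn = normaliseDn($dn);
    $suffix = ',' . normaliseDn($container);
    return $dn === substr($suffix, 1)
        || (strlen($dn) > strlen($suffix) && substr($dn, -strlen($suffix)) === $suffix);
}

/**
 * Run the search and drop every entry that lives under an excluded container. The
 * exclusion is applied to the result set because a standard LDAP filter cannot match
 * on the entry's DN; ldap_get_entries() exposes each entry's DN under the 'dn' key.
 */
function searchExcludingContainers($conn, string $baseDn, string $filter, array $attribs, array $excludedContainers): array
{
    $sr = ldap_search($conn, $baseDn, $filter, $attribs);
    if ($sr === false) {
        return [];
    }
    $entries = ldap_get_entries($conn, $sr);
    $kept = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $entry = $entries[$i];
        foreach ($excludedContainers as $container) {
            if (isUnderContainer($entry['dn'], $container)) {
                continue 2; // entry is inside an excluded OU: skip it
            }
        }
        $kept[] = $entry;
    }
    return $kept;
}

// Constructed input (no live server needed): a surname carrying a stray wildcard is
// escaped to "Smith\2a", so only the code's own trailing '*' acts as a wildcard.
echo buildAccountFilter(['givenname' => 'Jo', 'sn' => 'Smith*', 'mail' => ''], true), PHP_EOL;

// Constructed DNs: the first lies under the container, the second does not.
var_dump(isUnderContainer('CN=Jo Smith,OU=Inactive,OU=Users,DC=example,DC=com', 'ou=inactive, ou=users, dc=example, dc=com'));
var_dump(isUnderContainer('CN=Jo Smith,OU=Users,DC=example,DC=com', 'OU=Inactive,OU=Users,DC=example,DC=com'));
```

With a bound link this replaces the `search_directory()` call: `searchExcludingContainers($conn, $baseDn, buildAccountFilter($searchCriteria, true), $attribs, ['OU=Inactive,OU=Users,DC=example,DC=com'])`. Where the accounts of interest all sit in one OU, the cheaper option is to pass that OU as the search base instead of the domain root (adLDAP's `_base_dn`), so excluded subtrees are never fetched at all; the post-filter above is for the case in the question, where the excluded containers are scattered under different "users" folders.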