As you can see below, I'm not getting any user info when I do an LDAP search to the security group. I want to use $_SERVER[remote_user]
to check if the user is a member of this group. I would also like to retrieve the info of this user and update the SQL database with it. Is this possible?
<?php
// Search base is the group object itself, so the search can only ever return the group entry
$dn = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
$filter = "(member=*)";
$ad = ldap_connect("IP") or die("Couldn't connect to AD!");
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
$bd = ldap_bind($ad, "[email protected]", "password") or die("Can't bind to server.");
$sr = ldap_search($ad, $dn, $filter);
$entries = ldap_get_entries($ad, $sr);
print_r($entries);
Returns this:
Array
(
[count] => 1
[0] => Array
(
[objectclass] => Array
(
[count] => 2
[0] => top
[1] => group
)
[0] => objectclass
[cn] => Array
(
[count] => 1
[0] => Intra
)
[1] => cn
[description] => Array
(
[count] => 1
[0] => Group for (LDAP) INTRANET server access
)
[2] => description
[member] => Array
(
[count] => 4
[0] => CN=Fname1 Lname1,OU=Mail enabled users,OU=Aberdeen,DC=mydomain,DC=local
[1] => CN=Fname2 Lname2,OU=Mail enabled users,OU=Forres,DC=mydomain,DC=local
[2] => CN=Fname3 Lname3,OU=Houston,DC=mydomain,DC=local
[3] => CN=Fname4 Lname4,OU=Mail enabled users,OU=Bergen,DC=mydomain,DC=local
)
[3] => member
[distinguishedname] => Array
(
[count] => 1
[0] => CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local
)
[4] => distinguishedname
[instancetype] => Array
(
[count] => 1
[0] => 4
)
[5] => instancetype
[whencreated] => Array
(
[count] => 1
[0] => 20100711172407.0Z
)
[6] => whencreated
[whenchanged] => Array
(
[count] => 1
[0] => 20100712063949.0Z
)
[7] => whenchanged
[usncreated] => Array
(
[count] => 1
[0] => 17491499
)
[8] => usncreated
[usnchanged] => Array
(
[count] => 1
[0] => 17498823
)
[9] => usnchanged
[name] => Array
(
[count] => 1
[0] => Intra
)
[10] => name
[objectguid] => Array
(
[count] => 1
[0] =>
)
[11] => objectguid
[objectsid] => Array
(
[count] => 1
[0] =>
)
[12] => objectsid
[samaccountname] => Array
(
[count] => 1
[0] => Intra
)
[13] => samaccountname
[samaccounttype] => Array
(
[count] => 1
[0] => 268435456
)
[14] => samaccounttype
[grouptype] => Array
(
[count] => 1
[0] => -2147483646
)
[15] => grouptype
[objectcategory] => Array
(
[count] => 1
[0] => CN=Group,CN=Schema,CN=Configuration,DC=mydomain,DC=local
)
[16] => objectcategory
[count] => 17
[dn] => CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local
)
)
Everything worked fine when I used the normal DN:
$dn = "OU=Mail enabled users,OU=Bergen,DC=mydomain,DC=local";
But an AD expert told me this was a big NO-NO and that I should use Security Groups instead :\
Query the AD like this:
$dn = "DC=mydomain,DC=local";                       // search the whole domain, not one OU
$group_DN = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
// the group DN is escaped for the filter grammar (PHP >= 5.6) before it is interpolated
$filter = "(&(objectCategory=user)(memberOf=" . ldap_escape($group_DN, '', LDAP_ESCAPE_FILTER) . "))";
// ...
$sr = ldap_search($ad, $dn, $filter);
Have a look at the MSDN article about the LDAP search filter syntax for info on more complex filters.
Be sure to pay attention to the Special Characters section down on that page. A correct solution must pass $group_DN
through an escaping mechanism before using it in the filter string!
Always try to build filters as specific as possible. It is more efficient to let the LDAP server sort out records you don't want, instead of having more records transferred over the wire than you need and throwing away half of them on the client.
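Putting the answer's advice together with the question's goal (check the web server's authenticated user against the group, fetch the user's attributes, update SQL), here is an added example that is not part of the original question or answer. It assumes a host name ldap.mydomain.local, a read-only service account whose password comes from the environment, and a `users` table with columns sam, display_name, mail and last_seen; the filter_escape() fallback, bare_username(), member_filter(), find_group_member() and upsert_user() helpers are written for this example.

```php
<?php
// Added example: gate a page on AD security-group membership and sync the
// member's attributes into SQL. Host names, service account and table layout
// below are assumptions, not values from the original post.
declare(strict_types=1);

// RFC 4515 escaping for a value embedded in a search filter. PHP >= 5.6 ships
// ldap_escape(); the strtr() fallback produces the same \XX sequences.
function filter_escape(string $value): string {
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    return strtr($value, [
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    ]);
}

// REMOTE_USER from Kerberos/NTLM auth usually arrives as "MYDOMAIN\jdoe" or
// "jdoe@mydomain.local"; reduce it to the bare sAMAccountName.
function bare_username(string $remoteUser): string {
    if (($p = strrpos($remoteUser, '\\')) !== false) {
        $remoteUser = substr($remoteUser, $p + 1);
    }
    if (($p = strpos($remoteUser, '@')) !== false) {
        $remoteUser = substr($remoteUser, 0, $p);
    }
    return $remoteUser;
}

// One filter does the membership check: the user is returned only when it is
// a direct member of the group. Both the user name and the group DN are escaped.
function member_filter(string $sam, string $groupDn): string {
    return sprintf(
        '(&(objectCategory=person)(objectClass=user)(sAMAccountName=%s)(memberOf=%s))',
        filter_escape($sam),
        filter_escape($groupDn)
    );
}

// Returns the member's attributes, or null when the user is not in the group.
function find_group_member($ad, string $baseDn, string $sam, string $groupDn): ?array {
    $attrs = ['sAMAccountName', 'displayName', 'mail'];   // ask only for what we store
    $sr = ldap_search($ad, $baseDn, member_filter($sam, $groupDn), $attrs, 0, 1);
    if ($sr === false) {
        return null;
    }
    $entries = ldap_get_entries($ad, $sr);                // keys come back lower-cased
    if ($entries['count'] !== 1) {
        return null;
    }
    $e = $entries[0];
    return [
        'sam'          => $e['samaccountname'][0] ?? $sam,
        'display_name' => $e['displayname'][0] ?? '',
        'mail'         => $e['mail'][0] ?? '',
    ];
}

// Prepared statement, so directory values never reach the SQL grammar unescaped.
function upsert_user(PDO $db, array $u): void {
    $stmt = $db->prepare(
        'INSERT INTO users (sam, display_name, mail, last_seen) VALUES (:sam, :dn, :mail, NOW())
         ON DUPLICATE KEY UPDATE display_name = VALUES(display_name), mail = VALUES(mail), last_seen = NOW()'
    );
    $stmt->execute([':sam' => $u['sam'], ':dn' => $u['display_name'], ':mail' => $u['mail']]);
}

// ---- request flow ----
$baseDn  = 'DC=mydomain,DC=local';
$groupDn = 'CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local';

$remote = $_SERVER['REMOTE_USER'] ?? '';            // set by the web server's auth module only
if ($remote === '') {
    http_response_code(401);
    exit('not authenticated');
}
$sam = bare_username($remote);

$ad = ldap_connect('ldaps://ldap.mydomain.local');  // assumed host; LDAPS keeps the bind off the wire in clear
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);        // AD returns referrals that a plain client chases slowly
if (!@ldap_bind($ad, 'svc_intranet@mydomain.local', (string) getenv('LDAP_SERVICE_PASSWORD'))) {
    http_response_code(503);
    exit('directory unavailable');
}

$user = find_group_member($ad, $baseDn, $sam, $groupDn);
ldap_unbind($ad);
if ($user === null) {
    http_response_code(403);
    exit('not a member of Intra');
}

$db = new PDO('mysql:host=localhost;dbname=intranet', 'intranet', (string) getenv('DB_PASSWORD'),
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
upsert_user($db, $user);
echo "Welcome, {$user['display_name']}";
```

Two caveats apply to this design. memberOf lists direct membership only; if users reach Intra through nested groups, AD supports a transitive match on the member attribute via the LDAP_MATCHING_RULE_IN_CHAIN rule (OID 1.2.840.113556.1.4.1941), at a higher query cost. And the check is only as trustworthy as REMOTE_USER: it must be populated by the web server's own authentication module, never copied from a client-supplied header.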