How can I check if a user is part of a group using the php_ldap module?
I'm completely new to LDAP and hence a bit confused...
With googling I've come up with this so far:
$ds = ldap_connect($ldapHost, $ldapPort);
if ($ds) {
    $r = ldap_bind($ds, $ldapRdn, $ldapPassword);
    // Escape the user-supplied value so it cannot alter the filter's structure (LDAP injection)
    $filter = "(sAMAccountName=" . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . ")";
    $attr = array("memberof");
    $result = ldap_search($ds, $ldapDN, $filter, $attr) or exit("Unable to search LDAP server");
}
I'm not sure if this is correct as it was taken from something specific for AD. The problem seems to be $ldapDN. This is what I search for, right? My group's "definition" is:
cn=User,ou=Profiles,ou=App_DEV,ou=ApplicationRights,O=MyCompany.COM
How can I do this check?
EDIT:
Here is my solution, found with the help of the "Accepted Answer" and trial & error. I think the answer depends greatly on your specific system.
// This is the User group DN
$ldapDN = "cn=User,ou=Profiles,ou=App_DEV,ou=ApplicationRights,O=MyCompany.COM";
// Escape $uid for the DN it is embedded in, then escape the whole DN as a filter value
$userDN = "uid=" . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ",ou=Users,O=MYCOMPANY.COM";
$filter = "(uniqueMember=" . ldap_escape($userDN, '', LDAP_ESCAPE_FILTER) . ")";
$attr = array('uniqueMember');
$result = ldap_search($ldapConnection, $ldapDN, $filter, $attr);
$entries = ldap_get_entries($ldapConnection, $result);
ldap_unbind($ldapConnection);
// A matching entry means the group lists this user as a member
return intval($entries["count"]) > 0;
MemberOf is an LDAP AttributeType whose value is the DN of an LDAP entry, the group, that the current LDAP entry is a member of; it is referred to as a Forward Reference (or Virtual Attribute).
You can try and check it with extension_loaded() like this: $builtWithLdap = extension_loaded('ldap'); or alternatively, as a crowbar approach, just check if one of the functions exists: $builtWithLdap = function_exists('ldap_add');
Membership information is usually stored in the group - in the form of the 'member' or 'memberUid' attribute. 'member' represents the full DN (distinguished name) of the member object, and would look something like 'uid=username,ou=users,dc=example,dc=com'. In the case of memberUid, the value would simply be 'username'.
The way to figure out which is being used in your directory is to analyze a group using something like Apache Directory Studio.
In addition to the 'member' attribute, AD stores a memberOf attribute in the user's record which contains the DN of the group. But most directories don't do this, which is probably why your code isn't working.
What you're looking for is a filter like this:
// & means "And" the next sibling items:
// so "find items that have the objectClass of group and a member whose DN is user_dn
(&(objectClass=group)(member=[user_dn]))
or
(&(objectClass=group)(memberUid=[user_uid]))
So in your case
$result = ldap_search(
    $ds,
    'dc=mycompany,dc=com', // The base from which to start your search. (could be an OU too, like 'ou=restricted,dc=mycompany,dc=com')
    '(&(objectClass=group)(member=uid=tom,ou=users,dc=mycompany,dc=com))',
    array('cn') // only fetch the group name; we just need to know whether anything matched
);
Or if your groups go by memberUid, you would change the filter to
$filter = '(&(objectClass=group)(memberUid=username))';
$result should then contain a list of group records that have 'username' as a member.
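The following is an added example, not code from the question or from any of the answers above. It combines the asker's final approach (ask the group entry whether it lists the user, via uniqueMember) with the accepted answer's member/memberUid filters and the memberOf attribute described in the other answers, and it escapes every user-supplied value with ldap_escape() so a crafted uid cannot rewrite the filter. The host, bind DN, attribute names and the use of "1.1" (the RFC 4511 convention for "return no attributes") are assumptions chosen for illustration; the DNs are taken from the question.

```php
<?php
// Added example (not from the original question or answers). Two ways to test
// group membership with php_ldap. All DNs, host names and attribute names are
// placeholders (assumptions) except the two DNs quoted from the question.

// Build a filter that asks the group entry whether it lists the user.
// $memberAttr is 'member' or 'uniqueMember' (value is the user's full DN)
// or 'memberUid' (value is the bare uid); pick it by inspecting a group in
// your directory, as the accepted answer suggests.
function buildGroupFilter(string $memberAttr, string $uid, string $userBaseDn): string
{
    if ($memberAttr === 'memberUid') {
        $value = ldap_escape($uid, '', LDAP_ESCAPE_FILTER);
    } else {
        // Two different contexts: escape the uid as a DN component first,
        // then escape the whole DN as a filter value.
        $userDn = 'uid=' . ldap_escape($uid, '', LDAP_ESCAPE_DN) . ',' . $userBaseDn;
        $value  = ldap_escape($userDn, '', LDAP_ESCAPE_FILTER);
    }
    return sprintf('(%s=%s)', $memberAttr, $value);
}

// Read the group entry itself (base scope) with the membership filter; a
// returned entry means the group lists the user. Needs a bound connection.
function userInGroup($ds, string $groupDn, string $memberAttr, string $uid, string $userBaseDn): bool
{
    $filter = buildGroupFilter($memberAttr, $uid, $userBaseDn);
    $result = ldap_read($ds, $groupDn, $filter, ['1.1']); // '1.1': no attribute values needed
    if ($result === false) {
        throw new RuntimeException('LDAP read failed: ' . ldap_error($ds));
    }
    return ldap_count_entries($ds, $result) > 0;
}

// Alternative for directories (e.g. AD) that maintain memberOf on the user:
// read the user's memberOf values and look for the group DN.
function userHasMemberOf($ds, string $userDn, string $groupDn): bool
{
    $result = ldap_read($ds, $userDn, '(objectClass=*)', ['memberOf']);
    if ($result === false) {
        throw new RuntimeException('LDAP read failed: ' . ldap_error($ds));
    }
    return memberOfContains(ldap_get_entries($ds, $result), $groupDn);
}

// Pure function over the array shape ldap_get_entries() returns (attribute
// names lower-cased, each multi-valued attribute carrying its own 'count'),
// so it can be exercised without a directory.
function memberOfContains(array $entries, string $groupDn): bool
{
    if ($entries['count'] < 1 || !isset($entries[0]['memberof'])) {
        return false;
    }
    $values = $entries[0]['memberof'];
    for ($i = 0; $i < $values['count']; $i++) {
        // DN comparison is case-insensitive; this ignores whitespace normalisation
        if (strcasecmp($values[$i], $groupDn) === 0) {
            return true;
        }
    }
    return false;
}

// --- Demonstration without a server: filter construction and memberOf parsing ---
$userBase = 'ou=Users,O=MYCOMPANY.COM';                                          // from the question
$groupDn  = 'cn=User,ou=Profiles,ou=App_DEV,ou=ApplicationRights,O=MyCompany.COM'; // from the question

echo buildGroupFilter('uniqueMember', 'tom', $userBase), PHP_EOL;
// A uid carrying filter metacharacters is neutralised instead of being interpreted:
echo buildGroupFilter('memberUid', 'tom)(uid=*', $userBase), PHP_EOL;

// Constructed sample (not real directory output) in the ldap_get_entries() shape:
$sampleEntries = [
    'count' => 1,
    0 => [
        'count'    => 1,
        0          => 'memberof',
        'memberof' => ['count' => 1, 0 => strtoupper($groupDn)],
    ],
];
var_dump(memberOfContains($sampleEntries, $groupDn));

// Against a live directory (placeholder host and bind DN; not executed here):
// $ds = ldap_connect('ldaps://ldap.example.com');
// ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// ldap_bind($ds, 'cn=reader,O=MyCompany.COM', $bindPassword);
// var_dump(userInGroup($ds, $groupDn, 'uniqueMember', 'tom', $userBase));
```

Two points worth keeping in mind: ldap_read() with the group DN as base avoids a subtree search and returns at most one entry, which is all a yes/no check needs; and the memberOf route only works on directories that maintain that attribute, so prefer querying the group entry unless you know you are on AD or a server with the memberOf overlay.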