Active Directory

I've been playing around with PHP and ldap queries for a while. I have been able to search for users in our Active Directory just fine.

What I can't seem to figure out is how to list all members of a particular group. Does any one know how to do this?

LDAP://CN=ta.timekeeper, OU=Security Groups, DC=BLA, DC=DOH, DC=org

I can do a search for ta.timekeeper, but I have no idea how to list the members in that group.

Mark

what do you mean by list members? can you post your structure of how you have it layed out and I can get a better idea of what to work with.

Well this is in Active Directory so I really don't know the structure of it. I do know that it's a Organizational Unit called 'Security Groups' and that is where we keep all our active directory groups. In there, there is a 'ta.timekeeper' group that has many users assigned to it. I would like to list those users that are in the ta.timekeeper group.

The Security Groups it right off the root. So LDAP reads from right to left, it would be....

ta.timekeeper, security groups, domain, org

Is that what you ask for?

PS.
I'm still very new to accessing AD from out side of Windows. I can do this in kixtart script, I just want to learn how to do it on my Linux box so that I may make a web page for the timekeeper managers.

Mark

I don't use AD so some of this maybe wrong, but I believe you'd just search for the group like:

(CN=CN=ta.timekeeper, OU=Security Groups, DC=BLA, DC=DOH, DC=org)

or something like that, how are the users assigned? is there a field in there entry with the dn of the group there are assigned to? if so the above should work if not I need more info.

You need to specify the attribute that you want returned - in this case member ...

For instance - if you did a command line ldapsearch it would look something like this:

ldapsearch -b "dc=corp,dc=comp,dc=com" -h server -p port -D "user" -w password -v (cn=ta.timekeeper*) member

which would return all the members of any group that started with a cn of ta.timekeeper ...

OK,
here is what I have so far. I'm able to get one user but thats it.




I get one user listed, but I should have over 100

Yes with that code you will only get one entry, you are searching the single entry "cn=ta.timekeeper, ou=security groups, dc=Global, dc=Shsystem, dc=org"

try chaning $dn to:


and $filter to:


might need to be ajusted

Thanks,
I'll give it a shot tomorrow at work.

well if it doesn't work I won't be around till monday so you can either wait or maybe someone else can help you

LDAP4U,
I tried what you wrote the other day and was unable to get that comand to work. It would complain about a ')' in the command. So I wrote this...

ldapsearch -h 10.0.2.223 -x -D guzmar@global.shsystem.org -w mypassword -b "ou=security groups,dc=global,dc=shsystem,dc=org" -v "cn=ta.timekeeper"

Which gave me the list I wanted


Here is a snip from the output ...
member: CN=Guzzo\, Mark,OU=Users,OU=Network Ops,OU=IT,DC=global,DC=shsystem,DC
=org

I see the attribute "member" listed, but from the command above how did it know to list the member attribute? I've tried it the way you posted it, but it does not work.

I know I'm a LDAP newbee, but for the past two weeks I've been really trying to understand the ldapsearch / filter stuff ,but I must be trying too hard

Sorry about that command I gave you - it should work if you replace the () around the filter with "".

When you don't specify member at the end of that query it will return all of the attributes present for the entry - meaning you probably got quite a few that you didn't want as well.

If you take your command that works and append a space then the word member you should get only the member attribute in combination with the dn ....

If you wanted to specify additional attributes to return you would type another space and the next attribute.

Using your example this would look like:

ldapsearch -h 10.0.2.223 -x -D guzmar@global.shsystem.org -w mypassword -b "ou=security groups,dc=global,dc=shsystem,dc=org" -v "cn=ta.timekeeper" member cn

Which would return all the member attributes as well as the cn attribute ....

Hope this helps ...

That works great! Thanks

But I'm having a problem puting that in PHP. From what I can tell the following code DOES work, it finds the ta.timekeeper group, but I don't know how to pull the info from it.



If I make the filter "(cn=ta*)" I'll get as an output 3 results, and that how many groups we have that start with "ta". So I know that it finds the group in question, just how do I list the members as in the command line ldapsearch?

ldapsearch -h 10.0.2.223 -x -D guzmar@global.shsystem.org -w mypassword -b "ou=security groups,dc=global,dc=shsystem,dc=org" -v "cn=ta*" member

Yea, that works.

But I'm have a big problem not being able to put that into PHP.
I always seem to get one listing. It's like at the first sign of "ta.timekeeper" it stops looking.

Sorry - I didn't fully read your other post ...

I don't know anything about PHP - but you should expect that member values will all be returned at once - so the values should be arrayed ... I think you are doing that - but I can't tell for sure. You may want to try the phrase "php multi-valued attributes" in a Google search

Maybe this helps?

http://www.ldapzone.com/perl_python_php.html

Maybe it doesn't ...