LDAP Programming
 
#1  January 21st, 2004, 12:26 PM
marguz (Junior Member)
Question: Active Directory

I've been playing around with PHP and ldap queries for a while. I have been able to search for users in our Active Directory just fine.

What I can't seem to figure out is how to list all members of a particular group. Does any one know how to do this?

LDAP://CN=ta.timekeeper, OU=Security Groups, DC=BLA, DC=DOH, DC=org

I can do a search for ta.timekeeper, but I have no idea how to list the members in that group.

Mark

#2  January 21st, 2004, 12:34 PM
Viper_SB (Psycho Canadian)
What do you mean by list members? Can you post your structure of how you have it laid out and I can get a better idea of what to work with.

#3  January 21st, 2004, 12:52 PM
marguz (Junior Member)
Well, this is in Active Directory so I really don't know the structure of it. I do know that it's an Organizational Unit called 'Security Groups' and that is where we keep all our Active Directory groups. In there, there is a 'ta.timekeeper' group that has many users assigned to it. I would like to list those users that are in the ta.timekeeper group.

The Security Groups OU is right off the root. So, since LDAP reads from right to left, it would be....

ta.timekeeper, security groups, domain, org

Is that what you asked for?

PS.
I'm still very new to accessing AD from outside of Windows. I can do this in KiXtart script; I just want to learn how to do it on my Linux box so that I may make a web page for the timekeeper managers.

Mark

#4  January 21st, 2004, 01:02 PM
Viper_SB (Psycho Canadian)
I don't use AD so some of this may be wrong, but I believe you'd just search for the group like:

(CN=CN=ta.timekeeper, OU=Security Groups, DC=BLA, DC=DOH, DC=org)

or something like that. How are the users assigned? Is there a field in their entry with the DN of the group they are assigned to? If so, the above should work; if not, I need more info.

#5  January 21st, 2004, 01:28 PM
ldap4u (Chris Larivee)
You need to specify the attribute that you want returned - in this case member ...

For instance - if you did a command line ldapsearch it would look something like this:

ldapsearch -b "dc=corp,dc=comp,dc=com" -h server -p port -D "user" -w password -v (cn=ta.timekeeper*) member

which would return all the members of any group that started with a cn of ta.timekeeper ...

#6  January 21st, 2004, 04:24 PM
marguz (Junior Member)
OK,
here is what I have so far. I'm able to get one user but that's it.

I get one user listed, but I should have over 100

PHP Code:
<?php
// basic sequence with LDAP is connect, bind, search, interpret search
// result, close connection
// using ldap bind
$ldaprdn  = 'global\my-user-id';    // ldap rdn or dn
$ldappass = 'password';             // associated password

// connect to ldap server
$ldapconn = ldap_connect("10.0.2.223")
    or die("Could not connect to LDAP server.");

echo "<h3>LDAP query test 1</h3>";
echo "Connecting ...";
echo "connect result is " . $ldapconn . "<p>";

if ($ldapconn) {
    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
        echo "Binding ...";
        echo "Bind result is " . $ldapbind . "<p>";
    }

    // search base is the group entry itself, so only that one entry comes back
    $dn = "cn=ta.timekeeper, ou=security groups, dc=Global, dc=Shsystem, dc=org";
    $attributes = array("member", "l");
    $filter = "(cn=*)";
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $result = ldap_search($ldapconn, $dn, $filter, $attributes);
    $entries = ldap_get_entries($ldapconn, $result);
    for ($i = 0; $i < $entries["count"]; $i++) {
        // only the first value of the multi-valued member attribute is printed
        echo $entries[$i]["member"][0] . "(" . $entries[$i]["l"][0] . ")<br />";
    }
}
?>

#7  January 21st, 2004, 05:08 PM
Viper_SB (Psycho Canadian)
Yes, with that code you will only get one entry; you are searching the single entry "cn=ta.timekeeper, ou=security groups, dc=Global, dc=Shsystem, dc=org"

try changing $dn to:
PHP Code:
$dn = "ou=security groups, dc=Global, dc=Shsystem, dc=org";

and $filter to:
PHP Code:
$filter = "(member=cn=ta.timekeeper, ou=security groups, dc=Global, dc=Shsystem, dc=org*)";

might need to be adjusted

#8  January 21st, 2004, 08:07 PM
marguz (Junior Member)
Thanks,
I'll give it a shot tomorrow at work.

#9  January 21st, 2004, 08:17 PM
Viper_SB (Psycho Canadian)
Well, if it doesn't work I won't be around till Monday, so you can either wait or maybe someone else can help you.

#10  January 22nd, 2004, 01:38 PM
marguz (Junior Member)
LDAP4U,
I tried what you wrote the other day and was unable to get that command to work. It would complain about a ')' in the command. So I wrote this...

ldapsearch -h 10.0.2.223 -x -D guzmar@global.shsystem.org -w mypassword -b "ou=security groups,dc=global,dc=shsystem,dc=org" -v "cn=ta.timekeeper"

Which gave me the list I wanted.

Here is a snip from the output ...
member: CN=Guzzo\, Mark,OU=Users,OU=Network Ops,OU=IT,DC=global,DC=shsystem,DC
=org

I see the attribute "member" listed, but from the command above how did it know to list the member attribute? I've tried it the way you posted it, but it does not work.

I know I'm an LDAP newbie, but for the past two weeks I've been really trying to understand the ldapsearch / filter stuff, but I must be trying too hard.

#11  January 22nd, 2004, 02:02 PM
ldap4u (Chris Larivee)
Sorry about that command I gave you - it should work if you replace the () around the filter with "".

When you don't specify member at the end of that query it will return all of the attributes present for the entry - meaning you probably got quite a few that you didn't want as well.

If you take your command that works and append a space then the word member you should get only the member attribute in combination with the dn ....

If you wanted to specify additional attributes to return you would type another space and the next attribute.

Using your example this would look like:

ldapsearch -h 10.0.2.223 -x -D guzmar@global.shsystem.org -w mypassword -b "ou=security groups,dc=global,dc=shsystem,dc=org" -v "cn=ta.timekeeper" member cn

Which would return all the member attributes as well as the cn attribute ....

Hope this helps ...

#12  January 23rd, 2004, 08:25 AM
marguz (Junior Member)
That works great! Thanks

But I'm having a problem putting that in PHP. From what I can tell the following code DOES work, it finds the ta.timekeeper group, but I don't know how to pull the info from it.

PHP Code:
if ($ldapconn) {
    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
        echo "Binding ...";
        echo "Bind result is " . $ldapbind . "<p>";
    }

    $dn = "ou=Security Groups, dc=Global, dc=Shsystem, dc=org";
    $attrib = array("member");
    $filter = "(cn=ta.timekeeper)";
    ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
    $result = ldap_search($ldapconn, $dn, $filter, $attrib);
    $entries = ldap_get_entries($ldapconn, $result);
    echo "Number of entries returned is " . ldap_count_entries($ldapconn, $result) . "<p>";
    echo "Found... <p>";
    echo "result is: " . $result . "<p>";
    for ($i = 0; $i < $entries["count"]; $i++) {
        // displayname and l were not requested, so these are empty for the group entry
        echo $entries[$i]["displayname"][0] . "(" . $entries[$i]["l"][0] . ")<br />";
    }
    ldap_close($ldapconn);
}


If I make the filter "(cn=ta*)" I'll get 3 results as output, and that's how many groups we have that start with "ta". So I know that it finds the group in question; just how do I list the members as in the command line ldapsearch?

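The answer to the question above, as an added example that is not the thread's own code: ldap_get_entries() returns the multi-valued member attribute as an array with its own "count" key, so the members are read by looping over $entries[0]["member"], not over $entries. The members_from_entries and list_group_members helpers, the ldaps://dc.example.org host, the service account and the sample array are assumptions; the member attribute it requests is the same one the ldapsearch commands in posts #5 and #11 ask for.

```php
<?php
// Added example (not from the thread): list the members of one AD group.
// Host, base DN and bind account are placeholders; the sample array below
// is constructed in the shape ldap_get_entries() returns.

// Flatten one ldap_get_entries() result into a list of member DNs. The
// multi-valued attribute carries its own "count" key, which is why a loop
// over $entries alone only ever shows member[0].
function members_from_entries(array $entries): array
{
    $members = [];
    for ($i = 0; $i < $entries["count"]; $i++) {
        $attr = $entries[$i]["member"] ?? ["count" => 0];
        for ($j = 0; $j < $attr["count"]; $j++) {
            $members[] = $attr[$j];
        }
    }
    return $members;
}

// Search the Security Groups OU for one group by cn and return its members.
// ldap_escape() (PHP 5.6+) keeps a request-supplied group name from
// altering the filter (LDAP injection) when this runs behind a web page.
function list_group_members($conn, string $baseDn, string $groupCn): array
{
    $cn = ldap_escape($groupCn, "", LDAP_ESCAPE_FILTER);
    $result = ldap_search($conn, $baseDn, "(&(objectClass=group)(cn=$cn))", ["member"]);
    if ($result === false) {
        throw new RuntimeException("search failed: " . ldap_error($conn));
    }
    return members_from_entries(ldap_get_entries($conn, $result));
}

// Constructed sample so the extraction step can be checked offline.
$sample = ["count" => 1, 0 => [
    "count" => 1, 0 => "member",
    "dn" => "CN=ta.timekeeper,OU=Security Groups,DC=global,DC=shsystem,DC=org",
    "member" => ["count" => 2,
        0 => "CN=Guzzo\\, Mark,OU=Users,OU=Network Ops,OU=IT,DC=global,DC=shsystem,DC=org",
        1 => "CN=Sample User,OU=Users,DC=global,DC=shsystem,DC=org"],
]];
print_r(members_from_entries($sample));

// Live use (placeholders): set protocol version 3 before binding, and use
// ldaps:// so the bind password does not cross the network in clear text.
// $conn = ldap_connect("ldaps://dc.example.org");
// ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
// ldap_bind($conn, "svc-ldap@global.shsystem.org", getenv("LDAP_PASS"));
// print_r(list_group_members($conn, "ou=Security Groups,dc=Global,dc=Shsystem,dc=org", "ta.timekeeper"));
```

Groups with more than 1500 members come back from AD with a ranged attribute name (member;range=0-1499) rather than a full member list, so very large groups need paging over those ranges as well.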
#13  January 23rd, 2004, 08:29 AM
ldap4u (Chris Larivee)