    #1
  1. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2004
    Location
    Illinois
    Posts
    9
    Rep Power
    0

    Question Active Directory


    I've been playing around with PHP and ldap queries for a while. I have been able to search for users in our Active Directory just fine.

    What I can't seem to figure out is how to list all members of a particular group. Does anyone know how to do this?

    LDAP://CN=ta.timekeeper, OU=Security Groups, DC=BLA, DC=DOH, DC=org

    I can do a search for ta.timekeeper, but I have no idea how to list the members in that group.

    Mark
  2. #2
  3. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
    What do you mean by list members? Can you post your structure of how you have it laid out and I can get a better idea of what to work with.
  4. #3
  5. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2004
    Location
    Illinois
    Posts
    9
    Rep Power
    0
    Well this is in Active Directory so I really don't know the structure of it. I do know that it's an Organizational Unit called 'Security Groups' and that is where we keep all our Active Directory groups. In there, there is a 'ta.timekeeper' group that has many users assigned to it. I would like to list those users that are in the ta.timekeeper group.

    The Security Groups is right off the root. So LDAP reads from right to left, it would be....

    ta.timekeeper, security groups, domain, org

    Is that what you ask for?

    PS.
    I'm still very new to accessing AD from outside of Windows. I can do this in kixtart script, I just want to learn how to do it on my Linux box so that I may make a web page for the timekeeper managers.

    Mark
  6. #4
  7. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
    I don't use AD so some of this may be wrong, but I believe you'd just search for the group like:

    (CN=CN=ta.timekeeper, OU=Security Groups, DC=BLA, DC=DOH, DC=org)

    or something like that. How are the users assigned? Is there a field in their entry with the dn of the group they are assigned to? If so the above should work, if not I need more info.
  8. #5
  9. Chris Larivee
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2003
    Location
    Littleton, CO
    Posts
    72
    Rep Power
    11
    You need to specify the attribute that you want returned - in this case member ...

    For instance - if you did a command line ldapsearch it would look something like this:

    ldapsearch -b "dc=corp,dc=comp,dc=com" -h server -p port -D "user" -w password -v (cn=ta.timekeeper*) member

    which would return all the members of any group that started with a cn of ta.timekeeper ...
  10. #6
  11. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2004
    Location
    Illinois
    Posts
    9
    Rep Power
    0
    OK,
    here is what I have so far. I'm able to get one user but that's it.




    I get one user listed, but I should have over 100

    PHP Code:
    <?php
    // basic sequence with LDAP is connect, bind, search, interpret search
    // result, close connection
    // using ldap bind
    $ldaprdn  = 'global\my-user-id';    // ldap rdn or dn
    $ldappass = 'password';  // associated password
    // connect to ldap server
    $ldapconn = ldap_connect("10.0.2.223")
       or die("Could not connect to LDAP server.");

    echo "<h3>LDAP query test 1</h3>";
    echo "Connecting ...";
    echo "connect result is ".$ldapconn."<p>";

    if ($ldapconn) {
        // binding to ldap server
        $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

        // verify binding
        if ($ldapbind) {
            echo "LDAP bind successful...";
            echo "Binding ...";
            echo "Bind result is ".$ldapbind."<p>";
        }
        $dn = "cn=ta.timekeeper, ou=security groups, dc=Global, dc=Shsystem, dc=org";
        $attributes = array("member", "l");
        $filter = "(cn=*)";
        ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
        $result = ldap_search($ldapconn, $dn, $filter, $attributes);
        $entries = ldap_get_entries($ldapconn, $result);
        for ($i=0; $i<$entries["count"]; $i++) {
            echo $entries[$i]["member"][0]."(".$entries[$i]["l"][0].")<br />";
        }
    }
    ?>
  12. #7
  13. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
    Yes with that code you will only get one entry, you are searching the single entry "cn=ta.timekeeper, ou=security groups, dc=Global, dc=Shsystem, dc=org"

    Try changing $dn to:
    PHP Code:
    $dn = "ou=security groups, dc=Global, dc=Shsystem, dc=org";
    and $filter to:
    PHP Code:
    $filter = "(member=cn=ta.timekeeper, ou=security groups, dc=Global, dc=Shsystem, dc=org*)";
    might need to be adjusted
  14. #8
  15. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2004
    Location
    Ilinois
    Posts
    9
    Rep Power
    0
    Thanks,
    I'll give it a shot tomorrow at work.
  16. #9
  17. Psycho Canadian
    Devshed Demi-God (4500 - 4999 posts)

    Join Date
    Jan 2001
    Location
    Canada
    Posts
    4,846
    Rep Power
    635
    Well, if it doesn't work I won't be around till Monday, so you can either wait or maybe someone else can help you.
  18. #10
  19. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2004
    Location
    Illinois
    Posts
    9
    Rep Power
    0
    LDAP4U,
    I tried what you wrote the other day and was unable to get that command to work. It would complain about a ')' in the command. So I wrote this...

    ldapsearch -h 10.0.2.223 -x -D guzmar@global.shsystem.org -w mypassword -b "ou=security groups,dc=global,dc=shsystem,dc=org" -v "cn=ta.timekeeper"

    Which gave me the list I wanted


    Here is a snip from the output ...
    member: CN=Guzzo\, Mark,OU=Users,OU=Network Ops,OU=IT,DC=global,DC=shsystem,DC
    =org

    I see the attribute "member" listed, but from the command above how did it know to list the member attribute? I've tried it the way you posted it, but it does not work.

    I know I'm an LDAP newbie, but for the past two weeks I've been really trying to understand the ldapsearch / filter stuff, but I must be trying too hard
  20. #11
  21. Chris Larivee
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2003
    Location
    Littleton, CO
    Posts
    72
    Rep Power
    11
    Sorry about that command I gave you - it should work if you replace the () around the filter with "".

    When you don't specify member at the end of that query it will return all of the attributes present for the entry - meaning you probably got quite a few that you didn't want as well.

    If you take your command that works and append a space then the word member you should get only the member attribute in combination with the dn ....

    If you wanted to specify additional attributes to return you would type another space and the next attribute.

    Using your example this would look like:

    ldapsearch -h 10.0.2.223 -x -D guzmar@global.shsystem.org -w mypassword -b "ou=security groups,dc=global,dc=shsystem,dc=org" -v "cn=ta.timekeeper" member cn

    Which would return all the member attributes as well as the cn attribute ....

    Hope this helps ...
  22. #12
  23. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2004
    Location
    Illinois
    Posts
    9
    Rep Power
    0
    That works great! Thanks

    But I'm having a problem putting that in PHP. From what I can tell the following code DOES work, it finds the ta.timekeeper group, but I don't know how to pull the info from it.

    PHP Code:
    if ($ldapconn) {
        // binding to ldap server
        $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

        // verify binding
        if ($ldapbind) {
            echo "LDAP bind successful...";
            echo "Binding ...";
            echo "Bind result is ".$ldapbind."<p>";
        }
        $dn = "ou=Security Groups, dc=Global, dc=Shsystem, dc=org";
        $attrib = array("member");
        $filter = "(cn=ta.timekeeper)";
        ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
        $result = ldap_search($ldapconn, $dn, $filter, $attrib);
        $entries = ldap_get_entries($ldapconn, $result);
        echo "Number of entries returned is ".ldap_count_entries($ldapconn, $result)."<p>";
        echo "Found... <p>";
        echo "result is: ".$result."<p>";
        for ($i=0; $i<$entries["count"]; $i++) {
            echo $entries[$i]["displayname"][0]."(".$entries[$i]["l"][0].")<br />";
        }
        ldap_close($ldapconn);
    }

    If I make the filter "(cn=ta*)" I'll get as an output 3 results, and that's how many groups we have that start with "ta". So I know that it finds the group in question, just how do I list the members as in the command line ldapsearch?
  24. #13
  25. Chris Larivee
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2003
    Location
    Littleton, CO
    Posts
    72
    Rep Power
    11
    ldapsearch -h 10.0.2.223 -x -D guzmar@global.shsystem.org -w mypassword -b "ou=security groups,dc=global,dc=shsystem,dc=org" -v "cn=ta*" member
  26. #14
  27. No Profile Picture
    Junior Member
    Devshed Newbie (0 - 499 posts)

    Join Date
    Jan 2004
    Location
    Illinois
    Posts
    9
    Rep Power
    0
    Yea, that works.

    But I'm having a big problem not being able to put that into PHP.
    I always seem to get one listing. It's like at the first sign of "ta.timekeeper" it stops looking.

    PHP Code:
    $dn = "ou=Security Groups, dc=Global, dc=Shsystem, dc=org";
    $attrib = array("member", "0");
    $filter = "(cn=ta.timekeeper)";
    $result = ldap_search($ldapconn, $dn, $filter, $attrib);
    $entries = ldap_get_entries($ldapconn, $result);
    echo "Number of entries returned is ".ldap_count_entries($ldapconn, $result)."<p>";
    echo "Found... <p>";
    echo "result is: ".$result."<p>";
    for ($i=0; $i<$entries["count"]; $i++) {
        echo $entries[$i]["member"][0]."(".$entries[$i]["l"][0].")<br />";
    }
  28. #15
  29. Chris Larivee
    Devshed Newbie (0 - 499 posts)

    Join Date
    Sep 2003
    Location
    Littleton, CO
    Posts
    72
    Rep Power
    11
    Sorry - I didn't fully read your other post ...

    I don't know anything about PHP - but you should expect that member values will all be returned at once - so the values should be arrayed ... I think you are doing that - but I can't tell for sure. You may want to try the phrase "php multi-valued attributes" in a Google search

    Maybe this helps?

    http://www.ldapzone.com/perl_python_php.html

    Maybe it doesn't ...
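
Added example, not part of the thread and not any poster's code: how a multi-valued attribute such as member is laid out in the array returned by ldap_get_entries(), and a loop that reads every value instead of only index 0. The helper names attribute_values() and group_members() are hypothetical, and the sample array is constructed so the loop can be run without a directory server.

```php
<?php
// Added example, not code from the thread; the function names are hypothetical.
// Collect every value of one attribute from an ldap_get_entries() result.
// Each attribute is an array holding "count" plus keys 0..count-1, so
// reading only index [0] shows a single member however large the group is.
function attribute_values(array $entries, string $attr): array
{
    $attr = strtolower($attr);   // ldap_get_entries() lowercases attribute names
    $values = [];
    for ($i = 0; $i < $entries["count"]; $i++) {
        if (!isset($entries[$i][$attr])) {
            continue;            // attribute absent, e.g. a group with no members
        }
        for ($j = 0; $j < $entries[$i][$attr]["count"]; $j++) {
            $values[] = $entries[$i][$attr][$j];
        }
    }
    return $values;
}

// Query one group by cn and return its member DNs. $conn is an already
// bound connection; the group name is escaped so that input taken from a
// web form cannot change the meaning of the filter.
function group_members($conn, string $baseDn, string $groupCn): array
{
    $filter = "(cn=" . ldap_escape($groupCn, "", LDAP_ESCAPE_FILTER) . ")";
    $result = ldap_search($conn, $baseDn, $filter, ["member"]);
    if ($result === false) {
        throw new RuntimeException(ldap_error($conn));
    }
    return attribute_values(ldap_get_entries($conn, $result), "member");
}

// Constructed sample shaped like ldap_get_entries() output for one group.
// The first member DN is the one quoted in the thread; the second is made up.
$sample = [
    "count" => 1,
    0 => [
        "member" => [
            "count" => 2,
            0 => 'CN=Guzzo\, Mark,OU=Users,OU=Network Ops,OU=IT,DC=global,DC=shsystem,DC=org',
            1 => 'CN=Example\, User,OU=Users,OU=Network Ops,OU=IT,DC=global,DC=shsystem,DC=org',
        ],
        "dn" => "CN=ta.timekeeper,OU=Security Groups,DC=global,DC=shsystem,DC=org",
    ],
];
foreach (attribute_values($sample, "member") as $memberDn) {
    echo htmlspecialchars($memberDn), "<br />\n";   // encode before writing into HTML
}
```

Against a live directory, group_members() would be called with the bound connection and the Security Groups OU as the base DN. Very large Active Directory groups are returned in ranges, which this helper does not handle.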