active directory - ldap - theory (recursive lookup)

dickey
Forum Commoner
Posts: 50
Joined: Thu May 16, 2002 8:04 pm
Location: Sydney, Australia

Post by dickey »

Hello,

I have been using PHP's LDAP functions to authenticate users against Active Directory via LDAP (works fine).

I have been populating selects and lists with Active Directory data based on LDAP search filters (works fine).

However, queries only execute at the OU level against which I authenticate.

For example:

If I authenticate against the base DN (ou=partners, ou=users, ou=clients, dc=au, dc=eg_company, dc=net)

and then try to query the directory under a base DN against which I did not originally authenticate, say (ou=adm, ou=clients, dc=au, dc=eg_company, dc=net), I am unable to return the LDAP data.

In theory, I believe that once authenticated I would be able to browse the whole directory, and not just the OU level against which I authenticated.

Therefore, two questions arise:

1. Is it true of PHP's LDAP functions that you may only search/filter and retrieve data for the OU against which we authenticated, or is this restriction set in Active Directory?

2. If it isn't true, how do you recursively search an OU and return data for other than the OU level against which you have authenticated?

Many thanks, Andrew

pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

The first thing I'd look at is your permissions. Does the user you're binding as have the rights to view that context?

If you do have the rights, your search should be formatted something like this:

Code:

$results = ldap_search($ldap_connection,'ou=adm, ou=clients, dc=au, dc=eg_company, dc=net','cn=*');

The last argument can be any filter you want; that was just a placeholder.

Remember that ldap_list() is a single-level search while ldap_search() is a recursive, multi-level search.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
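Putting pickle's two points together (bind as an identity that actually has read rights on the subtree, then use ldap_search() rather than ldap_list() for a recursive query), here is an added example that is not code from either poster. It assumes PHP's ldap extension, a domain controller reachable over LDAPS, and a dedicated read-only service account that has been granted read access to the whole ou=clients subtree; the host name, service-account DN and environment variable name are placeholders, and the one-level call is included only so the difference in scope is visible.

```php
<?php
// Added example, not code from the thread. Host, DNs and the password
// variable are placeholders; the service account is assumed to have been
// granted read rights on everything under ou=clients.
declare(strict_types=1);

$ldapUri    = 'ldaps://dc01.au.eg_company.net';                             // placeholder host
$bindDn     = 'cn=svc-directory-read,ou=services,dc=au,dc=eg_company,dc=net'; // placeholder service account
$bindPw     = getenv('LDAP_SERVICE_PASSWORD') ?: '';                         // secret comes from the environment
$searchBase = 'ou=clients,dc=au,dc=eg_company,dc=net';                       // parent of ou=adm and ou=partners

$conn = ldap_connect($ldapUri);
if ($conn === false) {
    throw new RuntimeException('ldap_connect failed (malformed URI)');
}
// Active Directory needs protocol v3; turning referral chasing off stops the
// client from trying to follow referrals to other partitions during subtree searches.
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

// Bind as the service account for directory lookups. The end user's own
// credentials can still be checked with a separate bind for authentication,
// but their rights (or lack of them) should not limit what the app can list.
if (!@ldap_bind($conn, $bindDn, $bindPw)) {
    throw new RuntimeException('bind failed: ' . ldap_error($conn));
}

/**
 * Return [dn => [attr => [values]]] for entries under $base matching $filter.
 * $subtree = true  -> ldap_search(): $base and every level below it.
 * $subtree = false -> ldap_list():   only entries directly under $base.
 */
function find_entries($conn, string $base, string $filter, array $attrs, bool $subtree): array
{
    $result = $subtree
        ? ldap_search($conn, $base, $filter, $attrs, 0, 500)  // size limit caps runaway queries
        : ldap_list($conn, $base, $filter, $attrs, 0, 500);
    if ($result === false) {
        throw new RuntimeException('search failed: ' . ldap_error($conn));
    }
    $out = [];
    foreach (ldap_get_entries($conn, $result) as $i => $entry) {
        if ($i === 'count') {
            continue;                                   // top-level 'count' key is not an entry
        }
        $row = [];
        foreach ($attrs as $a) {
            $key     = strtolower($a);                  // ldap_get_entries() lower-cases attribute names
            $row[$a] = isset($entry[$key]) ? array_slice($entry[$key], 1) : []; // drop per-attribute 'count'
        }
        $out[$entry['dn']] = $row;
    }
    return $out;
}

// Any user-supplied text is escaped so it cannot change the structure of the filter.
$userInput = $_GET['name'] ?? '';
$filter    = '(&(objectClass=user)(cn=' . ldap_escape($userInput, '', LDAP_ESCAPE_FILTER) . '*))';
$attrs     = ['cn', 'mail', 'distinguishedName'];

// Recursive: returns matches from ou=adm, ou=partners and any deeper OU.
$everyone = find_entries($conn, $searchBase, $filter, $attrs, true);
// One level: only objects whose immediate parent is ou=clients.
$topOnly  = find_entries($conn, $searchBase, $filter, $attrs, false);

printf("subtree: %d entries, one level: %d entries\n", count($everyone), count($topOnly));
foreach ($everyone as $dn => $row) {
    printf("%s -> %s\n", $dn, $row['mail'][0] ?? '(no mail)');
}

ldap_unbind($conn);
```

If the subtree call still comes back empty for ou=adm while ou=partners is returned, the cause is the permissions pickle mentioned: compare ldap_error() after the search, and check which identity the bind actually used, before changing anything in the PHP.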