active directory - ldap - theory (recursive lookup)
Posted: Mon Mar 27, 2006 9:35 pm
Hello,
I have been using PHP's ldap functions to authenticate users against active directory via ldap. (works fine)
I have been populating selects and lists with active directory data based on ldap search filters. (works fine).
However queries only execute at the ou level against which I authenticate.
For example:
if I authenticate against basedn (ou=partners, ou=users, ou=clients, dc=au, dc=eg_company, dc=net).
then try and query the directory for a basedn for which I did not originally authenticate, say: (ou=adm, ou=clients, dc=au, dc=eg_company, dc=net) I am unable to return the ldap data.
In theory I believe that once authenticated, I would be able to browse the whole directory, and not just the ou level against which I authenticated.
Therefore: 2 questions arise:
1. is it true of PHP's ldap functions that you may only search/filter and retrieve data for the ou against which we authenticated, or is this restriction set in active directory?
2. if it isn't true, how do you recursively search at ou and return data for other than the ou level against which you have authenticated?
Many thanks, Andrew
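An added example (not the poster's code) that separates the two things the post runs together: the DN you bind with and the base DN you search from. In PHP's ldap extension these are independent arguments; `ldap_search()` is a subtree-scope search, so one call from a common parent OU covers `ou=partners` and `ou=adm` together, and anything that is still missing from the result is Active Directory's ACL decision for the bound account, not a PHP restriction. The server name, the service account DN and the password environment variable are assumed placeholders; the OU and domain components are the ones from the post.

```php
<?php
// Added example, not from the original post. Bind once as a service account,
// then run a subtree search from a base DN *above* the OU of the bound account.
// Assumptions (placeholders): server "ldaps://dc1.au.eg_company.net", the
// service account DN, and the LDAP_SVC_PASSWORD environment variable.

function adSubtreeSearch(string $uri, string $bindDn, string $bindPw,
                         string $baseDn, string $filter, array $attrs): array
{
    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException("could not parse LDAP URI $uri");
    }
    // AD needs protocol v3; turn off referral chasing so a search from a
    // broad base does not stall on referrals to other naming contexts.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Simple bind sends the password in clear text: use ldaps:// (or StartTLS).
    if (!@ldap_bind($conn, $bindDn, $bindPw)) {
        throw new RuntimeException('bind failed: ' . ldap_error($conn));
    }

    // ldap_search() = SUBTREE scope (base DN and every container beneath it).
    // ldap_list() would be one level only, ldap_read() the base entry only.
    $res = @ldap_search($conn, $baseDn, $filter, $attrs);
    if ($res === false) {
        $err = ldap_error($conn);   // e.g. "No such object" if the OU is invisible
        ldap_unbind($conn);
        throw new RuntimeException("search failed: $err");
    }
    $entries = ldap_get_entries($conn, $res);
    ldap_unbind($conn);

    // ldap_get_entries() lowercases attribute names and adds 'count' keys;
    // flatten that into [dn => [attr => [values]]].
    $out = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $e = $entries[$i];
        $row = [];
        foreach ($attrs as $a) {
            $key = strtolower($a);
            if (!isset($e[$key])) {
                continue;
            }
            $vals = [];
            for ($j = 0; $j < $e[$key]['count']; $j++) {
                $vals[] = $e[$key][$j];
            }
            $row[$a] = $vals;
        }
        $out[$e['dn']] = $row;
    }
    return $out;
}

// Constructed sample input. User-supplied text goes through ldap_escape()
// (PHP >= 5.6) before it is interpolated into the filter.
$account = 'jsmith';
$filter  = '(&(objectClass=user)(sAMAccountName='
         . ldap_escape($account, '', LDAP_ESCAPE_FILTER) . '))';

$users = adSubtreeSearch(
    'ldaps://dc1.au.eg_company.net',                                     // assumed
    'cn=svc-ldap-reader,ou=service accounts,dc=au,dc=eg_company,dc=net', // assumed
    getenv('LDAP_SVC_PASSWORD') ?: '',                                   // assumed
    'ou=clients,dc=au,dc=eg_company,dc=net',   // common parent of ou=partners and ou=adm
    $filter,
    ['sAMAccountName', 'mail', 'distinguishedName']
);

foreach ($users as $dn => $row) {
    echo $dn, ' => ', implode(', ', $row['mail'] ?? []), PHP_EOL;
}
```

If the search from `ou=clients` returns the partner accounts but not the `ou=adm` ones, `ldap_error()` after the call tells you whether the server refused the base outright ("No such object" is what AD returns for a container the bound account may not even list) or simply filtered the entries out; either way the fix is on the AD side, by granting the service account read access on that OU, not in PHP. Two other things to check before blaming the code: AD caps a single search at 1000 entries by default (the `MaxPageSize` policy), so large OUs need the paged-results control, and a search rooted at the domain head (`dc=au,dc=eg_company,dc=net`) is where disabling referral chasing matters most.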