active directory - ldap - theory (recursive lookup)

Posted: Mon Mar 27, 2006 9:35 pm
by dickey
Hello,

I have been using PHP's ldap functions to authenticate users against active directory via ldap. (works fine)

I have been populating selects and lists with active directory data based on ldap search filters. (works fine).

However queries only execute at the ou level against which I authenticate.

For example:

if I authenticate against basedn (ou=partners, ou=users, ou=clients, dc=au, dc=eg_company, dc=net).

then try and query the directory for a basedn against which I did not originally authenticate, say: (ou=adm, ou=clients, dc=au, dc=eg_company, dc=net ), I am unable to return the ldap data.

In theory I believe that once authenticated, I would be able to browse the whole directory, and not just the ou level against which I authenticated.

Therefore: 2 questions arise:

1. is it true of PHP's ldap functions that you may only search/filter and retrieve data for the ou against which we authenticated, or is this restriction set in active directory?

2. if it isn't true, how do you recursively search at an ou and return data for other than the ou level against which you have authenticated?


Many thanks, Andrew

Posted: Tue Mar 28, 2006 10:37 am
by pickle
The first thing I'd look at is your permissions. Does the user you're binding as have the rights to view that context?

If you do have the rights, your search should be formatted something like this:

```php
// $ldap_connection is the handle returned by ldap_connect() after a successful ldap_bind()
$results = ldap_search($ldap_connection, 'ou=adm, ou=clients, dc=au, dc=eg_company, dc=net', 'cn=*');
```

The last argument can be any filter you want; that was just a placeholder.

Remember that ldap_list() is a single-level search while ldap_search() is a recursive, multi-level search.
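The following is an added example, not code from either poster, that puts the two points of this thread together: bind with an account that has read rights, then search with subtree scope from a base DN above the OU you want, so that child OUs such as ou=adm and ou=partners are both reached. The host name, the service-account DN, the environment variable for its password and the helper names are assumptions; only the OU/DC names come from the question.

```php
<?php
// Added example (not from the original thread). Assumes a reachable AD
// domain controller, a low-privilege read-only bind account, and the OUs
// from the question under ou=clients,dc=au,dc=eg_company,dc=net.
// Host, bind DN and password source are placeholders.

$host       = 'ldaps://dc01.au.eg_company.net';                          // placeholder DC, LDAPS
$bindDn     = 'cn=svc-ldap-reader,ou=service,dc=au,dc=eg_company,dc=net'; // placeholder
$bindPw     = getenv('LDAP_BIND_PW') ?: '';                               // never hard-code it
$searchBase = 'ou=clients,dc=au,dc=eg_company,dc=net';                    // base above both OUs

function adConnect(string $host, string $bindDn, string $bindPw)
{
    $conn = ldap_connect($host);
    if ($conn === false) {
        throw new RuntimeException('ldap_connect failed');
    }
    // AD requires LDAPv3; not chasing referrals avoids anonymous
    // follow-up connections to other naming contexts.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // The bound identity, not PHP, decides what can be read: AD applies
    // its ACLs to every search based on who is bound.
    if (!ldap_bind($conn, $bindDn, $bindPw)) {
        throw new RuntimeException('bind failed: ' . ldap_error($conn));
    }
    return $conn;
}

function findUsersByName($conn, string $base, string $nameFragment, bool $subtree = true): array
{
    // Escape user-supplied input before it reaches the filter, otherwise a
    // value such as "*)(objectClass=*" rewrites the query (filter injection).
    $safe   = ldap_escape($nameFragment, '', LDAP_ESCAPE_FILTER);
    $filter = "(&(objectClass=user)(sAMAccountName={$safe}*))";
    $attrs  = ['sAMAccountName', 'distinguishedName', 'mail'];

    // ldap_search() = subtree scope (recurses into child OUs);
    // ldap_list()   = one-level scope (immediate children of $base only).
    $result = $subtree
        ? ldap_search($conn, $base, $filter, $attrs)
        : ldap_list($conn, $base, $filter, $attrs);
    if ($result === false) {
        // "No such object" here means a wrong base DN, not a permission problem.
        throw new RuntimeException('search failed: ' . ldap_error($conn));
    }

    $entries = ldap_get_entries($conn, $result); // attribute keys come back lowercased
    $out = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $out[] = [
            'dn'  => $entries[$i]['dn'],
            'sam' => $entries[$i]['samaccountname'][0] ?? null,
            'mail' => $entries[$i]['mail'][0] ?? null,
        ];
    }
    return $out;
}

$conn = adConnect($host, $bindDn, $bindPw);

// Subtree search from ou=clients reaches ou=adm and ou=partners alike,
// provided the bound account has read rights on those containers.
foreach (findUsersByName($conn, $searchBase, 'and') as $u) {
    echo $u['sam'], "\t", $u['dn'], PHP_EOL;
}

// The same query with one-level scope returns only objects directly
// under ou=clients, which is the narrow result the question describes.
$oneLevel = findUsersByName($conn, $searchBase, 'and', false);
echo count($oneLevel), " direct children matched", PHP_EOL;

ldap_unbind($conn);
```

Two practical notes. First, AD does not normally return an "insufficient access" error when the bound account lacks rights on an OU; it silently omits the objects it may not read, so an empty result with no ldap_error() message is the usual sign of a permissions problem, while "No such object" points at a mistyped base DN. Second, binding as a dedicated read-only service account rather than re-using the end user's credentials for directory lookups keeps the rights needed for population of selects separate from the rights of whoever is logging in.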