Reading members of Security Group w/in LDAP - HELP


labmixz
Forum Newbie
Posts: 18
Joined: Tue Apr 25, 2006 12:14 pm
Location: tampa ~ fl


Post by labmixz »

I've done some searching on the web a while back about this...

Just can't seem to find anything that will help my situation... Basically, I have a simple LDAP query, but instead of reading the OU I want it to read the members of a security group. I have also had a hard time finding a complete list of LDAP attributes, of which I highly doubt that I have the right attribute in the ldap search string

$sr=ldap_search($ds,"ou=sAdministrative,ou=Administrative,ou=Employees,dc=domain,dc=com",$filter);

The above in bold is my security group I want to read, of course that doesn't work, because a security group isn't an OU, but I just can't seem to find out the attribute for a security group.

Any help on trying to read the members of a ldap security group would be greatly appreciated.

Thanks,
Henry

Post by labmixz »

I found that I won't get any error messages with:

$sr=ldap_search($ds,"cn=sAdministrative,ou=Administrative,ou=Employees,dc=domain,dc=com",$filter);

But still not understanding how to read the contents of the group as it's not pulling anything to


$sr=ldap_search($ds,"cn=sAdministrative,ou=Administrative,ou=Employees,dc=domain,dc=com",$filter);
$info = ldap_get_entries($ds, $sr);
pickle
Briney Mod
Posts: 6445
Joined: Mon Jan 19, 2004 6:11 pm
Location: 53.01N x 112.48W

Post by pickle »

In NDS (Novell Directory Services), one can simply ask for the groups in a particular context. In the results, there is a 'member' attribute that contains all the members. Have you tried something similar?
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.

Post by labmixz »

pickle wrote:In NDS (Novell Directory Services), one can simply ask for the groups in a particular context. In the results, there is a 'member' attribute that contains all the members. Have you tried something similar?
I have been trying to play around with different attribute names, also trying 'member', 'members', still can't get anything to work, however, in the filter I put:


$filter = "(&(objectClass=group))";
Which will display "sAdministrative" rather than nothing, but still can't get it to list the members of the group.

Post by pickle »

Once you get your results, call:


echo '<pre>';
print_r($your_LDAP_Results_here);
echo '</pre>';
To see absolutely all data returned.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.

Post by labmixz »

pickle wrote:Once you get your results, call:


echo '<pre>';
print_r($your_LDAP_Results_here);
echo '</pre>';
To see absolutely all data returned.
Still just returning the group name, no members :(

Post by pickle »

What are you talking to via LDAP? Active Directory?
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.

Post by labmixz »

pickle wrote:What are you talking to via LDAP? Active Directory?
Yes, sorry for not giving that information sooner. Trying to talk to AD on Win2003 Server.

Post by pickle »

I can't believe it took me this long to figure it out. You don't search for a group and get all its members; you search for all people that are members of that group.

So, your filter would be: (&(ObjectClass=user)(groupMembership=sAdministrative))
Again, the syntax might be different, but basically you're restricting your results to only users that are members of sAdministrative
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.

Post by labmixz »

pickle wrote:I can't believe it took me this long to figure it out. You don't search for a group and get all its members; you search for all people that are members of that group.

So, your filter would be: (&(ObjectClass=user)(groupMembership=sAdministrative))
Again, the syntax might be different, but basically you're restricting your results to only users that are members of sAdministrative
I've been trying to mess around with that as a filter, still no results, no errors, but no results either...

Also found an attribute "memberOf", which gives me the same thing, no results, but no errors... in my filter rather than limiting it to the object class, I'm just trying to list everything in that group, so was just trying to filter out anything but that group. Using what you suggested earlier to return all the results.

Right now it just looks like:


<?php
$ds = ldap_connect("ldap://domain.com");
$info = array('count' => 0);   // so the dump below works even if the connect fails
if ($ds)
{
	// Active Directory only accepts LDAPv3 binds; PHP defaults to v2
	ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
	$r = ldap_bind($ds, "user", "pass");
	$filter = "(&(memberOf=sAdministrative))";

	$sr = ldap_search($ds, "ou=Employees,dc=domain,dc=com", $filter);
	$info = ldap_get_entries($ds, $sr);
}
// cn of the first entry, if the search returned any
$temp = ($info['count'] > 0) ? $info[0]["cn"][0] : null;

echo '<pre>';
print_r($temp);
echo '</pre>';
?>

Post by pickle »

Have you tried dumping $info rather than $temp? $temp would just contain a string - the common name (cn) of the first group.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.

Post by labmixz »

pickle wrote:Have you tried dumping $info rather than $temp? $temp would just contain a string - the common name (cn) of the first group.
Yes, dumping $info

returns:

Array
(
[count] => 0
)

For both groupMembership and memberOf


I feel like this is getting a little closer to the solution, but I still think something is wrong with the attribute I'm using... I've been trying to google it, but still coming up short.

Post by pickle »

Ok, desperation time ;)

Change your filter to (cn=*) which will give you absolutely everything in that context. You should then be able to look at a user that's supposed to be in that group and see if there's anything you can use.

Stupid question but...do you know if there is actually at least 1 user in that group?
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.

Post by labmixz »

pickle wrote:Ok, desperation time ;)

Change your filter to (cn=*) which will give you absolutely everything in that context. You should then be able to look at a user that's supposed to be in that group and see if there's anything you can use.

Stupid question but...do you know if there is actually at least 1 user in that group?
No question is stupid.... But yes there are about 19 users in the group...


with the filter set to (cn=*)

I found some users with information showing they were a member of that group...

Example:


[memberof] => Array
                (
                    [count] => 1
                    [1] => CN=sAdministrative,OU=Administrative,OU=Employees,DC=domain,DC=com
                )

So, I'm assuming using the memberOf attribute somehow in conjunction with CN=sAdministrative should yield the results I'm looking for, going to play around with it some, let me know if you can think of anything for this...

Thanks for your help thus far, it's much appreciated...
~Henry

Post by pickle »

It may be case sensitive. You said you were checking memberOf, and in the example it's memberof. May be significant.
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.
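The dump labmixz found above shows what AD actually stores: memberOf holds the group's full distinguished name, so a filter on the bare name "sAdministrative" can never match. The following is an added example, not code from the thread, that shows both ways of listing a security group's members with PHP's ldap extension: reading the group object's own multi-valued member attribute, and searching for users whose memberOf contains the group DN. It also escapes the DN before interpolating it into the filter, since an unescaped value containing "(", ")", "*" or "\" can change the filter's meaning (LDAP filter injection). The server URI, bind credentials, base DN and the function names are assumptions; the constructed result array stands in for a live directory so the attribute-walking code can be exercised offline.

```php
<?php
// Added example, not code from the thread. Two ways to list the members of an
// Active Directory security group with PHP's ldap extension:
//   1. read the group object (base scope) and take its multi-valued "member" attribute;
//   2. search the user subtree for accounts whose "memberOf" holds the group's FULL DN.
//      memberOf is DN-valued, so a bare name such as "sAdministrative" never matches.
// Server URI, bind credentials, base DN and function names are assumptions/placeholders.
declare(strict_types=1);

/** Build the memberOf filter. ldap_escape() neutralises '(' ')' '*' '\' and NUL so a
 *  group name containing them cannot change the filter's meaning (LDAP filter injection). */
function memberOfFilter(string $groupDn): string
{
    $escaped = ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER);
    return "(&(objectClass=user)(memberOf={$escaped}))";
}

/** Flatten the ldap_get_entries() shape into a plain list of one attribute's values
 *  across all entries. ldap_get_entries() lowercases attribute names. */
function attributeValues(array $entries, string $attr): array
{
    $attr = strtolower($attr);
    $values = [];
    for ($i = 0; $i < ($entries['count'] ?? 0); $i++) {
        if (!isset($entries[$i][$attr])) {
            continue;                       // this entry has no such attribute
        }
        for ($j = 0; $j < $entries[$i][$attr]['count']; $j++) {
            $values[] = $entries[$i][$attr][$j];
        }
    }
    return $values;
}

/** Connect and bind using LDAPv3 (AD rejects v2 binds) with referral chasing off. */
function adConnect(string $uri, string $bindDn, string $password)
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        return null;
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    return ldap_bind($ds, $bindDn, $password) ? $ds : null;
}

/** Way 1: the group's own "member" attribute, read with base scope on the group DN. */
function membersViaMemberAttribute($ds, string $groupDn): array
{
    $sr = ldap_read($ds, $groupDn, '(objectClass=group)', ['member']);
    return $sr === false ? [] : attributeValues(ldap_get_entries($ds, $sr), 'member');
}

/** Way 2: users whose memberOf contains the group DN, searched from the user base DN. */
function membersViaMemberOf($ds, string $baseDn, string $groupDn): array
{
    $sr = ldap_search($ds, $baseDn, memberOfFilter($groupDn), ['sAMAccountName']);
    return $sr === false ? [] : attributeValues(ldap_get_entries($ds, $sr), 'sAMAccountName');
}

// --- Offline demonstration on a constructed ldap_get_entries()-shaped result ---
$groupDn = 'CN=sAdministrative,OU=Administrative,OU=Employees,DC=domain,DC=com';
echo memberOfFilter($groupDn), PHP_EOL;
// An unusual (or hostile) group name is escaped rather than interpreted as filter syntax:
echo memberOfFilter('CN=Admins (legacy)*,OU=Employees,DC=domain,DC=com'), PHP_EOL;

$constructedGroupEntry = [                  // constructed: what way 1 returns for a 2-member group
    'count' => 1,
    0 => [
        'count'  => 1,
        'dn'     => $groupDn,
        'member' => [
            'count' => 2,
            0 => 'CN=Alice Example,OU=Employees,DC=domain,DC=com',
            1 => 'CN=Bob Example,OU=Employees,DC=domain,DC=com',
        ],
    ],
];
print_r(attributeValues($constructedGroupEntry, 'member'));

// --- Against a real directory (assumed environment variable names) ---
if (getenv('AD_URI') !== false) {
    $ds = adConnect((string) getenv('AD_URI'), (string) getenv('AD_BIND_DN'), (string) getenv('AD_BIND_PW'));
    if ($ds === null) {
        fwrite(STDERR, "connect/bind failed" . PHP_EOL);
        exit(1);
    }
    print_r(membersViaMemberAttribute($ds, $groupDn));
    print_r(membersViaMemberOf($ds, 'OU=Employees,DC=domain,DC=com', $groupDn));
    ldap_unbind($ds);
}
```

Matching on memberOf is a DN comparison and is case-insensitive, so the difference between "memberOf" and "memberof" in the dump is only ldap_get_entries() lowercasing the key; what matters is supplying the full DN. Two AD caveats worth knowing when auditing group membership this way: neither member nor memberOf reflects a user's primary group (set by primaryGroupID) or membership inherited through nested groups (the latter needs the LDAP_MATCHING_RULE_IN_CHAIN rule, written as memberOf:1.2.840.113556.1.4.1941:=), and for groups with more than 1500 members AD returns the attribute in ranges (member;range=0-1499) that must be fetched page by page.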