Reading members of Security Group w/in LDAP - HELP
I've done some searching on the web awhile back about this...
Just can't seem to find anything that will help my situation... Basically, I have a simple LDAP Query, but instead of reading the OU I want it to read the members of a security group, I have also had a hard time finding a complete list of LDAP attributes, of which I highly doubt that I have the right attribute in the ldap search string
$sr=ldap_search($ds,"ou=sAdministrative,ou=Administrative,ou=Employees,dc=domain,dc=com",$filter);
The above in bold is my security group I want to read, of course that doesn't work, because a security group isn't an OU, but I just can't seem to find out the attribute for a security group.
Any help on trying to read the members of a ldap security group would be greatly appreciated.
Thanks,
Henry
I found that I won't get any error messages with:
$sr=ldap_search($ds,"cn=sAdministrative,ou=Administrative,ou=Employees,dc=domain,dc=com",$filter);
But still not understanding how to read the contents of the group as it's not pulling anything to
Code:
$sr=ldap_search($ds,"cn=sAdministrative,ou=Administrative,ou=Employees,dc=domain,dc=com",$filter);
$info = ldap_get_entries($ds, $sr);

In NDS (Novell Directory Services), one can simply ask for the groups in a particular context. In the results, there is a 'member' attribute that contains all the members. Have you tried something similar?
Real programmers don't comment their code. If it was hard to write, it should be hard to understand.

pickle wrote: In NDS (Novell Directory Services), one can simply ask for the groups in a particular context. In the results, there is a 'member' attribute that contains all the members. Have you tried something similar?

I have been trying to play around with different attribute names, also trying 'member', 'members', still can't get anything to work, however, in the filter I put:
Code:
$filter = "(&(objectClass=group))";

Once you get your results, call:
Code:
echo '<pre>';
print_r($your_LDAP_Results_here);
echo '</pre>';
To see absolutely all data returned.

pickle wrote: Once you get your results, call:
Code:
echo '<pre>'; print_r($your_LDAP_Results_here); echo '</pre>';
To see absolutely all data returned.

Still just returning the group name, no members

I can't believe it took me this long to figure it out. You don't search for a group and get all its members, you search for all people that are a member of that group
So, your filter would be: (&(ObjectClass=user)(groupMembership=sAdministrative))
Again, the syntax might be different, but basically you're restricting your results to only users that are members of sAdministrative

pickle wrote: I can't believe it took me this long to figure it out. You don't search for a group and get all its members, you search for all people that are a member of that group
So, your filter would be: (&(ObjectClass=user)(groupMembership=sAdministrative))
Again, the syntax might be different, but basically you're restricting your results to only users that are members of sAdministrative

I've been trying to mess around with that as a filter, still no results, no errors, but no results either...
Also found an attribute "memberOf", which gives me the same thing, no results, but no errors... in my filter rather than limiting it to the object class, I'm just trying to list everything in that group, so was just trying to filter out anything but that group. Using what you suggested earlier to return all the results.
Right now it just looks like:
Code:
<?php
// Connect and bind to the directory
$ds=ldap_connect("ldap://domain.com");
if($ds)
{
    $r=ldap_bind($ds,"user","pass");
    // Filter on group membership, searched under the Employees OU
    $filter = "(&(memberOf=sAdministrative))";
    $sr=ldap_search($ds,"ou=Employees,dc=domain,dc=com",$filter);
    $info = ldap_get_entries($ds, $sr);
}
// Show the cn of the first entry returned
$temp = $info[0]["cn"][0];
echo '<pre>';
print_r($temp);
echo '</pre>';
?>

pickle wrote: Have you tried dumping $info rather than $temp. $temp would just contain a string - the common name (cn) of the first group.

Yes, dumping $info returns:
Array
(
[count] => 0
)
For both groupMembership and memberOf
I feel like this is getting a little closer to the solution, but I still think something is wrong with the attribute I'm using... I've been trying to google it, but still coming up short.
Ok, desperation time 
Change your filter to (cn=*) which will give you absolutely everything in that context. You should then be able to look at a user that's supposed to be in that group and see if there's anything you can use.
Stupid question but...do you know if there is actually at least 1 user in that group?

pickle wrote: Ok, desperation time
Change your filter to (cn=*) which will give you absolutely everything in that context. You should then be able to look at a user that's supposed to be in that group and see if there's anything you can use.
Stupid question but...do you know if there is actually at least 1 user in that group?

No question is stupid.... But yes there are about 19 users in the group...
with the filter set to (cn=*)
I found some users with information showing they were a member of that group...
Example:
Code:
[memberof] => Array
(
[count] => 1
[1] => CN=sAdministrative,OU=Administrative,OU=Employees,DC=domain,DC=com
)
So, I'm assuming using the memberOf attribute somehow in conjunction with CN=sAdministrative should yield the results I'm looking for, going to play around with it some, let me know if you can think of anything for this...
Thanks for your help thus far, it's much appreciated...
~Henry
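
Added example (not part of the thread, and not any poster's code): the dump above shows memberOf holding the group's full distinguished name, so a filter has to compare against that whole DN, escaped, rather than the bare group name. The sketch assumes Active Directory semantics and a server that supports StartTLS; the host, DNs and credentials are the thread's placeholders, and the function names are illustrative.

```php
<?php
// Added example. Assumes Active Directory semantics: memberOf/member hold full DNs.
// Host, DNs and credentials are the thread's placeholders; function names are illustrative.
const GROUP_DN  = 'CN=sAdministrative,OU=Administrative,OU=Employees,DC=domain,DC=com';
const USER_BASE = 'OU=Employees,DC=domain,DC=com';

function connectAndBind(string $uri, string $bindDn, string $password)
{
    $ds = ldap_connect($uri);
    if ($ds === false) { throw new RuntimeException('invalid LDAP URI'); }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
    // Upgrade to TLS before the simple bind so the password is not sent in clear.
    if (!ldap_start_tls($ds) || !ldap_bind($ds, $bindDn, $password)) {
        throw new RuntimeException('connect/bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Users whose memberOf equals the group's full DN (a bare name never matches).
function usersInGroup($ds, string $base, string $groupDn): array
{
    $filter = sprintf('(&(objectClass=user)(memberOf=%s))',
        ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER)); // escape filter metacharacters
    $sr = ldap_search($ds, $base, $filter, ['cn']);
    if ($sr === false) {
        throw new RuntimeException('search failed: ' . ldap_error($ds));
    }
    $entries = ldap_get_entries($ds, $sr);
    $names = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $names[] = $entries[$i]['cn'][0];
    }
    return $names;
}

// Alternative: read the group entry itself and return its member DNs.
function memberDns($ds, string $groupDn): array
{
    $sr = ldap_read($ds, $groupDn, '(objectClass=group)', ['member']);
    $entries = $sr === false ? ['count' => 0] : ldap_get_entries($ds, $sr);
    $members = $entries[0]['member'] ?? [];
    unset($members['count']);
    return array_values($members);
}

$ds = connectAndBind('ldap://domain.com', 'user', 'pass');
print_r(usersInGroup($ds, USER_BASE, GROUP_DN));
print_r(memberDns($ds, GROUP_DN));
```

A direct memberOf match does not expand nested groups and does not cover a user's primary group, so an empty or short result is a prompt to check those cases rather than proof of non-membership.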