Reading members of Security Group w/in LDAP - HELP

Posted: Wed Jun 14, 2006 2:51 pm
by labmixz
I've done some searching on the web awhile back about this...

Just can't seem to find anything that will help my situation... Basically, I have a simple LDAP query, but instead of reading the OU I want it to read the members of a security group. I have also had a hard time finding a complete list of LDAP attributes, so I highly doubt that I have the right attribute in the LDAP search string:

$sr=ldap_search($ds,"ou=sAdministrative,ou=Administrative,ou=Employees,dc=domain,dc=com",$filter);

The above in bold is the security group I want to read. Of course that doesn't work, because a security group isn't an OU, but I just can't seem to find out the attribute for a security group.

Any help on trying to read the members of a ldap security group would be greatly appreciated.

Thanks,
Henry

Posted: Wed Jun 14, 2006 3:11 pm
by labmixz
I found that I won't get any error messages with:

$sr=ldap_search($ds,"cn=sAdministrative,ou=Administrative,ou=Employees,dc=domain,dc=com",$filter);

But still not understanding how to read the contents of the group as it's not pulling anything to

$sr=ldap_search($ds,"cn=sAdministrative,ou=Administrative,ou=Employees,dc=domain,dc=com",$filter);
$info = ldap_get_entries($ds, $sr);

Posted: Wed Jun 14, 2006 3:59 pm
by pickle
In NDS (Novell Directory Services), one can simply ask for the groups in a particular context. In the results, there is a 'member' attribute that contains all the members. Have you tried something similar?

Posted: Thu Jun 15, 2006 10:22 am
by labmixz
pickle wrote: In NDS (Novell Directory Services), one can simply ask for the groups in a particular context. In the results, there is a 'member' attribute that contains all the members. Have you tried something similar?
I have been trying to play around with different attribute names, also trying 'member' and 'members', and still can't get anything to work; however, in the filter I put:

$filter = "(&(objectClass=group))";
which displays "sAdministrative" rather than nothing, but I still can't get it to list the members of the group.

Posted: Thu Jun 15, 2006 10:26 am
by pickle
Once you get your results, call:

echo '<pre>';
print_r($your_LDAP_Results_here);
echo '</pre>';
To see absolutely all data returned.

Posted: Thu Jun 15, 2006 11:01 am
by labmixz
pickle wrote: Once you get your results, call:

echo '<pre>';
print_r($your_LDAP_Results_here);
echo '</pre>';
To see absolutely all data returned.
Still just returning the group name, no members :(

Posted: Thu Jun 15, 2006 11:05 am
by pickle
What are you talking to via LDAP? Active Directory?

Posted: Thu Jun 15, 2006 12:41 pm
by labmixz
pickle wrote: What are you talking to via LDAP? Active Directory?
Yes, sorry for not giving that information sooner. Trying to talk to AD on Win2003 Server.

Posted: Thu Jun 15, 2006 12:58 pm
by pickle
I can't believe it took me this long to figure it out. You don't search for a group and get all its members, you search for all people that are a member of that group.

So, your filter would be: (&(ObjectClass=user)(groupMembership=sAdministrative))
Again, the syntax might be different, but basically you're restricting your results to only users that are members of sAdministrative

Posted: Thu Jun 15, 2006 1:51 pm
by labmixz
pickle wrote: I can't believe it took me this long to figure it out. You don't search for a group and get all its members, you search for all people that are a member of that group.

So, your filter would be: (&(ObjectClass=user)(groupMembership=sAdministrative))
Again, the syntax might be different, but basically you're restricting your results to only users that are members of sAdministrative
I've been trying to mess around with that as a filter, still no results, no errors, but no results either...

Also found an attribute "memberOf", which gives me the same thing: no results, but no errors... In my filter, rather than limiting it to the object class, I'm just trying to list everything in that group, so I was just trying to filter out anything but that group, using what you suggested earlier to return all the results.

Right now it just looks like:

<?php
$ds=ldap_connect("ldap://domain.com");
if($ds)
{
	// Active Directory expects LDAPv3; PHP's ldap extension defaults to v2
	ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
	$r=ldap_bind($ds,"user","pass");
	if(!$r)
	{
		die("bind failed: " . ldap_error($ds));
	}
	$filter = "(&(memberOf=sAdministrative))";

	$sr=ldap_search($ds,"ou=Employees,dc=domain,dc=com",$filter);
	$info = ldap_get_entries($ds, $sr);

	// only index the result set when the search matched something
	$temp = ($info["count"] > 0) ? $info[0]["cn"][0] : null;

	echo '<pre>';
	print_r($temp);
	echo '</pre>';
}
?>

Posted: Thu Jun 15, 2006 2:16 pm
by pickle
Have you tried dumping $info rather than $temp? $temp would just contain a string - the common name (cn) of the first group.

Posted: Thu Jun 15, 2006 2:23 pm
by labmixz
pickle wrote: Have you tried dumping $info rather than $temp? $temp would just contain a string - the common name (cn) of the first group.
Yes, dumping $info

returns:

Array
(
[count] => 0
)

For both groupMembership and memberOf


I feel like this is getting a little closer to the solution, but I still think something is wrong with the attribute I'm using... I've been trying to google it, but still coming up short.

Posted: Thu Jun 15, 2006 2:28 pm
by pickle
Ok, desperation time ;)

Change your filter to (cn=*) which will give you absolutely everything in that context. You should then be able to look at a user that's supposed to be in that group and see if there's anything you can use.

Stupid question but...do you know if there is actually at least 1 user in that group?

Posted: Thu Jun 15, 2006 2:40 pm
by labmixz
pickle wrote: Ok, desperation time ;)

Change your filter to (cn=*) which will give you absolutely everything in that context. You should then be able to look at a user that's supposed to be in that group and see if there's anything you can use.

Stupid question but...do you know if there is actually at least 1 user in that group?
No question is stupid... But yes, there are about 19 users in the group...


With the filter set to (cn=*), I found some users with information showing they were a member of that group...

Example:

[memberof] => Array
                (
                    [count] => 1
                    [1] => CN=sAdministrative,OU=Administrative,OU=Employees,DC=domain,DC=com
                )

So, I'm assuming using the memberOf attribute somehow in conjunction with CN=sAdministrative should yield the results I'm looking for. Going to play around with it some, let me know if you can think of anything for this...

Thanks for your help thus far, it's much appreciated...
~Henry

Posted: Thu Jun 15, 2006 2:46 pm
by pickle
It may be case sensitive. You said you were checking memberOf, and in the example it's memberof. May be significant.
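Putting the thread's findings together as an added example (not code from either poster): the memberOf filter needs the group's full DN, as shown in the print_r dump above, and the group object's own member attribute is the other way to list membership. The host, bind account and DNs are placeholders, and ldap_escape() is used so a DN taken from user input cannot alter the filter.

```php
<?php
// Added example, not from the thread. Placeholders: host, bind account, DNs.
$host    = 'ldap://domain.com';
$bindDn  = 'user@domain.com';   // placeholder: a read-only service account
$bindPw  = 'pass';
$groupDn = 'CN=sAdministrative,OU=Administrative,OU=Employees,DC=domain,DC=com';
$baseDn  = 'OU=Employees,DC=domain,DC=com';

$ds = ldap_connect($host);
if (!$ds) {
    exit("ldap_connect failed\n");
}
// Active Directory expects LDAPv3; PHP's ldap extension defaults to v2.
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// Do not chase AD referrals; they cause hangs and confusing empty results.
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

if (!@ldap_bind($ds, $bindDn, $bindPw)) {
    exit('ldap_bind failed: ' . ldap_error($ds) . "\n");
}

// Way 1: read the group entry itself; its 'member' attribute holds the
// members' full DNs. ldap_read() does a base-scope lookup of one entry.
$sr      = ldap_read($ds, $groupDn, '(objectClass=group)', ['member']);
$entries = ldap_get_entries($ds, $sr);
$members = [];
if ($entries['count'] > 0 && isset($entries[0]['member'])) {
    $members = array_slice($entries[0]['member'], 1); // drop the 'count' slot
}
echo "member attribute lists " . count($members) . " DN(s)\n";

// Way 2: the reverse lookup, users whose memberOf contains the group's DN.
// ldap_escape() neutralises filter metacharacters ( ) * \ in the DN.
$filter = '(&(objectClass=user)(memberOf='
        . ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER) . '))';
$sr    = ldap_search($ds, $baseDn, $filter, ['samaccountname', 'cn']);
$users = ldap_get_entries($ds, $sr);
echo "memberOf filter matched " . $users['count'] . " user(s)\n";
for ($i = 0; $i < $users['count']; $i++) {
    // ldap_get_entries() lowercases attribute names, hence 'samaccountname'
    echo $users[$i]['samaccountname'][0] . "\n";
}
ldap_unbind($ds);
```

Way 1 returns a full DN per member, which must be resolved separately to get usernames; for groups with more than 1500 members AD returns the member attribute in ranges (member;range=0-1499), so a single read only shows the first batch.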