
ldap_search() not searching whole tree

Posted: Wed Feb 20, 2008 10:43 am
by sinistapenguin
Hi All

I am a complete novice in terms of PHP/ LDAP so am probably way out of my depth.

We are using Joomla! as a CMS for our corporate Intranet. I was hoping to find an extension that would pull back a phone/ email directory from Active Directory (on W2K3). Having failed to find an extension, I started looking at writing something myself.

I have pinched a script I found on the internet and it works in a limited way.

I can connect/ bind etc. But I can only search within a specified OU.

Our AD is organised like this:

DOMAIN
----Office
--------Dept
------------Users
--------Dept
------------Users
--------Dept
------------Users
----Office
--------Dept
------------Users
--------Dept
------------Users
etc...

I would like my script to search all of the offices & depts for users matching certain criteria.

The script I pinched consists of a search page:

Code:


<form action="script.php" method="post">
    Search criteria:<br />
    <input type="text" name="keyword" size="20"
           maxlength="20" value="" /><br />
    Filter:<br />
    <select name="filter">
        <option value="">Choose One:</option>
        <option value="sn">Last Name</option>
        <option value="telephonenumber">Phone</option>
        <option value="l">City</option>
    </select><br />
    <input type="submit" value="Search!" />
</form>

Which passes parameters to the script below (names have been changed to protect the innocent!):

Code:


<?php

// Connection details (the host address was redacted in the post)
$host = "ldap://###.##.##.##";
$user = "ben.powell@jephson.org.uk";
$pswd = "myPassw0rd";

$ad = ldap_connect($host)
      or die("Could not connect!");

// Active Directory needs LDAP protocol version 3
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3)
     or die("Could not set ldap protocol");

// Bind as the lookup account
$bd = ldap_bind($ad, $user, $pswd)
      or die("Could not bind");

// Base DN: ldap_search() does a subtree search starting here, so only this
// OU and the OUs beneath it are covered
$dn = "OU=IT Customer Support,OU=Office Central,DC=domain,DC=local";

// Specify only those attributes we're interested in displaying
$attrs = array("displayName", "userPrincipalName", "physicalDeliveryOfficeName", "givenName", "telephoneNumber");

// Accept only the attribute names the form offers, and escape the keyword
// before it goes into the filter, so that form input cannot change the
// structure of the filter (ldap_escape() needs PHP 5.6 or later)
$allowed = array("sn", "telephonenumber", "l");
$attr    = isset($_POST['filter'])  ? $_POST['filter']  : "";
$keyword = isset($_POST['keyword']) ? $_POST['keyword'] : "";
if (!in_array($attr, $allowed, true) || $keyword === "") {
    die("Please choose a filter and enter a search term");
}
$filter = "(" . $attr . "=" . ldap_escape($keyword, "", LDAP_ESCAPE_FILTER) . "*)";

$search = ldap_search($ad, $dn, $filter, $attrs)
          or die("ldap search failed");

$entries = ldap_get_entries($ad, $search);

// ldap_get_entries() lower-cases attribute names, and an attribute that is
// not set on an entry is simply absent, so look values up defensively
function attr($entry, $name) {
    return isset($entry[$name][0]) ? $entry[$name][0] : "";
}

// Directory values are printed into HTML, so escape them
function h($s) {
    return htmlspecialchars($s, ENT_QUOTES, "UTF-8");
}

if ($entries["count"] > 0) {
  echo "<table border='1' width='90%'>";
  echo "<tr>";
  echo "<td>Name:</td>";
  echo "<td>Office:</td>";
  echo "<td>Email:</td>";
  echo "<td>Telephone:</td>";
  echo "</tr>";

  for ($i = 0; $i < $entries["count"]; $i++) {
    $upn = attr($entries[$i], "userprincipalname");
    echo "<tr>";
    echo "<td>" . h(attr($entries[$i], "displayname")) . "</td>";
    echo "<td>" . h(attr($entries[$i], "physicaldeliveryofficename")) . "</td>";
    echo "<td><a href='mailto:" . h($upn) . "'>" . h($upn) . "</a></td>";
    echo "<td>" . h(attr($entries[$i], "telephonenumber")) . "</td>";
    echo "</tr>";
  }
  echo "</table>";
} else {
   echo "<p>No results found!</p>";
}

ldap_unbind($ad);

?>

This works fine and I can find anyone within the "OU=IT Customer Support, OU=Office Central" department.

Unfortunately I can't figure out how to make it search the whole tree. According to the PHP site, it does this by default, but I can't figure out what I need to change. Is it the $dn= bit? I have tried everything I can think of here.

Any help would be gratefully received.

Thanks

Ben
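The script above builds its search filter by concatenating the two form values straight into the filter string, so a keyword containing filter metacharacters becomes part of the filter grammar. The following is an added example, not code from Ben's post: it shows the filter that concatenation produces for a crafted keyword, next to a hardened builder that only accepts the three attribute names the form offers and escapes the value as RFC 4515 requires (ldap_escape() where PHP 5.6 or later provides it, with a hand-rolled fallback for older releases). The sample inputs are constructed; nothing here needs a directory server.

```php
<?php
// Added example (not from the forum post): LDAP filter construction,
// the original concatenation next to a hardened form.
// Runs without a directory server; only string handling is exercised.

// What the posted script does: raw form values spliced into the filter.
function build_filter_unsafe($attr, $keyword)
{
    return $attr . "=" . $keyword . "*";
}

// RFC 4515 escaping for a value inside a search filter. ldap_escape() exists
// from PHP 5.6; the fallback performs the same replacement for older releases
// (backslash first, so the backslashes the other replacements introduce are
// not escaped a second time).
function ldap_filter_escape($value)
{
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    return str_replace(
        array("\\",   "*",    "(",    ")",    "\0"),
        array("\\5c", "\\2a", "\\28", "\\29", "\\00"),
        $value
    );
}

// Hardened builder: the attribute must be one the form offers, the keyword is
// escaped, and the trailing wildcard is appended by us after escaping.
// Returns null when the input is rejected.
function build_filter_safe($attr, $keyword, array $allowed = array('sn', 'telephonenumber', 'l'))
{
    if (!in_array($attr, $allowed, true) || $keyword === '') {
        return null;
    }
    return '(' . $attr . '=' . ldap_filter_escape($keyword) . '*)';
}

// Constructed inputs: an ordinary search, a keyword that closes the term and
// adds its own match-all clause, and an attribute the form does not offer.
$cases = array(
    array('sn', 'Pow'),
    array('sn', '*)(objectClass=*'),
    array('memberOf', 'x'),
);

foreach ($cases as $c) {
    list($attr, $kw) = $c;
    printf("input   : %s / %s\n", $attr, $kw);
    printf("unsafe  : %s\n", build_filter_unsafe($attr, $kw));
    $safe = build_filter_safe($attr, $kw);
    printf("hardened: %s\n\n", $safe === null ? '(rejected)' : $safe);
}
```

For the second case the unsafe builder yields `sn=*)(objectClass=**`, while the hardened one yields `(sn=\2a\29\28objectClass=\2a*)`, in which the whole keyword is matched literally and only the wildcard we appended remains a wildcard.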

Re: ldap_search() not searching whole tree

Posted: Wed Feb 20, 2008 11:18 am
by liljester
I've done a little experimenting with LDAP and PHP lately. I'm not too familiar with the workings of LDAP, but... I think when you search "OU=IT Customer Support, OU=Office Central, DC=domain, DC=local" it only searches that OU.

You may have to change your form so that it asks what department to search, and include that in the DN, instead of searching "OU=IT Customer Support, OU=Office Central".

Let me know what you come up with.

Re: ldap_search() not searching whole tree

Posted: Wed Feb 20, 2008 3:17 pm
by pickle
Why not just set the base DN to "DC=local" rather than "OU=IT Customer Support, OU=Office Central, DC=domain, DC=local"?

Re: ldap_search() not searching whole tree

Posted: Thu Feb 21, 2008 8:30 am
by sinistapenguin
Thanks Both

I have tried setting the base DN as suggested, but it returns "LDAP search failed!". I've tried this in every way I can think of: creating a $base_dn variable of DC=domain, DC=local (our domain name is domain.local). I will try this with just 'local' though. I've also tried setting the $dn variable to DC=domain, DC=local, but same problem.

I could add a department to the search form, but you might not know the department of the person you wish to search for?

Thanks again

Ben

Re: ldap_search() not searching whole tree

Posted: Thu Feb 21, 2008 8:35 am
by liljester
You may have to make a loop that appends the department to a base DN, and then searches that department... no reason why that shouldn't work. You would have to maintain a list of departments in your code for the searching though... not as slick as it would be if you could search from the root of the directory, but it should still work?

Re: ldap_search() not searching whole tree

Posted: Thu Feb 21, 2008 10:36 am
by sinistapenguin
According to the PHP manual, ldap_search() searches the whole tree by default:

"Performs the search for a specified filter on the directory with the scope of LDAP_SCOPE_SUBTREE. This is equivalent to searching the entire directory."

So surely I don't need to create a loop, just point it at my base DN. If this is true, how do I find out what my base DN should be?

Re: ldap_search() not searching whole tree

Posted: Thu Feb 21, 2008 1:47 pm
by liljester
sinistapenguin wrote:
"According to the PHP manual, ldap_search() searches the whole tree by default: Performs the search for a specified filter on the directory with the scope of LDAP_SCOPE_SUBTREE. This is equivalent to searching the entire directory. So surely I don't need to create a loop, just point it at my base DN. If this is true, how do I find out what my base DN should be?"

From the testing I've done with Active Directory, it seems as though the documentation is wrong or incomplete... (where can I set LDAP_SCOPE_TREE?)

When I specify "ou=users,dc=domain,dc=local" in the search, the search is limited to that OU and its children. I thought of searching "dc=domain,dc=local" but ldap_error() gives me the error "Operations error"... real helpful, right?

So if you're doing Active Directory, and you want to search through all your root OUs, it looks to me like your only option is to know them beforehand and write a loop to search them all. I hope someone else with more knowledge can shed some light on what we are doing wrong, if indeed we are doing something wrong.
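The following is an added example, not code from any post in this thread: a whole-tree search against Active Directory in PHP. It deals with the two things the posts above run into. The base DN is read from the RootDSE's defaultNamingContext instead of being guessed, and referral chasing is switched off: an LDAPv3 subtree search rooted at the domain naming context makes AD return referrals to its other partitions (DomainDnsZones, ForestDnsZones, Configuration), libldap follows them with an unauthenticated bind, and AD refuses that, which surfaces in PHP as "Operations error". ldap_search() is a subtree search, so with the domain root as base and referrals left alone it covers every Office and Dept OU. It also pages through results, because AD returns at most MaxPageSize entries (1000 by default) for an unpaged search. The host, bind account, password and keyword are placeholders, and the controls argument of ldap_search() needs PHP 7.3 or later.

```php
<?php
// Added example (not from the thread). Assumed values: the directory host,
// the bind account and its password, the sample keyword, and PHP >= 7.3 for
// the controls argument of ldap_search().
$host = "ldaps://dc01.domain.local";   // placeholder; ldaps:// (or ldap_start_tls) keeps the simple bind password off the wire in clear
$user = "svc-phonebook@domain.local";  // placeholder
$pswd = "changeme";                    // placeholder

$ad = ldap_connect($host) or die("connect failed");
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
// Do not chase referrals. A subtree search from the domain root makes AD hand
// back referrals to its DomainDnsZones/ForestDnsZones/Configuration partitions;
// libldap would follow them unauthenticated and AD answers "Operations error".
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
ldap_bind($ad, $user, $pswd) or die("bind failed: " . ldap_error($ad));

// Find the base DN by asking the RootDSE (empty base, base-level read).
function default_naming_context($ad)
{
    $r = ldap_read($ad, "", "(objectClass=*)", array("defaultNamingContext"));
    if ($r === false) {
        return null;
    }
    $e = ldap_get_entries($ad, $r);
    return isset($e[0]["defaultnamingcontext"][0]) ? $e[0]["defaultnamingcontext"][0] : null;
}

// Subtree search from $base using the paged-results control, so that more
// than MaxPageSize (1000 by default) entries come back. Returns the entries
// in ldap_get_entries() form, each with its "dn".
function search_subtree($ad, $base, $filter, array $attrs, $page = 500)
{
    $out    = array();
    $cookie = "";
    do {
        $ctrl = array(array("oid"   => LDAP_CONTROL_PAGEDRESULTS,
                            "value" => array("size" => $page, "cookie" => $cookie)));
        $r = ldap_search($ad, $base, $filter, $attrs, 0, 0, 0, LDAP_DEREF_NEVER, $ctrl);
        if ($r === false) {
            die("search failed: " . ldap_error($ad));
        }
        ldap_parse_result($ad, $r, $errcode, $matched, $errmsg, $referrals, $controls);
        $e = ldap_get_entries($ad, $r);
        for ($i = 0; $i < $e["count"]; $i++) {
            $out[] = $e[$i];
        }
        // The server returns a non-empty cookie while further pages remain
        $cookie = isset($controls[LDAP_CONTROL_PAGEDRESULTS]["value"]["cookie"])
                ? $controls[LDAP_CONTROL_PAGEDRESULTS]["value"]["cookie"] : "";
    } while ($cookie !== "");
    return $out;
}

$base = default_naming_context($ad) or die("could not read defaultNamingContext");

// Keyword escaped per RFC 4515 before it is placed in the filter; restricted
// to user objects so that contacts and computers in the same OUs are left out.
$keyword = ldap_escape("pow", "", LDAP_ESCAPE_FILTER);   // constructed sample input
$filter  = "(&(objectCategory=person)(objectClass=user)(sn=" . $keyword . "*))";
$attrs   = array("displayName", "userPrincipalName", "physicalDeliveryOfficeName", "telephoneNumber");

foreach (search_subtree($ad, $base, $filter, $attrs) as $u) {
    printf("%-30s %-20s %s\n",
        isset($u["displayname"][0]) ? $u["displayname"][0] : "",
        isset($u["telephonenumber"][0]) ? $u["telephonenumber"][0] : "",
        $u["dn"]);   // the DN shows which Office/Dept OU the hit came from
}

ldap_unbind($ad);
```

The RootDSE read is what answers "how do I find out what my base DN should be": defaultNamingContext is the domain's DN (for domain.local, DC=domain,DC=local). The objectCategory/objectClass pair is the usual way to limit an AD search to user accounts; drop it if contacts should appear in the phone list.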

Re: ldap_search() not searching whole tree

Posted: Wed Feb 27, 2008 10:50 am
by dwiedenheft
I ran across your post while trying to answer the same question - not being able to read a list of top-level OUs using PHP's ldap_search(). If anyone knows another method, even by calling out to another language, any help would be greatly appreciated!