
php ldap search: no such object

I'm new to LDAP, so I will try to explain correctly.
I have a hostname "energia.sise".

I need to get all users which are located in energia.sise/nej/users

Could you advise me how to do that?

In this code, I tried to get my record based on my email, but it errors:

    Warning: ldap_search(): Search: No such object

     $base_dn ="OU=users, OU=nej, DC=energia, DC=sise";
     $ds = ldap_connect("energia.sise") or die("Невозможно соединиться с $ldaphost");

     ldap_bind($ds, "login@energia", "password");

     $filter = '(&(objectClass=user)(CN=*)(mail=kosmos*))';

     $sr = ldap_search($ds, $base_dn, $filter);
     $info = ldap_get_entries($ds, $sr);

Except for the unnecessary filter component CN=*, as already noted by Terry Gardner, your filter seems to be correct. As such, I suspect that there are other possible problems you have with your code:

  1. The username format you are using is incorrect. Try binding with login@energia.sise or ENERGIA\\login .
  2. The container "OU=users, OU=nej, DC=energia, DC=sise" does not exist. Try your search in the whole domain - "DC=energia, DC=sise" and see if you are getting any results.
  3. Use the LDAP v3 protocol in Active Directory whenever possible. This should be set before you bind:

    ldap_set_option( $ds, LDAP_OPT_PROTOCOL_VERSION, 3 );

  4. I recommend that you also turn off referrals handling for LDAP v3 as it causes some strange behaviour for AD sometimes:

    ldap_set_option( $ds, LDAP_OPT_REFERRALS, 0 );

When performing a search operation like this, the "No such object" error usually refers to the fact that the base DN does not exist. If there were no users to match your filter, the server would return an empty result set.

Hope that helps!
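
The checks from the answer above combined into one script, as an added example that is not code from any of the original posts: it sets the two options before binding, binds with the full UPN, and uses the LDAP result code to tell a missing base DN (code 32) apart from a filter that matched nothing. The `LDAP_PASSWORD` environment variable, the `search_users` helper and the `RESULT_NO_SUCH_OBJECT` constant are assumptions made for the example; host, login and DNs are the question's own values.

```php
<?php
// Added example (not from the original posts). LDAP_PASSWORD is an assumed
// environment variable; host, login and DNs are the question's own values.
const RESULT_NO_SUCH_OBJECT = 32; // RFC 4511 result code noSuchObject

// Search $baseDn and separate "base DN missing" from "filter matched nothing".
function search_users($ds, string $baseDn, string $mailPrefix): array
{
    // Escape the user-supplied part so it cannot alter the filter.
    $mail = ldap_escape($mailPrefix, '', LDAP_ESCAPE_FILTER);
    $filter = "(&(objectClass=user)(mail={$mail}*))";

    // @ hides the PHP warning; the LDAP result code is inspected instead.
    $sr = @ldap_search($ds, $baseDn, $filter, ['cn', 'mail']);
    if ($sr === false) {
        $code = ldap_errno($ds);
        $status = $code === RESULT_NO_SUCH_OBJECT ? 'base_dn_missing' : 'error';
        return ['status' => $status, 'detail' => ldap_err2str($code), 'entries' => []];
    }
    $entries = ldap_get_entries($ds, $sr);
    $status = $entries['count'] > 0 ? 'ok' : 'no_match';
    return ['status' => $status, 'detail' => '', 'entries' => $entries];
}

$password = getenv('LDAP_PASSWORD');
if ($password === false || $password === '') {
    // An empty password would turn the bind into an unauthenticated one.
    exit("LDAP_PASSWORD is not set\n");
}

$ds = ldap_connect('ldap://energia.sise');
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // set before binding
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

if (!@ldap_bind($ds, 'login@energia.sise', $password)) {
    exit('Bind failed: ' . ldap_error($ds) . "\n");
}

// Try the container from the question first, then the whole domain.
foreach (['OU=users,OU=nej,DC=energia,DC=sise', 'DC=energia,DC=sise'] as $base) {
    $r = search_users($ds, $base, 'kosmos');
    echo "{$base}: {$r['status']} {$r['detail']}\n";
    for ($i = 0; $i < ($r['entries']['count'] ?? 0); $i++) {
        echo '  ', $r['entries'][$i]['dn'], "\n"; // copy the real DN from here
    }
    if ($r['status'] === 'ok') {
        break;
    }
}
ldap_unbind($ds);
```

A simple bind over `ldap://` sends the password in clear text; use an `ldaps://` URI or call `ldap_start_tls()` before binding where the server supports it.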

The base object "OU=users, OU=nej, DC=energia, DC=sise" specified does not exist. The base object is the point at which the search begins - only entries at or below the base object would be returned in the search result except in the case of a one-level search, in which case the base object is not returned.

Before writing code, use a known good tool like ldapsearch to determine if the desired request parameters are correct:

    ldapsearch -h energia.sise -p port-number \
         -D login@energia -w password \
         -b ou=users,ou=nej,dc=energia,dc=sise -s sub \
         '(&)' 1.1

If the above displays the error indicating the base object does not exist, then locate the correct base object and try again.

As a side note, unrelated to the problem of the base object not existing, the filter component cn=* is not necessary, and will result in an increased search time because cn=* is a present filter, meaning entries that contain a cn attribute will match the search criteria. Unless I am mistaken, the cn attribute is required by the User objectClass, so using a & filter with both objectClass=User and cn=* does nothing but cause the server to spend more time on the search.


UPDATE: Using the LDAP Browser Free edition (check it out here) was good because you can simply browse through the LDAP server; it helps you understand if you can bind anonymously, etc. But the biggest benefit was to get the DN (copy and paste). After that I was able to read the data.

I had the following issues, and this is how I resolved them:

Problem 1: Can't bind even though I could connect anonymously through the LDAP Browser Software

Solution: added the following lines before the bind as suggested above:

    ldap_set_option( $ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3 );
    ldap_set_option( $ldapconn, LDAP_OPT_REFERRALS, 0 );

After this I was able to bind...

Problem 2: Can't Search...

Solution: Open the LDAP browser. Check connectivity to make sure you can connect to the LDAP server. Browse an example record. Right click and go to Properties and copy the DN and replace it in the code and that's it!

Original Post shown below:

I can't seem to search and I am using LDAP Browser 4.5 Free edition to make sure everything is working...

This is my Code:

    function ldap_anon_connect($ein){

        $ldaphost = "ldap://link_to_ldap.com";

        // create a connection to ldap server
        $ldapconn = ldap_connect($ldaphost) or die("Couldn't connect to " .$ldaphost);
        if ($ldapconn) {

            ldap_set_option( $ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3 );
            ldap_set_option( $ldapconn, LDAP_OPT_REFERRALS, 0 );

            // no DN or password is passed, so this is an anonymous bind
            $ldapbind = ldap_bind($ldapconn);
            if ($ldapbind) {

                // if binds, look some stuff up
                $info = ldap_annon_get_profile($ein, $ldapconn);
                return $info;
            }
            else{
                echo "Invalid EIN. Please Try again";
                die();
            }

        }

    }

    function ldap_annon_get_profile($ein, $ldapconn){

        // escape the caller-supplied value before placing it in the filter
        $filter = "(cn=".ldap_escape($ein, "", LDAP_ESCAPE_FILTER).")";

        // attributes to return
        $justthese = array(
            "cn","sn","givenName","displayName","mail","EmployeeClass","ManagerEIN",
            "mobile","title","c","PersonalTitle"
        );

        $sr = ldap_search($ldapconn, "o=CO,ou=COplc,ou=people", $filter, $justthese);
        $info = ldap_get_entries($ldapconn, $sr);

        return $info;

    }

I have double checked my DN=" o=CO,ou=COplc,ou=people " this is the right string as I can lookup the stuff at LDAP Browser...

Any ideas?
