
Issue Querying LDAP in PHP

I am currently working on a script that queries Active Directory to check if a user is a Domain Admin. The filter works correctly when I test it with ldp.exe. However, when I run the filter in PHP it does not return anything. However, just checking the SAM account returns correctly. Thank you!

<?php
$ldap_host = "Example.internal";
$base_dn = "DC=Prefix,DC=Example,DC=internal";
$filter = "(&(sAMAccountName=test)(memberof=CN=Domain Admins,CN=Users,DC=Prefix,DC=Example,DC=internal))";

$ldap_user  = "username";
$ldap_pass = "password";
$ldap_port = 3268;


$connect = ldap_connect( $ldap_host, $ldap_port)
          or exit(">>Could not connect to LDAP server<<");

ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
$bind = ldap_bind($connect, $ldap_user, $ldap_pass)
       or exit(">>Could not bind to $ldap_host<<");

$read = ldap_search($connect, $base_dn, $filter)
       or exit(">>Unable to search ldap server<<");
$info = ldap_get_entries($connect, $read);

echo $info["count"]." entries returned<p>";
$ii=0;
for ($i=0; $ii<$info[$i]["count"]; $ii++){
    $data = $info[$i][$ii];
    echo $data.":&nbsp;&nbsp;".$info[$i][$data][0]."<br>";
}
ldap_close($connect);

?>

Based on the code, I'm assuming you are trying to walk the returned objects and their attributes in the for loop at the end. The problem is how you are iterating. Here's the returned data structure per the manual.

return_value["count"] = number of entries in the result
return_value[0] : refers to the details of first entry

return_value[i]["dn"] =  DN of the ith entry in the result

return_value[i]["count"] = number of attributes in ith entry
return_value[i][j] = NAME of the jth attribute in the ith entry in the result

return_value[i]["attribute"]["count"] = number of values for
                                        attribute in ith entry
return_value[i]["attribute"][j] = jth value of attribute in ith entry

Based on this code:

$ii=0;
for ($i=0; $ii<$info[$i]["count"]; $ii++){
    $data = $info[$i][$ii];
    echo $data.":&nbsp;&nbsp;".$info[$i][$data][0]."<br>";
}

You are setting $i=0; and not iterating it so it's always 0, corresponding with the first entry in your returned array. You are actually walking through the attributes of the object, which is fine if you only ever expect 1 result back (I suspect that's not the case).

You might try the following function from the docs:

function cleanUpEntry( $entry ) {
  $retEntry = array();
  for ( $i = 0; $i < $entry['count']; $i++ ) {
    if (is_array($entry[$i])) {
      $subtree = $entry[$i];
      //This condition should be superfluous so just take the recursive call
      //adapted to your situation in order to increase perf.
      if ( ! empty($subtree['dn']) and ! isset($retEntry[$subtree['dn']])) {
        $retEntry[$subtree['dn']] = cleanUpEntry($subtree);
      }
      else {
        $retEntry[] = cleanUpEntry($subtree);
      }
    }
    else {
      $attribute = $entry[$i];
      if ( $entry[$attribute]['count'] == 1 ) {
        $retEntry[$attribute] = $entry[$attribute][0];
      } else {
        for ( $j = 0; $j < $entry[$attribute]['count']; $j++ ) {
          $retEntry[$attribute][] = $entry[$attribute][$j];
        }
      }
    }
  }
  return $retEntry;
}

USAGE:

$info = ldap_get_entries($connect, $read);
// Pass the whole result array: its top level is itself "count" plus the
// numbered entries, so cleanUpEntry() keys the output by each entry's DN.
$clean_info = cleanUpEntry($info);

var_dump($clean_info);

Output:

array(256) {
  ["uid=doe,ou=People,dc=example,dc=net"]=>
  array(3) {
    ["uid"]=>
    string(4) "doe"
    ["cn"]=>
    string(14) "John Doe"
    ["telephonenumber"]=>
    string(4) "1234"
  }
  ["uid=foo,ou=People,dc=example,dc=net"]=>
  ...

You may also consider using print_r($info) after calling ldap_get_entries() to see exactly what is in there.
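As an added example (not code from the question or the answer above), the following walks the ldap_get_entries() structure with three properly nested loops, builds the question's filter with ldap_escape() so a user-supplied account name cannot change the meaning of the filter, and tests direct membership against the memberOf values. The $info array is constructed by hand to mimic what ldap_get_entries() returns for one user; the DNs are the ones from the question, and the helper names are my own.

```php
<?php
// Added example: correct iteration over ldap_get_entries() output, plus an
// escaped filter. $info below is a constructed stand-in for a real result.

// Turn ldap_get_entries() output into [dn => [attribute => [values...]]].
// Note that PHP lower-cases the attribute names in this array.
function walkEntries(array $info): array
{
    $result = [];
    for ($i = 0; $i < $info['count']; $i++) {              // each entry
        $entry = $info[$i];
        $attrs = [];
        for ($j = 0; $j < $entry['count']; $j++) {         // each attribute
            $name = $entry[$j];                            // attribute NAME
            $values = [];
            for ($k = 0; $k < $entry[$name]['count']; $k++) {
                $values[] = $entry[$name][$k];             // each value
            }
            $attrs[$name] = $values;
        }
        $result[$entry['dn']] = $attrs;
    }
    return $result;
}

// Same filter as the question, but the account name and group DN are
// escaped with ldap_escape() (PHP >= 5.6), so characters such as ')' or '*'
// in user input become literals instead of filter syntax.
function buildAdminFilter(string $sam, string $groupDn): string
{
    return sprintf(
        '(&(sAMAccountName=%s)(memberOf=%s))',
        ldap_escape($sam, '', LDAP_ESCAPE_FILTER),
        ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER)
    );
}

// True when any returned entry lists $groupDn in memberOf. AD matches DNs
// case-insensitively, so compare the same way.
function isDirectMember(array $entries, string $groupDn): bool
{
    foreach ($entries as $dn => $attrs) {
        foreach ($attrs['memberof'] ?? [] as $g) {
            if (strcasecmp($g, $groupDn) === 0) {
                return true;
            }
        }
    }
    return false;
}

// Constructed sample of what ldap_get_entries() returns for one user.
$info = [
    'count' => 1,
    0 => [
        'count' => 3,
        'dn' => 'CN=test,CN=Users,DC=Prefix,DC=Example,DC=internal',
        0 => 'samaccountname',
        'samaccountname' => ['count' => 1, 0 => 'test'],
        1 => 'memberof',
        'memberof' => [
            'count' => 2,
            0 => 'CN=Domain Admins,CN=Users,DC=Prefix,DC=Example,DC=internal',
            1 => 'CN=Helpdesk,OU=Groups,DC=Prefix,DC=Example,DC=internal',
        ],
        2 => 'cn',
        'cn' => ['count' => 1, 0 => 'test'],
    ],
];

$groupDn = 'CN=Domain Admins,CN=Users,DC=Prefix,DC=Example,DC=internal';

// The escaped filter for a normal name, and for a name carrying filter
// metacharacters, which are neutralised rather than interpreted.
echo buildAdminFilter('test', $groupDn), PHP_EOL;
echo buildAdminFilter('test)(objectClass=*', $groupDn), PHP_EOL;

$entries = walkEntries($info);
print_r($entries);
var_dump(isDirectMember($entries, $groupDn));
```

Two caveats when using this as an admin check: memberOf only reflects direct membership, so a user who is in a group that is itself nested inside Domain Admins is not matched by this filter (Active Directory's LDAP_MATCHING_RULE_IN_CHAIN matching rule, OID 1.2.840.113556.1.4.1941, can be used in the memberOf clause to follow nested groups); and the check above should be the server side's decision only, never a value taken from the client.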
