Why does php ldap_search return different attributes within the same query?

Question

I am running a query of Active Directory via ldap_search and returning ldap_get_entries attempting to get LastLogin, whenCreated, pwdLastSet.

The first user returned does not have the indexes (returned about 42 attributes) but the second does (returned about 75 attributes). In the total set many do and many don't have the wanted fields. I have been unable to determine any difference in the accounts.

They are in the same OU and show the same attributes in the Attributes tab in MMC and have data in the values, I have set the fields array to empty to return all, I have tried both port 3268 and 389 and connect with ldap//. I even tried querying the GC holder vs non GC holder but got the same results.

DC is Windows Server 2016 and PHPv7 with Apache2.

$dc = 'domain controller';
$ds = ldap_connect('ldap//' . $dc . ':389');
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

$ldap_bind = ldap_bind($ds, $ldap_un, $ldap_pwd);

$dn = "OU=$parent_ou,DC=<domain>,DC=com";

$filter = '';
$fields = array();
$attrs_only = 0; # default
$size_limit = 0; # unlimited
$time_limit = 0; # no limit
$deref = 0;

$sr = ldap_search($ds, $dn, $filter, $attrs_only, $size_limit, $time_limit, $deref);

$arr_entries = ldap_get_entries($sr);

Query connects, binds, and returns >500 entries.

I expected the same attributes to be returned for each entry even it they returned NULL (not_set) but even with data present they are returning differently.

Can anyone help me to determine why and how to correct it?

Thanks in advance.

Answer 1

Seems the problem was permissions. Apparently the account I was using to bind with did not have sufficient rights to get the data. Now I have to find out why it is that way on two of three servers. More information at AD Access Control .

Thanks for the help.