how can I get ALL LDAP entries?

Question

I know how to LDAP bind for authentication which uses search but what can I do if I want ALL of the entries of Full Names...So how can I get the Full names or emails of ALL the people??

Below I use LDAP bind for authentication and I can search for one person but what if I want them all?

<?php

// using ldap bind
$ldaprdn  = 'uname';     // ldap rdn or dn
$ldappass = 'password';  // associated password

// connect to ldap server
$ldapconn = ldap_connect("ldap.example.com")
    or die("Could not connect to LDAP server.");

if ($ldapconn) {

    // binding to ldap server
    $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);

    // verify binding
    if ($ldapbind) {
        echo "LDAP bind successful...";
    } else {
        echo "LDAP bind failed...";
    }

}

?>

This is some MySQL code I have that populates an html list:

<ol>     

<?php
mysql_connect("kool", "ohjoa", "sampa") or die(mysql_error());
mysql_select_db("DBtest") or die(mysql_error());

$query = "SELECT * FROM EditOnCall"; 

$result = mysql_query($query) or die(mysql_error());


while($row = mysql_fetch_array($result)){
    echo "<li>".$row['Email']."</li>";
    echo "<br />";
}


?>

</ol>

Now this displays a html list of emails. What I want to do is the same thing with LDAP except display the Full Name of all the ldap users in a directory...MY LDAP only has 200 people in it so its not too big.

Any Ideas?

Answer 1

A bind is one type of LDAP request, and a search is another type of request. A bind establishes the authentication state of a connection, and a search uses a base object, a scope, a filter, and other optional parameters to build a candidate list of entries which are filtered and returned to the LDAP client. The authentication state of the connection will also establish certain access capabilities such as which entries can be retrieved, how many entries can be retrieved in a search, how much time is spent on a search, how many entries should be examined in the process of fulfilling a search request, and other capabilities. Without using the root DN, it may not be possible to retrieve all entries in a directory, and your LDAP administrator may forbid non-root DN authentication states from retrieving more than a few entries. For more information about search, see " LDAP: Using ldapsearch ". For more general information about programming with LDAP, see "LDAP: Programming Practices" . For more detailed information see LDAP Search Best Practices .

With regard to filters, an asterisk is not a wildcard in the sense described (cn=*) . This is known as a presence filter and indicates whether the attribute used in the assertion - in this case cn - is present in an entry when filtering the candidate list. The asterisk can be used as part of a substring filter, for example, (cn=abc*) or (mail=user@example*) .

In any case, substring filters should be avoided where possible in large directories, are probably forbidden anyway, as would be 'trawling' the directory.

Answer 2

This is not about how you bind, it's about how you search. You need to learn about LDAP filters (this link relates to AD but all the information in it can be applied to any LDAP node).

You can use * as a wildcard in an LDAP filter. Say you wanted to get all the objects of objectClass=User which are identified by an attribute cn from a root container called cn=Users - you would do this:

$searchResult = ldap_search($ldapconn,'cn=Users','(&(objectClass=User)(cn=*))',array('cn','guid'));

The only way that the way you bind can affect this principle is if the user you use to bind does not have permissions to access the objects you are looking for in the directory.

If you show some more code of exactly what you are trying to do, I will edit this answer with more detail.