How to create LDAP-to-AD filter to search DN

I have created a PHP script to query our Active Directory (via LDAP) and return relevant info on user accounts. Two questions:
1) When querying "distinguishedname", I get a good string of values back. When querying "dn", I only get back the letter "C" (and I see this in both PHP and ASP). (Interestingly, the "dn" string shows correctly in AD.)

2) Trying to construct a filter, based on info from (, results are not being returned... and I suspect it's because of the "dn" string in question #1.

Sample distinguishedName string for a student:
CN=Lyon0394,OU=2013,OU=Students,OU=Marcus Whitman,DC=skitsap,DC=wednet,DC=edu

The actual script itself works great ~ it's just the filtering piece that's not working. Full script below for your entertainment...

Thanks!!! :) Derry

//////////////////////// SCRIPT FOLLOWS //////////////////////////

<?php
// Search term and type come from the HTML form that posts to this page.
$search   = $_POST["search"] ?? "";
$srchtype = $_POST["stype"] ?? "all";

// Escape the term before it goes into the filter (RFC 4515) so a user cannot
// add filter terms of their own, e.g. a search of "*)(objectclass=*".
$term = ldap_escape($search, "", LDAP_ESCAPE_FILTER);

// staff - no OU=Students
// student - must have OU=Students
// all - doesn't matter
if ($srchtype == "staff") {
  $filter = "(&(objectclass=user)(&(!(ou:dn:=Students))(cn=*$term*)))";
} else if ($srchtype == "student") {
  $filter = "(&(objectclass=user)(&(ou:dn:=Students)(cn=*$term*)))";
} else {
  $filter = "(&(objectclass=user)(cn=*$term*))";
}

//$filter = "(&(cn=*$search*)(objectclass=user))";
//$filter = "(&(objectclass=user)(ou:dn:=Students))";

// LDAP fields to return (the list was cut off in the post; these are the
// attributes the table below prints; "dn" is always returned and is not an attribute)
$inforequired = array("cn", "displayname", "mail", "distinguishedname",
                      "physicaldeliveryofficename", "description");

// Build an LDAP connection (server host omitted in the post)
$ds = ldap_connect("ldaps://", "636");  // must be a valid LDAP server!

ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);  // AD hands out referrals that otherwise stall the search

// AD refuses anonymous searches by default, so bind with a service account.
// The bind step is not in the post; these two values are placeholders.
$binddn = "BIND_DN_HERE";
$bindpw = "BIND_PASSWORD_HERE";
if (!ldap_bind($ds, $binddn, $bindpw)) {
  die("LDAP bind failed: " . htmlspecialchars(ldap_error($ds)));
}

$sr   = ldap_search($ds, "dc=skitsap,dc=wednet,dc=edu", $filter, $inforequired);
$info = ldap_get_entries($ds, $sr);

// Print basic header info (HTML-escape anything that came from the user)
echo "<P>Search term: " . htmlspecialchars($search) . "</P>";
echo "<P>Search type: " . htmlspecialchars($srchtype) . "</P>";
echo "<P>Search filter: " . htmlspecialchars($filter) . "</P>";

if ($info["count"] == 0) {
  echo "No info available";
} else {

  echo "<TABLE BORDER=1><TR><TH>Acct</TH><TH>Name</TH><TH>E-mail</TH><TH>Distinguished Name</TH><TH>Office</TH><TH>Description</TH><TH>DN</TH></TR>";

  for ($i = 0; $i < $info["count"]; $i++) {
    // Every attribute comes back as an array of values; "dn" is the exception:
    // ldap_get_entries() stores it as a plain string, so $info[$i]["dn"][0]
    // is just its first character ("C"). Use the string directly.
    $row = "<tr>"
         . "<td>" . htmlspecialchars($info[$i]["cn"][0] ?? "")
         . "<td>" . htmlspecialchars($info[$i]["displayname"][0] ?? "")
         . "<td>" . htmlspecialchars($info[$i]["mail"][0] ?? "")
         . "<td>" . htmlspecialchars($info[$i]["distinguishedname"][0] ?? "")
         . "<td>" . htmlspecialchars($info[$i]["physicaldeliveryofficename"][0] ?? "")
         . "<td>" . htmlspecialchars($info[$i]["description"][0] ?? "")
         . "<td>" . htmlspecialchars($info[$i]["dn"])
         . "</tr>";
    print $row . "\n";
  }

  echo "</TABLE>";
}

ldap_unbind($ds);
?>

<INPUT type="submit" value="Close window" name=Submit onclick="window.close()">

Ohhhhh ... I see what you're trying to do (not sure how I missed that at the outset) ... anyway, I'm afraid to say that's not going to work as part of a filter, period!  The OU property is not populated on user objects and, as such, cannot be queried.  In addition, since the distinguishedName property isn't returned as a string it cannot be queried using a simple medial string query such as 'distinguishedName=*Students*' -- so that's out.

The answer is that you have to filter the result set programmatically (i.e. filtering out any object whose DN, when treated as a string, does not contain OU=Students)

... or submit a onelevel scope at the domain head and iterate through the result set like this -

base=domain head

  - for each OU in the result set, verify the OU value !=Students and perform your original query excluding the OU component on the filter
What are you trying to accomplish with this syntax -


... it appears you're trying to specify some kind of matching rule but 'dn' is not a mnemonic (and obviously not an OID) that I'm familiar with.
DerryLyonsAuthor Commented:
Intent of    ou:dn:=Students   is to only include those entries that have an OU=Students.

The syntax is based on the link mentioned in the original post (

Thanks! :)

I also noticed you're referring to 'dn' as part of the attribute return set -- 'dn' is not a valid ldapDisplayName ...
OK, so that's not a valid matching rule (at least for AD), 'OU=Students' will work just fine or not'd if necessary with a '!'.
DerryLyonsAuthor Commented:
OK, so I modified the filter to:
Search filter: (&(objectclass=user)(&(!(ou=Students))(cn=*lyon*)))
... but I still get both Students and non-Students...
CN=Lyon7267,OU=2019,OU=Students,OU=Orchard Heights,DC=skitsap,DC=wednet,DC=edu
CN=lyons,OU=Technology Staff,OU=Technology,DC=skitsap,DC=wednet,DC=edu
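The two DNs above show why the attribute filter cannot do this on its own: "Students" is an OU in the DN path, not a value on the user object, and it sits at a different depth under each school OU. The following is an added example, not code from the original post, that implements the earlier comment's suggestion of filtering the result set programmatically: the server-side filter carries only the objectclass and cn tests, and the student/staff decision is made by parsing each returned DN. The function names (ldap_filter_escape, build_filter, dn_rdns, dn_has_ou, filter_by_type) and the sample result set are my own; the sample reuses the DNs quoted in this thread so it runs without a directory server.

```php
<?php
// Added example, not code from the original post. Run the attribute filter
// against AD as usual, then keep or drop entries by inspecting the DN string,
// because user objects carry no "ou" attribute and distinguishedName does not
// support substring matching. Function names and sample data are mine.

// Escape a user-supplied value for an LDAP filter (RFC 4515). With ext/ldap
// loaded, ldap_escape($v, '', LDAP_ESCAPE_FILTER) gives the same result.
function ldap_filter_escape(string $value): string
{
    return strtr($value, [
        '\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00',
    ]);
}

// The server-side filter: only the attribute tests, with the term escaped so
// input such as "*)(objectclass=*" cannot add terms of its own.
function build_filter(string $search): string
{
    return '(&(objectclass=user)(cn=*' . ldap_filter_escape($search) . '*))';
}

// Split a DN into [attribute, value] pairs. A comma preceded by a backslash is
// part of a value (e.g. "CN=Lyons\, Derry"), so it must not split the string.
function dn_rdns(string $dn): array
{
    $parts = [];
    $cur = '';
    $len = strlen($dn);
    for ($i = 0; $i < $len; $i++) {
        $ch = $dn[$i];
        if ($ch === '\\' && $i + 1 < $len) {
            $cur .= $ch . $dn[++$i];      // keep the escaped character as-is
        } elseif ($ch === ',') {
            $parts[] = $cur;
            $cur = '';
        } else {
            $cur .= $ch;
        }
    }
    $parts[] = $cur;

    $rdns = [];
    foreach ($parts as $part) {
        [$attr, $val] = array_pad(explode('=', $part, 2), 2, '');
        $rdns[] = [strtolower(trim($attr)), trim($val)];
    }
    return $rdns;
}

// True when any RDN of the DN is "OU=<name>" (case-insensitive, as AD treats it).
function dn_has_ou(string $dn, string $name): bool
{
    foreach (dn_rdns($dn) as [$attr, $val]) {
        if ($attr === 'ou' && strcasecmp($val, $name) === 0) {
            return true;
        }
    }
    return false;
}

// $entries has the shape ldap_get_entries() returns: a "count" key plus one
// numbered row per entry. In that structure "dn" is a plain string, not an
// array, which is why $info[$i]["dn"][0] in the posted script prints only "C".
function filter_by_type(array $entries, string $srchtype): array
{
    $kept = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $isStudent = dn_has_ou($entries[$i]['dn'], 'Students');
        if ($srchtype === 'student' && !$isStudent) {
            continue;
        }
        if ($srchtype === 'staff' && $isStudent) {
            continue;
        }
        $kept[] = $entries[$i];
    }
    return $kept;
}

// Constructed result set using the two DNs quoted in the thread.
$sample = [
    'count' => 2,
    0 => ['dn' => 'CN=Lyon7267,OU=2019,OU=Students,OU=Orchard Heights,DC=skitsap,DC=wednet,DC=edu',
          'cn' => ['count' => 1, 0 => 'Lyon7267']],
    1 => ['dn' => 'CN=lyons,OU=Technology Staff,OU=Technology,DC=skitsap,DC=wednet,DC=edu',
          'cn' => ['count' => 1, 0 => 'lyons']],
];

foreach (['staff', 'student', 'all'] as $type) {
    $names = array_map(fn($e) => $e['cn'][0], filter_by_type($sample, $type));
    echo str_pad($type, 8), implode(', ', $names), PHP_EOL;
}
echo build_filter('lyon'), PHP_EOL;
echo build_filter('*)(objectclass=*'), PHP_EOL;  // metacharacters escaped, no break-out
```

Because the check walks the RDNs rather than substring-matching the DN, a user named "Students" or an OU called "Students 2013" is not mistaken for the Students OU, and it works however deep OU=Students sits under the school OUs. Swapping in the real $info from ldap_get_entries() for $sample is the only change needed to use it in the posted script.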
Question has a verified solution.