How to create LDAP-to-AD filter to search DN

Posted on 2007-10-10
Last Modified: 2009-07-29
I have created a PHP script to query our Active Directory (via LDAP) and return relevant info on user accounts. Two questions:
1) When querying "distinguishedname", I get a good string of values back. When querying "dn", I only get back the letter "C" (and I see this in both PHP and ASP). (Interestingly, the "dn" string shows correctly in AD.)

2) Trying to construct a filter, based on info from (, results are not being returned... and I suspect it's because of the "dn" string in question #1.

Sample distinguishedName string for a student:
CN=Lyon0394,OU=2013,OU=Students,OU=Marcus Whitman,DC=skitsap,DC=wednet,DC=edu

The actual script itself works great ~ it's just the filtering piece that's not working. Full script below for your entertainment...

Thanks!!! :) Derry

//////////////////////// SCRIPT FOLLOWS //////////////////////////

<?php
$search   = $_POST["search"];
$srchtype = $_POST["stype"];

// Escape the user-supplied term before it is spliced into the filter; otherwise
// characters such as * ( ) \ let a caller rewrite the filter (LDAP injection).
$term = ldap_escape($search, "", LDAP_ESCAPE_FILTER);

// staff - no OU=Students
// student - must have OU=Students
// all - doesn't matter
// Note: the ":dn:" (dnAttributes) extensible-match flag is not supported by
// Active Directory, which is why the staff/student filters return nothing.
if ($srchtype == "staff") {
  $filter = "(&(objectclass=user)(&(!(ou:dn:=Students))(cn=*$term*)))";
} else if ($srchtype == "student") {
  $filter = "(&(objectclass=user)(&(ou:dn:=Students)(cn=*$term*)))";
} else {
  $filter = "(&(objectclass=user)(cn=*$term*))";
}  // closing brace was missing in the posted script

//$filter = "(&(cn=*$search*)(objectclass=user))";
//$filter = "(&(objectclass=user)(ou:dn:=Students))";

// LDAP fields to return (list reconstructed from the columns printed below; the
// post was cut off after "array("). The entry DN is always returned and need
// not be requested; "dn" is not an attribute name.
$inforequired = array("cn", "displayname", "mail", "distinguishedname",
                      "physicaldeliveryofficename", "description");

// Build an LDAP connection
$ds=ldap_connect("ldaps://","636");  // must be a valid LDAP server!

ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

// AD does not answer searches on an anonymous session; the posted script omits
// the bind, so labelled placeholders stand in for the service account here.
ldap_bind($ds, "BIND_USER_PLACEHOLDER", "BIND_PASSWORD_PLACEHOLDER");

$sr=ldap_search($ds, "dc=skitsap,dc=wednet,dc=edu", $filter, $inforequired);

$info = ldap_get_entries($ds,$sr);

// Print basic header info (HTML-escaped: these values come from POST data)
echo "<P>Search term: " . htmlspecialchars($search) . "</P>";
echo "<P>Search type: " . htmlspecialchars($srchtype) . "</P>";
echo "<P>Search filter: " . htmlspecialchars($filter) . "</P>";

if($info["count"] == 0) {
  echo "No info available";
} else {

  echo "<TABLE BORDER=1><TR><TH>Acct</TH><TH>Name</TH><TH>E-mail</TH><TH>Distinguished Name</TH><TH>Office</TH><TH>Description</TH><TH>DN</TH></TR>";

  // ldap_get_entries() returns every attribute as an array (with a "count"),
  // but the entry's "dn" as a plain string. $info[$i]["dn"][0] is therefore the
  // first character of the DN, the "C" of "CN=..." seen in question #1.
  for($i=0;$i<$info["count"];$i++) {
    $row[$i] = "<tr>"
     . "<td>" . htmlspecialchars($info[$i]["cn"][0] ?? "") . "</td>"
     . "<td>" . htmlspecialchars($info[$i]["displayname"][0] ?? "") . "</td>"
     . "<td>" . htmlspecialchars($info[$i]["mail"][0] ?? "") . "</td>"
     . "<td>" . htmlspecialchars($info[$i]["distinguishedname"][0] ?? "") . "</td>"
     . "<td>" . htmlspecialchars($info[$i]["physicaldeliveryofficename"][0] ?? "") . "</td>"
     . "<td>" . htmlspecialchars($info[$i]["description"][0] ?? "") . "</td>"
     . "<td>" . htmlspecialchars($info[$i]["dn"]) . "</td>"
     . "</tr>";
  }

  for($i=0;$i<$info["count"];$i++) print $row[$i] . "\n";

  echo "</TABLE>";
}
?>

<INPUT type="submit" value="Close window" name=Submit onclick="window.close()">

Question by: DerryLyons
    LVL 9

    Expert Comment

    What are you trying to accomplish with this syntax -


    ... it appears you're trying to specify some kind of matching rule but 'dn' is not a mnemonic (and obviously not an OID) that I'm familiar with.

    Author Comment

    Intent of    ou:dn:=Students   is to only include those entries that have an OU=Students.

    The syntax is based on the link mentioned in the original post (

    Thanks! :)
    LVL 9

    Expert Comment

    I also noticed you're referring to 'dn' as part of the attribute return set -- 'dn' is not a valid ldapDisplayName ...
    LVL 9

    Expert Comment

    OK, so that's not a valid matching rule (at least for AD), 'OU=Students' will work just fine or not'd if necessary with a '!'.

    Author Comment

    OK, so I modified the filter to:
    Search filter: (&(objectclass=user)(&(!(ou=Students))(cn=*lyon*)))
    ... but I still get both Students and non-Students...
    CN=Lyon7267,OU=2019,OU=Students,OU=Orchard Heights,DC=skitsap,DC=wednet,DC=edu
    CN=lyons,OU=Technology Staff,OU=Technology,DC=skitsap,DC=wednet,DC=edu
    LVL 9

    Accepted Solution

    Ohhhhh ... I see what you're trying to do (not sure how I missed that at the outset) ... anyway, I'm afraid to say that's not going to work as part of a filter, period!  The OU property is not populated on user objects and, as such, cannot be queried.  In addition, since the distinguishedName property isn't returned as a string it cannot be queried using a simple medial string query such as 'distinguishedName=*Students*' -- so that's out.

    The answer is that you have to filter the result set programmatically (i.e. filtering out any object whose DN, when treated as a string, does not contain OU=Students)

    ... or submit a onelevel scope at the domain head and iterate through the result set like this -

    base=domain head

      - for each OU in the result set, verify the OU value !=Students and perform your original query excluding the OU component on the filter
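The client-side filtering the accepted solution recommends, as an added example that is not part of the thread: since AD does not support the `:dn:` (dnAttributes) flag of RFC 4515 extensible matching, the OU test has to run over the returned DNs, and it is done here by splitting each DN into RDNs rather than with a substring search, so an OU merely containing "Students" or an escaped comma inside a CN is not mis-matched. The function names and the sample result set are constructed for this example.

```php
<?php
// Added example, not from the original post: filter ldap_get_entries() output
// client-side by a DN component, as the accepted solution recommends.
// Split a DN into RDN strings, honouring RFC 4514 backslash escapes so a
// value such as "Lyon\, Pat" is not cut at its escaped comma.
function dn_to_rdns(string $dn): array {
    $rdns = []; $cur = ''; $len = strlen($dn);
    for ($i = 0; $i < $len; $i++) {
        $c = $dn[$i];
        if ($c === '\\' && $i + 1 < $len) {   // keep the escape pair together
            $cur .= $c . $dn[++$i];
        } elseif ($c === ',') {
            $rdns[] = trim($cur); $cur = '';
        } else {
            $cur .= $c;
        }
    }
    $rdns[] = trim($cur);
    return $rdns;
}

// True if the DN has an RDN "type=value"; AD compares both case-insensitively.
function dn_has_rdn(string $dn, string $type, string $value): bool {
    foreach (dn_to_rdns($dn) as $rdn) {
        $p = explode('=', $rdn, 2);
        if (count($p) === 2 && strcasecmp(trim($p[0]), $type) === 0
                            && strcasecmp(trim($p[1]), $value) === 0) {
            return true;
        }
    }
    return false;
}

// Keep entries whose DN does ($students = true) or does not (false) contain
// OU=Students. $info is shaped like ldap_get_entries(): 'dn' is a plain string.
function filter_by_students(array $info, bool $students): array {
    $out = [];
    for ($i = 0; $i < $info['count']; $i++) {
        if (dn_has_rdn($info[$i]['dn'], 'OU', 'Students') === $students) {
            $out[] = $info[$i];
        }
    }
    return $out;
}

// Constructed sample result set, so the example runs without a directory.
$info = ['count' => 3,
    0 => ['dn' => 'CN=Lyon0394,OU=2013,OU=Students,OU=Marcus Whitman,DC=skitsap,DC=wednet,DC=edu'],
    1 => ['dn' => 'CN=lyons,OU=Technology Staff,OU=Technology,DC=skitsap,DC=wednet,DC=edu'],
    2 => ['dn' => 'CN=Lyon\, Pat,OU=2019,OU=Students,OU=Orchard Heights,DC=skitsap,DC=wednet,DC=edu']];
foreach (filter_by_students($info, false) as $e) echo "staff:   {$e['dn']}\n";
foreach (filter_by_students($info, true)  as $e) echo "student: {$e['dn']}\n";
```

In the original script this replaces the `ou:dn:=Students` clause: search with the plain `(&(objectclass=user)(cn=*...*))` filter, then pass `$info` through `filter_by_students()` with `true` for the student search type and `false` for staff.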
