
How to create LDAP-to-AD filter to search DN

I have created a PHP script to query our Active Directory (via LDAP) and return relevant info on user accounts. Two questions:
1) When querying "distinguishedname", I get a good string of values back. When querying "dn", I only get back the letter "C" (and I see this in both PHP and ASP). (Interestingly, the "dn" string shows correctly in AD.)

2) Trying to construct a filter, based on info from (http://confluence.atlassian.com/display/DEV/How+to+write+a+LDAP+search+filter), results are not being returned... and I suspect it's because of the "dn" string in question #1.

Sample distinguishedName string for a student:
CN=Lyon0394,OU=2013,OU=Students,OU=Marcus Whitman,DC=skitsap,DC=wednet,DC=edu

The actual script itself works great ~ it's just the filtering piece that's not working. Full script below for your entertainment...

Thanks!!! :) Derry

//////////////////////// SCRIPT FOLLOWS //////////////////////////
<html>
<head>

<style>
table{font-size:90%}
</style>
</head>
<body>

<?php

require_once('lib.php');

// Read the form fields; default to empty strings if they were not posted
$search   = isset($_POST["search"]) ? $_POST["search"] : "";
$srchtype = isset($_POST["stype"])  ? $_POST["stype"]  : "";

// Escape filter metacharacters ( ) * \ NUL so the search term cannot change
// the structure of the filter (ldap_escape needs PHP 5.6 or later)
$safesearch = ldap_escape($search, "", LDAP_ESCAPE_FILTER);

// staff - no OU=Students
// student - must have OU=Students
// all - doesn't matter
if ($srchtype == "staff") {
  $filter = "(&(objectclass=user)(&(!(ou:dn:=Students))(cn=*$safesearch*)))";
} else if ($srchtype == "student") {
  $filter = "(&(objectclass=user)(&(ou:dn:=Students)(cn=*$safesearch*)))";
} else {
  $filter = "(&(objectclass=user)(cn=*$safesearch*))";
}

//$filter = "(&(cn=*$safesearch*)(objectclass=user))";
//$filter = "(&(objectclass=user)(ou:dn:=Students))";

// LDAP fields to return
$inforequired = array(
                  "cn",
                  "displayname",
                  "description",
                  "physicaldeliveryofficename",
                  "givenname",
                  "sn",
                  "mail",
                  "dn",
                  "distinguishedname");

// First value of an attribute, HTML-escaped, or "" if the entry lacks it
function attr($entry, $name) {
  return isset($entry[$name][0]) ? htmlspecialchars($entry[$name][0]) : "";
}

// Build an LDAP connection (the port comes from the ldaps:// URI)
$ds = ldap_connect("ldaps://sksd01.skitsap.wednet.edu");  // must be a valid LDAP server!
if (!$ds) {
  die("Could not connect to LDAP server");
}

ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

$r = ldap_bind($ds, "ldapuser", "password_goes_here");
if (!$r) {
  die("LDAP bind failed: " . htmlspecialchars(ldap_error($ds)));
}

$sr = ldap_search($ds, "dc=skitsap,dc=wednet,dc=edu", $filter, $inforequired);
if (!$sr) {
  die("LDAP search failed: " . htmlspecialchars(ldap_error($ds)));
}

$info = ldap_get_entries($ds, $sr);

// Print basic header info (escaped, since these values came from the form)
echo "<p>Search term: " . htmlspecialchars($search) . "</p>";
echo "<p>Search type: " . htmlspecialchars($srchtype) . "</p>";
echo "<p>Search filter: " . htmlspecialchars($filter) . "</p>";

if ($info["count"] == 0) {
  echo "<p>No info available</p>";
} else {
  echo "<table border=1><tr><th>Acct</th><th>Name</th><th>E-mail</th><th>Distinguished Name</th><th>Office</th><th>Description</th><th>DN</th></tr>";

  $row = array();
  for ($i = 0; $i < $info["count"]; $i++) {
    $row[$i] = "<tr>"
             . "<td>" . attr($info[$i], "cn") . "</td>"
             . "<td>" . attr($info[$i], "displayname") . "</td>"
             . "<td>" . attr($info[$i], "mail") . "</td>"
             . "<td>" . attr($info[$i], "distinguishedname") . "</td>"
             . "<td>" . attr($info[$i], "physicaldeliveryofficename") . "</td>"
             . "<td>" . attr($info[$i], "description") . "</td>"
             . "<td>" . attr($info[$i], "dn") . "</td>"
             . "</tr>";
  }
  sort($row);   // rows all start with "<tr><td>", so this sorts by the Acct column
  for ($i = 0; $i < $info["count"]; $i++) print $row[$i] . "\n";

  echo "</table>";
}

ldap_close($ds);

?>
<input type="button" value="Close window" name="Submit" onclick="window.close()">
</body>
</html>

Asked by DerryLyons
1 Solution
 
MSE-dwells commented:
What are you trying to accomplish with this syntax -

ou:dn:=Students

... it appears you're trying to specify some kind of matching rule but 'dn' is not a mnemonic (and obviously not an OID) that I'm familiar with.
 
DerryLyons (Author) commented:
Intent of ou:dn:=Students is to only include those entries that have an OU=Students.

The syntax is based on the link mentioned in the original post (confluence.atlassian.com)...

Thanks! :)
 
MSE-dwells commented:
I also noticed you're referring to 'dn' as part of the attribute return set -- 'dn' is not a valid ldapDisplayName ...
 
MSE-dwells commented:
OK, so that's not a valid matching rule (at least for AD), 'OU=Students' will work just fine or not'd if necessary with a '!'.
 
DerryLyons (Author) commented:
OK, so I modified the filter to:
Search filter: (&(objectclass=user)(&(!(ou=Students))(cn=*lyon*)))
... but I still get both Students and non-Students...
CN=Lyon7267,OU=2019,OU=Students,OU=Orchard Heights,DC=skitsap,DC=wednet,DC=edu
CN=lyons,OU=Technology Staff,OU=Technology,DC=skitsap,DC=wednet,DC=edu
 
MSE-dwells commented:
Ohhhhh ... I see what you're trying to do (not sure how I missed that at the outset) ... anyway, I'm afraid to say that's not going to work as part of a filter, period!  The OU property is not populated on user objects and, as such, cannot be queried.  In addition, since the distinguishedName property isn't returned as a string it cannot be queried using a simple medial string query such as 'distinguishedName=*Students*' -- so that's out.

The answer is that you have to filter the result set programmatically (i.e. filtering out any object whose DN, when treated as a string, does not contain OU=Students).

... or submit a onelevel scope at the domain head and iterate through the result set like this -

base=domain head
filter=objectcategory=organizationalUnit
scope=onelevel

  - for each OU in the result set, verify the OU value !=Students and perform your original query excluding the OU component on the filter
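The client-side filtering this answer recommends, as an added example that is not part of the thread and not DerryLyons's script: a helper splits a distinguishedName into its RDN components, honouring backslash-escaped commas as RFC 4514 allows, and keeps or drops each entry of an ldap_get_entries() result depending on whether an OU=Students component is present. It also bears on question 1 of the original post: PHP's ldap_get_entries() stores each entry's DN as a plain string in $entry["dn"] rather than as a ["count" => 1, 0 => ...] attribute array, so $entry["dn"][0] returns only the first character, "C". The $sample array is constructed to mirror ldap_get_entries() output; its first two DNs are the ones quoted in the thread and the third is made up to exercise the escape handling. Note that in the sample DNs the Students OU sits under a school OU, so a onelevel enumeration at the domain head would return the school OUs rather than Students; the filter below does not depend on how deep the OU is nested.

```php
<?php
// Added example, not part of the original post. Filters ldap_get_entries()
// output by the OU components of each entry's DN, which AD cannot do server-side.

/**
 * Split a DN into [type, value] pairs. RFC 4514 lets a comma inside a value be
 * escaped with a backslash (e.g. "CN=Lyon\, Test"), so a plain explode(',')
 * would cut such names in half; this loop honours the escape.
 */
function parse_dn($dn)
{
    $rdns = array();
    $current = '';
    $len = strlen($dn);
    for ($i = 0; $i < $len; $i++) {
        $ch = $dn[$i];
        if ($ch === '\\' && $i + 1 < $len) {
            $current .= $dn[++$i];      // keep the escaped character, drop the backslash
        } elseif ($ch === ',') {
            $rdns[] = $current;
            $current = '';
        } else {
            $current .= $ch;
        }
    }
    $rdns[] = $current;

    $parsed = array();
    foreach ($rdns as $rdn) {
        $parts = explode('=', $rdn, 2);
        if (count($parts) !== 2) {
            continue;                   // malformed component: skip it
        }
        $parsed[] = array(strtoupper(trim($parts[0])), trim($parts[1]));
    }
    return $parsed;
}

/** True when the DN contains an RDN OU=<name>; AD compares names case-insensitively. */
function dn_has_ou($dn, $ou)
{
    foreach (parse_dn($dn) as $rdn) {
        if ($rdn[0] === 'OU' && strcasecmp($rdn[1], $ou) === 0) {
            return true;
        }
    }
    return false;
}

/**
 * Post-filter the array returned by ldap_get_entries(). $mode is "staff",
 * "student" or "all", matching $srchtype in the original script.
 * ldap_get_entries() stores each DN as a plain string in $entry["dn"] (unlike
 * real attributes, which are arrays with a "count" key), so it is read directly.
 */
function filter_entries_by_ou($info, $mode, $ou = 'Students')
{
    $kept = array();
    for ($i = 0; $i < $info['count']; $i++) {
        $entry = $info[$i];
        $inOu = dn_has_ou($entry['dn'], $ou);
        if ($mode === 'student' && !$inOu) {
            continue;
        }
        if ($mode === 'staff' && $inOu) {
            continue;
        }
        $kept[] = $entry;
    }
    return $kept;
}

// Constructed sample in the shape ldap_get_entries() returns; the first two DNs
// are the ones quoted in the thread, the third is made up to exercise the escape.
$sample = array(
    'count' => 3,
    0 => array('dn' => 'CN=Lyon7267,OU=2019,OU=Students,OU=Orchard Heights,DC=skitsap,DC=wednet,DC=edu',
               'cn' => array('count' => 1, 0 => 'Lyon7267')),
    1 => array('dn' => 'CN=lyons,OU=Technology Staff,OU=Technology,DC=skitsap,DC=wednet,DC=edu',
               'cn' => array('count' => 1, 0 => 'lyons')),
    2 => array('dn' => 'CN=Lyon\, Test,OU=2013,OU=Students,OU=Marcus Whitman,DC=skitsap,DC=wednet,DC=edu',
               'cn' => array('count' => 1, 0 => 'Lyon, Test')),
);

foreach (array('staff', 'student', 'all') as $mode) {
    $names = array();
    foreach (filter_entries_by_ou($sample, $mode) as $entry) {
        $names[] = $entry['cn'][0];
    }
    echo $mode, ': ', implode(' | ', $names), "\n";
}
```

Run it with php on the command line to see the three modes; in the script from the original post, drop the $sample block, search with the plain (cn=*...*) filter and pass the real $info from ldap_get_entries() through filter_entries_by_ou() before building the table.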
