Diese Seite bei php.net
The PHP manual text and comments are covered by the Creative Commons Attribution 3.0 License © the PHP Documentation Group - Impressum - mail("TO:Reinhard Neidl",...)
(PHP 4, PHP 5)
ldap_search — Suche im LDAP Baum
Rückgabewert: eine Such-Ergebnis-Kennung im Erfolgsfall, FALSE im Fehlerfall.
Die ldap_search() Funktion führt die Suche für einen gegebenen Filter im Verzeichnis mit der Reichweite von LDAP_SCOPE_SUBTREE durch. Das ist äquivalent zu einer Suche im ganzen Verzeichnis.base_dn legt den Basis DN für das Verzeichnis fest.
Der optionale vierte Parameter kann benutzt werden, um die Rückgabewerte des Servers so einzuschränken, dass nur die tatsächlich benötigten Merkmale und ihre zugehörigen Werte in der Ergebnismenge enthalten sind. Dieses Vorgehen ist um einiges effizienter als die standardmäßige Vorgehensweise (diese liefert alle Merkmale und alle zugehörigen Werte). Aus diesem Grund ist die Angabe des vierten Parameters als gute Praxis zu empfehlen.
Der vierte Parameter ist ein Standard PHP Array aus Strings der benötigten Merkmale, z.B. array("mail","sn","cn"). Beachten Sie, dass der "dn" immer zurückgeliefert wird, ohne Rücksicht darauf, welche Merkmalstypen angefragt wurden.
Beachten Sie weiterhin, dass manche Verzeichnis-Server so konfiguriert sind, dass sie nicht mehr als eine vorbestimmte Anzahl an Einträgen zurückliefern. Sollte dies der Fall sein, zeigt Ihnen der Server an, dass nur eine Teilmenge des Ergebnisses zurückgeliefert wurde. Diesen Hinweis erhalten Sie auch, wenn Sie den sechsten Parameter größenbegrenzung mit angegeben hatten, um die Anzahl der angefragten Einträge einzuschränken.
Der fünfte Parameter nur_werte sollte auf 1 gesetzt werden, wenn Sie nur Merkmalstypen erhalten möchten. Wenn der Wert auf 0 steht, erhalten Sie sowohl Merkmalstypen als auch Merkmalswerte. Das ist das Standard Verhalten.
Mit dem sechsten Parameter größenbegrenzung ist es möglich, die Anzahl der Einträge, die Sie erhalten, zu begrenzen. Wenn Sie diesen Wert auf 0 setzen, bedeutet dies keine Beschränkung der Ergegnismenge. ANMERKUNG: Dieser Parameter kann eine serverseitig gesetzte Beschränkung NICHT überschreiben. Sie haben nur die Möglichkeit die Beschränkung noch weiter herabzusetzen.
Der siebte Parameter zeitbegrenzung legt die Zahl in Sekunden fest, die auf die Suche verwendet wird. Wenn Sie diesen Wert auf 0 setzen, bedeutet dies keine Beschränkung der Zeit. ANMERKUNG: Dieser Parameter kann eine serverseitig gesetzte Zeitbegrenzung NICHT überschreiben. Sie haben nur die Möglichkeit die Beschränkung noch weiter herabzusetzen.
Der achte Parameter deref gibt an, wie Aliase während einer Suche behandelt werden. Wert kann einer der folgenden sein:
Hinweis:
Diese optionalen Parameter wurden in 4.0.2 hinzugefügt: nur_werte, größenbegrenzung, zeitbegrenzung, deref.
Der Suchfilter kann einfach oder kompliziert sein, wenn sie boolsche Operatoren in dem Format verwenden, wie in der LDAP Dokumentation beschrieben (siehe » Netscape Directory SDK für die vollständige Information über Filter).
Das untenstehende Beispiel liefert die Organisationseinheit, den Familiennamen, den Vornamen und die Email-Addresse aller Personen in "Meine Firma" deren Familien- oder Vorname die Zeichenkette $person enhält. In diesem Beispiel wird ein boolscher Filter verwendet, um den Server zu veranlassen, nach Informationen in mehr als einem Merkmal zu suchen.
Beispiel #1 LDAP Suche
// $ds gültige Verbindungs-Kennung für einen Verzeichnis-Server
// $person ein Teil oder der vollständige Name einer Person, z.B. "Jo"
$dn = "o=Meine Firma, c=DE";
$filter="(|(sn=$person*)(vorname=$person*))";
$justthese = array( "ou", "sn", "vorname", "mail");
$sr=ldap_search($ds, $dn, $filter, $justthese);
$info = ldap_get_entries($ds, $sr);
print $info["count"]." gefundene Einträge<p>";
Seit der Version 4.0.5 ist es außerdem möglich parallele Suchen durchzuführen. Um dies zu verwirklichen benutzen Sie als erstes Argument einen Array von Verbindungs-Kennungen, statt einer einzelnen Verbindungs-Kennung. Falls Sie nicht den gleichen Basis DN und den gleichen Filter für alle Suchen verwenden möchten, können Sie ebenso einen Array von Basis DNs und/oder einen Array von Filtern benutzen. Diese Arrays müssen die gleiche Größe wie das Array der Verbindungs-Kennungen haben, da die ersten Einträge der Arrays für eine Suche verwendet werden, die zweiten Einträge für eine andere Suche und so weiter. Wenn Sie parallel suchen erhalten Sie ein Array von Such-Ergebnis-Kennungen, außer im Fall eines Fehlers, dann liefert der Eintrag zur entsprechenden Suche FALSE zurück. Das entspricht ganz genau dem Wert der normalerweise zurückgeliefert wird, außer dass Sie immer eine Ergebnis-Kennung erhalten, wenn Sie eine Suche durchgeführt haben. Es treten einige seltene Fälle auf, wo eine normale Suche FALSE zurückgibt, während die parallele Suche eine Kennung zurückliefert.
To get all attributes + special attributes:
<?php
ldap_search(..., $filter, array('*','createtimestamp','modifytimestamp'));
?>
* -> all attributes (normally requested by default)
+
the special attributes you want
Following from my note of 11-Nov-2009 06:56 regarding DN issues when using LDAP instead of the Global Catalog when querying AD, further investigation was showing that although the results were in the packet, I was getting an error instead:
'Search: Can't contact LDAP server' AKA Error 81.
Using more detailed analysis:
ldap_get_option($ds,LDAP_OPT_ERROR_STRING,$error);
echo $error
Displayed:
Referral: ldap://DomainDnsZones.defg.de.bc.ac.uk/ DC=DomainDnsZonesDC=defg,DC=de,DC=abc,DC=ac,DC=uk
By using trial and error, the error went away and results returned when using:
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
When searching Active Directory, if you are not getting all the attributes back you are expecting such as AD system/hidden attributes such as 'employeeType' then check the following:
First, ensure you are not connecting to the Global Catalog port (e.g. 3269/3268). You need to connect to an LDAP port such as 636 (SSL) or 389 (non-SSL).
Second, check the DN you are binding with when changing from the Global Catalog port to an LDAP port. I found that a DN without an OU returned a 'Search: Can't contact LDAP server' error. For example this fails:
DC=defg,DC=de,DC=abc,DC=ac,DC=uk
Whilst adding the OU to the DN returned an error free result:
OU=FGH,DC=defg,DC=de,DC=abc,DC=ac,DC=uk
If you consequently need to interrogate multiple DNs then an array of DNs can be passed to ldap_search.
Example to illustrate searching more than one DN (multiple DNs):
<?php
$ds=ldap_connect($ldapserver);
$dn[]='OU=ABC,DC=xyz,DC=ac,DC=uk';
$dn[]='OU=DEF,DC=xyz,DC=ac,DC=uk';
$id[] = $ds;
$id[] = $ds;
$filter = 'samaccountname='.$_POST['username'];
$result = ldap_search($id,$dn,$filter);
$search = false;
foreach ($result as $value) {
if(ldap_count_entries($ds,$value)>0){
$search = $value;
break;
}
}
if($search){
$info = ldap_get_entries($ds, $search);
}else{
$info = 'No results found';
}
?>
This function accepts LDAP search results and return a flat table (2-d array) with search results.
<?php
/*
* This function returns flat table out of search results
* $ad - a valid connection to Active Directory (returned by ldap_connect)
* $sr - a search result (returned by ldap_search)
* $key- an attribute name to be used as the key in the resulting array
* Returns 2-d array as the following:
* return_value["keyfieldvalue"]["attributename"] = "attribute value"; // entries with key filed present
* return_value[i]["attributename"] = "attribute value"; // entries with key fields missing
*/
function ldap_flatresults($ad,$sr,$key=false) {
for ($entry=ldap_first_entry($ad,$sr);
$entry!=false;
$entry=ldap_next_entry($ad,$entry)) {
$user = array();
$attributes = ldap_get_attributes($ad,$entry);
for($i=$attributes['count'];$i-- >0;) {
$user[strtolower($attributes[$i])] = $attributes[$attributes[$i]][0];
}
if( $key && $user[$key] )
$users[strtolower($user[$key])] = $user;
else
$users[] = $user;
}
return $users;
}
?>
As of today, I have found for me that ldap_search and ldap_list are reversed in functionality. ldap_list now searches the subtree and ldap_search does not. This is witnessed when searching against an AD forest running on Windows 2008 in what I believe is 2003 mode.
Here's an example of how to connect to an active directory (2003 windows ad tested). And retrieve a specific person's information when given only their username (sAMAccountName). Note: I have noticed that some active directory servers do care about what case the attributes are in and others don't. This site was very useful in looking up the AD attributes but I did have to lowercase them all to work for me.
Do a google search on "active directory person attributes" to find the site. www.computerperformance.co.uk
I doubt the code below will work for everybody as is but it should give ad users a good start in how to get a logged in user's data without knowing what organization or security group they're in. This was needed because my company didn't put all their users in the same organization.
<?PHP
$ldap_url = 'examplead.mycomp.com';
$ldap_domain = 'mycomp.com';
$ldap_dn = "dc=mycomp,dc=com";
$ds = ldap_connect( $ldap_url );
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
$username = "your_user_name_here";
//must always check that password length > 0
$password = "your_password_here";
// now try a real login
$login = ldap_bind( $ds, "$username@$ldap_domain", $password );
echo '- Logged In Successfully<br/><br/>';
try{
$attributes = array("displayname", "mail",
"department",
"title",
"physicaldeliveryofficename",
"manager");
$filter = "(&(objectCategory=person)(sAMAccountName=$username))";
$result = ldap_search($ds, $ldap_dn, $filter, $attributes);
$entries = ldap_get_entries($ds, $result);
if($entries["count"] > 0){
//echo print_r($entries[$i],1)."<br />";
echo "<b>User Information:</b><br/>";
echo "displayName: ".$entries[0]['displayname'][0]."<br/>";
echo "email: ".$entries[0]['mail'][0]."<br/>";
echo "department: ".$entries[0]['department'][0]."<br/>";
echo "title: ".$entries[0]['title'][0]."<br/>";
echo "office: ".$entries[0]['physicaldeliveryofficename'][0]."<br/>";
//echo "manager: ".$entries[$i]['manager'][0]."<br/>";
$manager_result = ldap_search($ds,
$entries[0]['manager'][0],
'(objectCategory=person)',
array("displayname"));
$manager_entries = ldap_get_entries($ds, $manager_result);
if($manager_entries["count"] > 0){
echo "manager: ". $manager_entries[0]['displayname'][0];
}
}
}catch(Exception $e){
ldap_unbind($ds);
return;
}
ldap_unbind($ds);
echo '<br/><br/>- Logged Out';
?>
A better ldap_escape, if you don't need nested filters such as those in the Pear package. Escapes for both filters and distinguished names.
<?php
function ldap_escape($str, $for_dn = false)
{
// see:
// RFC2254
// http://msdn.microsoft.com/en-us/library/ms675768(VS.85).aspx
// http://www-03.ibm.com/systems/i/software/ldap/underdn.html
if ($for_dn)
$metaChars = array(',','=', '+', '<','>',';', '\\', '"', '#');
else
$metaChars = array('*', '(', ')', '\\', chr(0));
$quotedMetaChars = array();
foreach ($metaChars as $key => $value) $quotedMetaChars[$key] = '\\'.str_pad(dechex(ord($value)), 2, '0');
$str=str_replace($metaChars,$quotedMetaChars,$str); //replace them
return ($str);
}
?>
Please note, that your example is not fully implementing filter escaping needs and is thus not safe for every case (see RFC 2254).
Filter stuff is also available in pears Net_LDAP: http://pear.php.net/manual/en/package.networking.net-ldap.filter.php
With this class you can easily create nested filters without worrying for escaping issues (those are handled by the class itnernally in a rfc compatible maner).
// Escape string
// see: RFC2254
function ldap_escape($str){
$metaChars = array('\\', '(', ')', '#', '*');
$quotedMetaChars = array();
foreach ($metaChars as $key => $value) $quotedMetaChars[$key] = '\\'.dechex(ord($value));
$str=str_replace($metaChars,$quotedMetaChars,$str); //replace them
return ($str);
}
Here are a couple of resources for proper construction of filters.
http://msdn2.microsoft.com/En-US/library/aa746475.aspx
http://technet.microsoft.com/en-us/library/aa996205.aspx
Before finding these I had been stumped for hours on how to do something like "all users starting with "a" except those from OU 'foo'"
LDAP stuff is very nicely capsulated in the object oriented Net_LDAP class provided by PEAR:
http://pear.php.net/package/net_ldap
When I discovered I couldn't get searches to work with complex strings (in my case searching on displayName which can have parens and slashes in it). I made this quick function to quote ldap strings in accordance with the RFC. Except I encode spaces as well since searching wouldn't work with spaces. Note, technically speaking a search filter can be encoded into the \xx format for all characters but then filters wouldn't be human readable.
I'm somewhat surprised there wasn't a built in ldap_quote() type of function already.
<?php
// see: RFC2254
function ldap_quote($str) {
return str_replace(
array( '\\', ' ', '*', '(', ')' ),
array( '\\5c', '\\20', '\\2a', '\\28', '\\29' ),
$str
);
}
?>
I just posted on the ldap_bind, but I figured it couldn't hurt here since this was the first place I stopped when trying to figure out my problem. My error pointed to ldap_search, but specifying the ldap_connect port was the fix.
When you want to search the entire directory for MS AD, you must specify port 3268 in your bind. This is also true for apache auth_ldap.
$ldapserver = ldap_connect($server,3268);
I had problem searching into Microsoft Active Directory
with ldap_search.
System administrator does not want to change the 1.000 limit
of returned result because of Domain Controler performance.
Here is a example of code that activates the Page Mode.
See "searching with ActiveX Data Objects (ADO)" on MSDN
for more details.
$connection = New COM("ADODB.Connection");
$commande = New COM("ADODB.Command");
$resultat = New COM("ADODB.Recordset");
$connection->Provider = "ADsDSOObject";
$connection->Open();
$commande->ActiveConnection = $connection ;
$commande->Properties["Cache results"] = false;
// ACTIVATE PAGE MODE
$commande->Properties["Page size"] = 1000;
$recherche1 = "<LDAP://OU=XXXX,OU=Ressources_Locales,DC=COMMUN,
DC=AD,DC=YYYY,DC=FR>";
$recherche2 = ";(&(objectCategory=group)
(sIDHistory=*));distinguishedname;subtree";
$commande->commandtext = $recherche1.$recherche2;
$resultat = $commande->Execute();
$count = 0;
while (!$resultat->eof())
{
if ($count<10)
echo $resultat["distinguishedname"]."<br>";
$resultat->MoveNext();
$count = $count +1;
}
echo $count."<br>";
I was completely lost trying to setup LDAP access with a Windows Server 2003 environment, but I finally got it to work. Here's a lifesaving tip:
-Script/web server cannot be located on the Active Directory server that you are querying
As well, here's the sample code I used:
<?php
//This code cannot be executed on the same server as AD is installed on!!!
//Connect
$ad = ldap_connect("ad server");
//Set some variables
ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ad, LDAP_OPT_REFERRALS, 0);
//Bind to the ldap directory
$bd = ldap_bind($ad,"user@domain.com","password")
or die("Couldn't bind to AD!");
//Search the directory
$result = ldap_search($ad, "OU=orginizational unit,DC=domain,DC=com", "(CN=*)");
//Create result set
$entries = ldap_get_entries($ad, $result);
//Sort and print
echo "User count: " . $entries["count"] . "<br /><br /><b>Users:</b><br />";
for ($i=0; $i < $entries["count"]; $i++)
{
echo $entries[$i]["displayname"][0]."<br />";
}
//never forget to unbind!
ldap_unbind($ad);
?>
If you are just trying to run LDAP searches against Active Directory, you might find it easier to use the COM objects and use the ADSI ldap search function. This allows you to use SQL based LDAP queries. It also allows you to perform subtree level searches in AD.
Here is a quick example.
<?php
$Conn = New COM("ADODB.Connection");
$RS = New COM("ADODB.Recordset");
$Conn->Provider = "ADsDSOObject";
$Conn->Properties['User ID'] = "CN=ZimZam,CN=Users,DC=corp,DC=ad,DC=bob,DC=prv";
$Conn->Properties['Password'] = "anythingyouwant";
$strConn = "Active Directory Provider";
$Conn->Open($strConn);
$strRS = "Select givenname,sn,displayName,mail,SAMAccountName from 'LDAP://corp.ad.bob.prv/DC=corp,DC=ad,DC=bob,DC=prv' where objectClass='user' and SAMAccountName='abc123';
$RS->Open($strRS, $Conn, 1, 1);
echo $RS['givenname'] ." - ". $RS['sn'] ." - ". $RS['displayName'] ." - ". $RS['mail'] ." - ". $RS['SAMAccountName'] ."<br>";
$RS->Close;
$Conn->Close;
?>
HOWTO list LDAP users.
This CODE list one user from LDAP tree, but I' like list all user from LDAP one ou=Organization
<?php
$ldaprdn = 'cn=user,dc=domain,dc=org';
$ldappass = 'password';
$sdn = 'cn=user,ou=group,dc=domain,dc=org';
$ldapconn = ldap_connect("ldap://localhost", 389)
or die("Not connect: $ldaphost ");
if ($ldapconn) {
// binding to ldap server
$ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass);
// verify binding
if ($ldapbind) {
$filter="uid=*";
$justthese = array("uid");
$sr=ldap_read($ldapconn, $srdn, $filter, $justthese);
$entry = ldap_get_entries($ldapconn, $sr);
} else {
echo "LDAP conn ok...";
}
}
ldap_close($ldapconn);
?>
<?php
echo $entry[0]["mail"][0] . " mail adress ";
echo $entry[0]["sn"][0] . " Name ";
?>
The internal attributes (like createTimestamp, modifyTimestamp, etc), don't come by default (when the optional parameter attributes is not set). You have to specify it:
<?
$r=ldap_search($ds,$base,$filter,array("createTimestamp"));
?>
It appears that the Netscape Directory SDK (developer.netscape.com) referenced for LDAP filter information is no longer accepting connections. The A copy of RFC 2254 which defines the standard for string representations of LDAP filters can be found at http://www.ietf.org/rfc/rfc2254.txt
PHP 4.3.10
I was trying to do an ldapsearch without a basedn. First, I tried with ' ', as suggested above, but it gave me invalid dn syntax error.
ie:
$sr=ldap_search($ds, ' ', $filter);
Warning: ldap_search(): Search: Invalid DN syntax in ...
Then I changed it to
$sr=ldap_search($ds, "", $filter);
Which gave me the following error:
Warning: ldap_search(): Search: No such object in ...
With that I then modified my ldap.conf file and commented out the BASE field
#BASE dc=example, dc=com
Then it worked!
So it looks like if you supply a blank basedn, then it will use your default basedn in ldap.conf.
I was doing a ldap_search with
$searchbasedn = "miDomainName=" . $_SESSION['selectDomain'] ."," . LDAP_DOMAINBASE;
$filter = "(&(mpsAccountNumber=". $acctNumber .")(objectclass=mpsAccountDetails))";
$attributes = array("mpsparentchild");
$sr = ldap_search($ldapconn, $searchbasedn, $filter,$attributes);
For some reasone this search was failing
but I was able to do successful search only when I gave the search filter as
$filter = "(&(mpsAccountNumber= $acctNumber )(objectclass=mpsAccountDetails))";
I did not get why the ldap_search was not able to search in the first case.
In order to perform the searches on Windows 2003 Server Active Directory you have to set the LDAP_OPT_REFERRALS option to 0:
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
Without this, you will get "Operations error" if you try to search the whole AD schema (using root of the domain as a $base_dn).
As opposed to Windows 2000 Server, where this option was optional and only increased the performance.
If you are searching active directory and are experiencing lag or time outs, it may be that you are being given ldap referrals from the ldap server. The following code will disable this.
<?
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
?>
When searching for BINARY data (such as an Active Directory objectGUID) you need to escape each hexadecimal character with a backslash.
The following command line run of ldapsearch shows:
ldapsearch -b "dc=blahblah,dc=com" "(objectGUID=\AE\C3\23\35\F7)"
In PHP, you need to escape the escape for the backslash:
ldap_search($ds,"dc=blahblah,dc=com", "(objectGUID=\\AE\\C3\\23\\35\\F7)");
it seems that all fields must be used in lower case even if they are mixed case in the ldapsearch output.
example:
gidNumber: 1010
homeDirectory: /home/dnt
must be:
echo "gid: " . $info[$i]["gidnumber"][0] . "<br>";
echo "home directory: ". $info[$i]["homedirectory"][0] ."<br>";
not ( $info[$i]["homeDirectory"][0] ) etc.
Here is a little script that make a complete subtree search ( i know a script above seems do that but it doesnt work fine)
This is my version:
Voila ce que j'ai fait aujourd'hui ...
$ldap_host = "192.168.0.50";
$ldap_port = "389";
$base_dn = "dc=fr";
$filter = "(cn=*)";
$ldap_user ="cn=admin,dc=fr";
$ldap_pass = "hellodelu";
$connect = ldap_connect( $ldap_host, $ldap_port);
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
$bind = ldap_bind($connect, $ldap_user, $ldap_pass);
$read = ldap_search($connect, $base_dn, $filter);
$info = ldap_get_entries($connect, $read);
echo $info["count"]." entrees retournees<BR><BR>";
for($ligne = 0; $ligne<$info["count"]; $ligne++)
{
for($colonne = 0; $colonne<$info[$ligne]["count"]; $colonne++)
{
$data = $info[$ligne][$colonne];
echo $data.":".$info[$ligne][$data][0]."<BR>";
}
echo "<BR>";
}
ldap_close($connect);
--------
nicolas
Minor clarification on AD LDAP searchs. Small typo in previous example, and does not display multiple values per attribute. Here's the for loop to enumerate all entries, attributes, and values:
$bind = ldap_bind($connect) // asume anon connect or add user/pass
or exit(">>Could not bind to $ldap_host<<");
$read = ldap_search($connect, $base_dn, $filter)
or exit(">>Unable to search ldap server<<");
$info = ldap_get_entries($connect, $read);
echo $info["count"]." entries returned<br>";
// $i = entries
// $ii = attributes for entry
// $iii = values per attribute
for ($i = 0; $i<$info["count"]; $i++) {
for ($ii=0; $ii<$info[$i]["count"]; $ii++){
$data = $info[$i][$ii];
for ($iii=0; $iii<$info[$i][$data]["count"]; $iii++) {
echo $data.": ".$info[$i][$data][$iii]."<br>";
}
}
echo "<p>"; // separate entries
To do subtree search from top DN in Active Directory, Make sure you do your ldap_set_option().
<?php
$ldap_host = "pdc.php.net";
$base_dn = "DC=php,DC=net";
$filter = "(cn=Joe User)";
$ldap_user = "CN=Joe User,OU=Sales,DC=php,DC=net";
$ldap_pass = "pass";
$connect = ldap_connect( $ldap_host, $ldap_port)
or exit(">>Could not connect to LDAP server<<");
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
$bind = ldap_bind($connect, $ldap_user, $ldap_pass)
or exit(">>Could not bind to $ldap_host<<");
$read = ldap_search($connect, $base_dn, $filter)
or exit(">>Unable to search ldap server<<");
$info = ldap_get_entries($connect, $read);
echo $info["count"]." entries returned<p>";
$ii=0;
for ($i=0; $ii<$info[$i]["count"]; $ii++){
$data = $info[$i][$ii];
echo $data.": ".$info[$i][$data][0]."<br>";
}
ldap_close($connect);
?>
When I tried to search with empty base DN on OpenLDAP server which had "" namingContext I got result "no such object". In the log file there was query for dn: dc=example,dc=com (!).
As a workaround, it seems it's enough to feed it with space (' ') as base DN - ldap_search($ds, ' ', '(...filter...)', ...
A previous comment noted: "I've also noticed that the departmentNumber, employeeNumber (and maybe others in inetorgperson.schema) are not returned from a search."
This is incorrect. These attributes are returned, but you must reference them with lowercase names. That is, instead of doing this:
$entries[0]["departmentNumber"][0]
Do this:
$entries[0]["departmentnumber"][0]
This doesn't seem like "correct" behavior to me, but I don't know enough about LDAP to say for sure.
It might be useful to list here the operators that work:
= - matches exact value
=*xxx - matches values ending xxx
=xxx* - matches values beginning xxx
=*xxx* - matches values containing xxx
=* - matches all values (if set - NULLS are not returned)
>=xxx - matches everthing from xxx to end of directory
<=xxx - matches everything up to xxx in directory
~=xxx - matches similar entries (not all systems)
Boolean operators for constructing complex search
&(term1)(term2) - matches term1 AND term2
| (term1)(term2) - matches term1 OR term2
!(term1) - matches NOT term1
&(|(term1)(term2))(!(&(term1)(term2)) - matches XOR term1 term2
some of the more compelx constructions seem to work with varying degrees of efficiency - sometimes it can be better to filter some of the results with the search and do further filtering in PHP.
implode(", ",$uentry[0]["rfc822mailalias"]);
doesn't work as expected because "count" is in there... one /must/ use the 'for' loop to cycle through results (discarding "count" element).
I've found that spaces need to be escaped in search filters ("\20"), at least using the Red Hat PHP 4.1.2 package. Otherwise no results are returned.
Try to use ldap_list(), if possible. It is much faster. ldap_search searches a scope of LDAP_SCOPE_SUBTREE, but ldap_list searches a scope of just LDAP_SCOPE_ONELEVEL. This made a big difference on Novell eDirectory 8.6.1, even for a query that only returned 130 objects. Using an attribute list, the 4th function parameter (of either function), also made queries faster.
I used the following to retrieve all entries from an ILS (Netmeeting) Server:<p> $sr=ldap_search($ds, "objectclass=rtperson","(&(cn=%)(objectclass=rtperson))");
<p>Have fun!
<p>Kees
FYI, for those doing LDAP searches on Exchange servers, there seems to be some preference in Exchange to disallow searches that aren't initial searches (i.e. only x* will work, not * or *x). I'd been going nuts trying to figure out why I kept getting errors doing * searches.
More info at:
http://www.microsoft.com/Exchange/en/55/help/documents/server/XOG16007.HTM
Be careful of special characters when generating filters from user input.
*, (, ), \ and NUL should be backslash-escaped. See section 4 of RFC 2254 (I found it here:
http://www.cis.ohio-state.edu/htbin/rfc/rfc2254.html)
Diese Seite bei php.net