I'm trying to get the list of groups to which the authenticated user belongs. The HTTP server is Apache2, and I'm binding to an Active Directory server.
As far as I know, the only way I can do it is by getting all the groups that happen to have that user in their member attribute.
By doing this:
$groups = ldap_list($ldap, 'OU=Groups,DC=server,DC=com', '(objectClass=group)', ['cn']);
It works perfectly well, I get all the group names in $groups. So far so good.
Now, after making sure the authenticated user (say userdp08) is in the member attribute of several of the groups listed above, I change the filter:
$groups = ldap_list($ldap, 'OU=Groups,DC=server,DC=com', '(&(member=userdp08)(objectClass=group))', ['cn']);
Well, now I don't get any group. In case the member attribute uses the full DN of the users, I change to:
$groups = ldap_list($ldap, 'OU=Groups,DC=server,DC=com', '(&(member=CN=userdp08*)(objectClass=group))', ['cn']);
I've tried all these filters, to no avail:
'(&(member=*CN=userdp08*)(objectClass=group))'
'(&(member=*userdp08*)(objectClass=group))'
'(&(member=*08*)(objectClass=group))'
And even this one doesn't work:
'(objectClass=gro*)'
However, if I retrieve the full DN of the user and I use it in an exact match filter, I get the appropriate groups correctly.
My question is: as it seems that substring filters are not working, is it possible that they are disabled in the AD configuration? I mean, can they be disabled somehow?
CodePudding user response:
Regarding substring filters, your question is really about which attributes are indexed in AD, and how.
There is no substring index for the member attribute (actually, by default it is not indexed at all), so you must pass the full DN to get a match, or modify the searchFlags property of the attribute in the schema to specify the index.
It is also good to know that objectCategory is indexed, while objectClass is not.
But this is not the only way to retrieve a user's groups. In AD you have the memberOf attribute, which makes membership filtering easier and more performant (in OpenLDAP this is not enabled by default). As its name implies, you can query for a given user and read the memberOf attribute to get all groups that user is a member of, e.g.:
$groups = ldap_list($ldap, 'OU=Users,DC=server,DC=com', '(&(objectCategory=person)(CN=userdp08*))', ['memberOf']);
or:
$groups = ldap_list($ldap, 'OU=Users,DC=server,DC=com', '(sAMAccountName=userdp08)', ['memberOf']);
The drawback is that you only get the value(s) of that attribute, which are the DNs of those groups, so if you want to read their cn, you still have to look up the matching group entries.