PHP function that gets the members of an Active Directory group, and returns the Users’ attributes as an array.
This is an improved version of the snippet posted on 2/10/2011
The Function
<?php
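/**
 * Build the LDAP search filter used by get_members().
 *
 * Group names are caller-supplied, so each one is escaped before it is
 * embedded in the filter. The name ends up inside a DN ("CN=<name>,<dn>")
 * that is itself an assertion value inside a filter, so it is escaped
 * twice, in that order: first with the DN rules (",", "=", "+", "<", ">",
 * ";", "\"", "#", "\"), then with the filter rules ("*", "(", ")", "\",
 * NUL). Without this, a name such as "x)(memberOf=CN=Domain Admins"
 * would change the meaning of the query instead of being matched
 * literally.
 *
 * @param string|string[]|false $group     Group CN, list of group CNs, or FALSE for no group filter
 * @param bool                  $inclusive Only used for a list: TRUE = member of ANY listed group (OR),
 *                                         FALSE = member of ALL listed groups (AND)
 * @param string                $ldap_dn   Container DN that the group CNs are appended to
 * @return string RFC 4515 filter string
 */
function _get_members_filter($group, $inclusive, $ldap_dn) {
    // Base clause: user objects that are people (objectCategory=person excludes computer accounts)
    $base = "(&(objectClass=user)(objectCategory=person))";
    // FALSE, "", or an empty list all mean "no group filter". The original
    // emitted an unbalanced "(&)" for an empty list; treat it as no filter.
    if (!$group) {
        return $base;
    }
    $names = is_array($group) ? $group : array($group);
    $clauses = "";
    foreach ($names as $g) {
        $dn_safe = ldap_escape($g, "", LDAP_ESCAPE_DN);
        $filter_safe = ldap_escape($dn_safe, "", LDAP_ESCAPE_FILTER);
        $clauses .= "(memberOf=CN=$filter_safe,$ldap_dn)";
    }
    if (is_array($group)) {
        // "|" = in any of the groups, "&" = in every group
        $clauses = ($inclusive ? "(|" : "(&") . $clauses . ")";
    }
    return "(&" . $base . $clauses . ")";
}

/**
 * Return the users in the configured AD container, optionally restricted
 * to the members of one or more groups.
 *
 * Only direct membership is matched: the filter tests the memberOf
 * attribute, which AD does not populate for nested (transitive) membership.
 * Group names are looked up as "CN=<name>,<$ldap_dn>", i.e. the groups
 * must live in the same container as the users.
 *
 * @param string|string[]|false $group     Group CN, list of group CNs, or FALSE for all users
 * @param bool                  $inclusive For a list: TRUE = member of ANY group, FALSE = member of ALL groups
 * @return array List of rows, one per user, keyed by the attribute names in $keep;
 *               an attribute the user lacks is NULL
 * @throws RuntimeException when the connection, bind, or search fails
 */
function get_members($group=FALSE,$inclusive=FALSE) {
    // Active Directory server
    $ldap_host = "ad.domain";
    // Active Directory DN (search base; also the container the group CNs are resolved in)
    $ldap_dn = "CN=Users,DC=ad,DC=domain";
    // Domain, for purposes of constructing $user
    $ldap_usr_dom = "@".$ldap_host;
    // Active Directory user used for the bind.
    // These are the snippet's example values; a deployment should load the bind
    // account and its password from configuration kept outside the source tree,
    // and the account needs only read access to the container.
    $user = "jdoe";
    $password = "password1234!";
    // User attributes we want to keep (ldap_get_entries() lowercases attribute names,
    // so these must be lowercase). List of User Object properties:
    // http://www.dotnetactivedirectory.com/Understanding_LDAP_Active_Directory_User_Object_Properties.html
    $keep = array(
        "samaccountname",
        "distinguishedname"
    );

    // Connect to AD. ldap_connect() only validates its arguments; the actual
    // connection is made by ldap_bind().
    $ldap = ldap_connect($ldap_host);
    if ($ldap === false) {
        throw new RuntimeException("Could not connect to LDAP");
    }
    // AD expects LDAPv3; the extension's default is v2, which AD commonly rejects at bind time.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

    try {
        // NOTE(review): a simple bind sends $password in clear text unless the
        // transport is protected (ldaps:// host, or ldap_start_tls() before the
        // bind). Whether the server offers TLS is not known here - confirm.
        if (!ldap_bind($ldap, $user.$ldap_usr_dom, $password)) {
            throw new RuntimeException("Could not bind to LDAP: " . ldap_error($ldap));
        }

        $query = _get_members_filter($group, $inclusive, $ldap_dn);
        // Uncomment to output queries onto page for debugging
        // print_r($query);

        // Search AD, asking only for the attributes we keep.
        // NOTE(review): AD caps a single search at its MaxPageSize (1000 by default);
        // larger containers need paged results, which this function does not do.
        $results = ldap_search($ldap, $ldap_dn, $query, $keep);
        if ($results === false) {
            throw new RuntimeException("LDAP search failed: " . ldap_error($ldap));
        }
        $entries = ldap_get_entries($ldap, $results);
        if ($entries === false) {
            throw new RuntimeException("Could not read LDAP entries: " . ldap_error($ldap));
        }
    } finally {
        // Release the connection on every path, including the exceptions above.
        ldap_unbind($ldap);
    }

    // The first element is the "count" entry, not a user
    array_shift($entries);
    // Build output array: one row per entry, every kept attribute present (NULL if absent)
    $output = array();
    foreach ($entries as $u) {
        $row = array();
        foreach ($keep as $x) {
            // Each attribute is multi-valued in the entry; keep the first value only
            $row[$x] = isset($u[$x][0]) ? $u[$x][0] : NULL;
        }
        $output[] = $row;
    }
    return $output;
}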
// Example Output
// All users in OU 'Users' (no group filter)
print_r(get_members());
// All members of 'Test Group'
print_r(get_members("Test Group"));
// EXCLUSIVE: only members that belong to BOTH 'Test Group' AND 'Test Group 2'
print_r(get_members(["Test Group", "Test Group 2"]));
// INCLUSIVE: members that belong to EITHER 'Test Group' OR 'Test Group 2'
print_r(get_members(["Test Group", "Test Group 2"], true));
?> |
Example Output
Array
(
[0] => Array
(
[samaccountname] => sam
[distinguishedname] => CN=sam,CN=Users,DC=ad,DC=domain
)
[1] => Array
(
[samaccountname] => jdoe
[distinguishedname] => CN=John Doe,CN=Users,DC=ad,DC=domain
)
) |