Use PHP and LDAP to list members of an Active Directory group (Improved)

A PHP function that fetches the members of an Active Directory group and returns the selected attributes of each user as an array.

This is an improved version of the snippet posted on 2/10/2011

The Function

<?php
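function get_members($group=FALSE) {
    // Returns the user objects below $ldap_dn as a list of rows, each row keyed
    // by the attribute names in $keep. When $group is a non-empty string only
    // the direct members of that group (matched via memberOf) are returned.
    // Returns an empty array when nothing matches; dies when the server cannot
    // be reached, the bind is refused or the search fails.

    // Active Directory server
    $ldap_host = "ad.domain";

    // Active Directory DN
    $ldap_dn = "CN=Users,DC=ad,DC=domain";

    // domain, for purposes of constructing $user
    $ldap_usr_dom = "@".$ldap_host;

    // Active Directory user
    // NOTE: the bind account's credentials belong in configuration that is kept
    // out of version control, not in literal strings inside the function.
    $user = "jdoe";
    $password = "password";

    // User attributes we want to keep. ldap_get_entries() lower-cases attribute
    // names, so the list must be lower-case as well.
    // List of User Object properties: http://www.dotnetactivedirectory.com/Understanding_LDAP_Active_Directory_User_Object_Properties.html
    $keep = array(
        "samaccountname",
        "distinguishedname"
    );

    // Connect and search AD
    $ldap = ldap_connect($ldap_host) or die("Could not connect to LDAP");
    // PHP defaults to LDAPv2, which Active Directory does not accept for binds
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_bind($ldap,$user.$ldap_usr_dom,$password) or die("Could not bind to LDAP");

    // filter by memberOf, if group is set.
    // $group is embedded in an LDAP search filter, so it must be escaped: first
    // as a DN component (it becomes the group's CN), then the whole DN as a
    // filter value. Without this a caller-supplied name containing '*', '('
    // or ')' would change the meaning of the filter.
    $addtl = "";
    if ($group !== FALSE && $group !== NULL && $group !== "") {
        $group_dn = "CN=".ldap_escape($group, "", LDAP_ESCAPE_DN).",".$ldap_dn;
        $addtl = "(memberOf=".ldap_escape($group_dn, "", LDAP_ESCAPE_FILTER).")";
    }

    $results = ldap_search($ldap,$ldap_dn,"(&(objectClass=User)$addtl)");
    if ($results === FALSE) {
        ldap_unbind($ldap);
        die("Could not search LDAP");
    }
    $entries = ldap_get_entries($ldap, $results);
    ldap_unbind($ldap); // the result set has been copied; release the connection
    if (!is_array($entries)) {
        die("Could not read LDAP search results");
    }

    // ldap_get_entries() puts the number of results under the "count" key ahead
    // of the 0..n-1 entries; drop it so only real entries are iterated
    unset($entries['count']);

    $output = array(); // Declare the output array

    // Build output array: one row per entry holding the first value of each
    // wanted attribute, or NULL when the entry does not carry that attribute
    foreach ($entries as $u) {
        $row = array();
        foreach ($keep as $x) {
            $row[$x] = isset($u[$x][0]) ? $u[$x][0] : NULL;
        }
        $output[] = $row;
    }

    return $output;
}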
 
// Demonstration: first every user below the configured base DN, then only the
// members of one named group.
$all_users = get_members();
print_r($all_users);

$group_members = get_members("Test Group");
print_r($group_members);
?>
<?php
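function get_members($group=FALSE) {
	// List the user objects under $ldap_dn, one row per user, keyed by the
	// attribute names in $keep. A non-empty string in $group restricts the
	// result to the direct members of that group (memberOf match).
	// Returns an empty array for no matches; dies if connecting, binding or
	// searching fails.

	// Active Directory server
	$ldap_host = "ad.domain";

	// Active Directory DN
	$ldap_dn = "CN=Users,DC=ad,DC=domain";

	// domain, for purposes of constructing $user
	$ldap_usr_dom = "@".$ldap_host;

	// Active Directory user
	// NOTE: these credentials should be loaded from configuration kept out of
	// version control instead of being hard-coded here.
	$user = "jdoe";
	$password = "password";

	// User attributes we want to keep (lower-case, because ldap_get_entries()
	// lower-cases attribute names)
	// List of User Object properties: http://www.dotnetactivedirectory.com/Understanding_LDAP_Active_Directory_User_Object_Properties.html
	$keep = array(
	    "samaccountname",
	    "distinguishedname"
	);

	// Connect and search AD
	$ldap = ldap_connect($ldap_host) or die("Could not connect to LDAP");
	// Active Directory requires LDAPv3; PHP's default is v2
	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
	ldap_bind($ldap,$user.$ldap_usr_dom,$password) or die("Could not bind to LDAP");

	// filter by memberOf, if group is set.
	// The group name is interpolated into a search filter, so escape it: as a
	// DN component while building the group DN, then the DN as a filter value.
	// Otherwise filter metacharacters ('*', '(', ')') in $group would alter
	// which entries the search returns.
	$addtl = "";
	if ($group !== FALSE && $group !== NULL && $group !== "") {
		$group_dn = "CN=".ldap_escape($group, "", LDAP_ESCAPE_DN).",".$ldap_dn;
		$addtl = "(memberOf=".ldap_escape($group_dn, "", LDAP_ESCAPE_FILTER).")";
	}

	$results = ldap_search($ldap,$ldap_dn,"(&(objectClass=User)$addtl)");
	if ($results === FALSE) {
		ldap_unbind($ldap);
		die("Could not search LDAP");
	}
	$entries = ldap_get_entries($ldap, $results);
	ldap_unbind($ldap); // entries are copied into PHP arrays; connection no longer needed
	if (!is_array($entries)) {
		die("Could not read LDAP search results");
	}

	// The "count" key that ldap_get_entries() prepends is bookkeeping, not an
	// entry; remove it before iterating
	unset($entries['count']);

	$output = array(); // Declare the output array

	// Build output array: the first value of every wanted attribute per entry,
	// NULL when an entry lacks the attribute
	foreach ($entries as $u) {
		$row = array();
		foreach ($keep as $x) {
			$row[$x] = isset($u[$x][0]) ? $u[$x][0] : NULL;
		}
		$output[] = $row;
	}

	return $output;
}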

// Usage: dump all users under the base DN, then the members of a single group.
foreach (array(FALSE, "Test Group") as $wanted_group) {
	print_r(get_members($wanted_group));
}
?>

Example Output

Array
(
    [0] => Array
        (
            [samaccountname] => sam
            [distinguishedname] => CN=sam,CN=Users,DC=ad,DC=domain
        )

    [1] => Array
        (
            [samaccountname] => jdoe
            [distinguishedname] => CN=John Doe,CN=Users,DC=ad,DC=domain
        )

)