Use PHP and LDAP to list members of an Active Directory group (Improved)

PHP function that gets the members of an Active Directory group and returns the users' attributes as an array.

This is an improved version of the snippet posted on 2/10/2011

The Function

<?php
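/**
 * Returns the users under $ldap_dn, optionally restricted to the members of one group.
 *
 * @param string|false $group  CN of a group located directly under $ldap_dn, or FALSE for every user
 * @return array  List of rows, one per user, keyed by the attribute names in $keep; each value is
 *                the attribute's first value, or NULL when the object has no such attribute
 *
 * Stops the script with die() when the connection, bind or search fails (the snippet's
 * original error-handling style is kept).
 */
function get_members($group=FALSE) {
    // Active Directory server
    // NOTE(review): a plain ldap:// bind sends the password in clear text; use an ldaps://
    // URI or ldap_start_tls() on the connection in deployment.
    $ldap_host = "ad.domain";

    // Active Directory DN: both the search base and the parent of the group CNs
    $ldap_dn = "CN=Users,DC=ad,DC=domain";

    // domain, for purposes of constructing $user (UPN-style bind name user@ad.domain)
    $ldap_usr_dom = "@".$ldap_host;

    // Active Directory user
    // The hard-coded credential is for the example only: in deployment read it from
    // configuration outside the web root and use a read-only, least-privilege account.
    $user = "jdoe";
    $password = "password";

    // User attributes we want to keep (lower-case, because ldap_get_entries() lower-cases attribute names)
    // List of User Object properties: http://www.dotnetactivedirectory.com/Understanding_LDAP_Active_Directory_User_Object_Properties.html
    $keep = array(
        "samaccountname",
        "distinguishedname"
    );

    // Connect and search AD
    // NOTE(review): AD usually expects LDAP v3; if the bind fails, set
    // ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3) before ldap_bind().
    $ldap = ldap_connect($ldap_host) or die("Could not connect to LDAP");
    ldap_bind($ldap,$user.$ldap_usr_dom,$password) or die("Could not bind to LDAP");

    // filter by memberOf, if group is set.
    // $group is caller-supplied and lands inside both a DN and a search filter, so it is
    // escaped for both contexts. Without this, characters such as '*', '(', ')' or ','
    // in $group would change the meaning of the filter (LDAP injection) rather than name a group.
    if($group) {
        $safe_group = ldap_escape($group, "", LDAP_ESCAPE_DN | LDAP_ESCAPE_FILTER);
        $addtl = "(memberOf=CN=$safe_group,$ldap_dn)";
    } else {
        $addtl = "";
    }

    $results = ldap_search($ldap,$ldap_dn,"(&(objectClass=User)$addtl)");
    if($results === FALSE) {
        // ldap_get_entries() must not be given a failed search handle
        ldap_unbind($ldap);
        die("Could not search LDAP");
    }
    $entries = ldap_get_entries($ldap, $results);

    // The entries are copied into a PHP array, so the connection can be released now
    ldap_unbind($ldap);

    // ldap_get_entries() reports the hit count under the key "count" next to the numbered
    // entries; drop it and renumber so only real entries remain
    unset($entries["count"]);
    $entries = array_values($entries);

    $output = array(); // Declare the output array

    // Build output array: one row per entry holding the first value of each kept attribute
    foreach($entries as $u) {
        $row = array();
        foreach($keep as $x) {
            // An object may lack an attribute; keep the key so every row has the same shape
            $row[$x] = isset($u[$x][0]) ? $u[$x][0] : NULL;
        }
        $output[] = $row;
    }

    return $output;
}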
 
// First dump every user in 'Users', then only the members of 'Test Group'
foreach (array(FALSE, "Test Group") as $which) {
    print_r(get_members($which));
}
?>
<?php
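/**
 * Returns the users under $ldap_dn, optionally restricted to the members of one group.
 *
 * @param string|false $group  CN of a group located directly under $ldap_dn, or FALSE for every user
 * @return array  List of rows, one per user, keyed by the attribute names in $keep; each value is
 *                the attribute's first value, or NULL when the object has no such attribute
 *
 * Stops the script with die() when the connection, bind or search fails (the snippet's
 * original error-handling style is kept).
 */
function get_members($group=FALSE) {
	// Active Directory server
	// NOTE(review): a plain ldap:// bind sends the password in clear text; use an ldaps://
	// URI or ldap_start_tls() on the connection in deployment.
	$ldap_host = "ad.domain";

	// Active Directory DN: both the search base and the parent of the group CNs
	$ldap_dn = "CN=Users,DC=ad,DC=domain";

	// domain, for purposes of constructing $user (UPN-style bind name user@ad.domain)
	$ldap_usr_dom = "@".$ldap_host;

	// Active Directory user
	// The hard-coded credential is for the example only: in deployment read it from
	// configuration outside the web root and use a read-only, least-privilege account.
	$user = "jdoe";
	$password = "password";

	// User attributes we want to keep (lower-case, because ldap_get_entries() lower-cases attribute names)
	// List of User Object properties: http://www.dotnetactivedirectory.com/Understanding_LDAP_Active_Directory_User_Object_Properties.html
	$keep = array(
	    "samaccountname",
	    "distinguishedname"
	);

	// Connect and search AD
	// NOTE(review): AD usually expects LDAP v3; if the bind fails, set
	// ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3) before ldap_bind().
	$ldap = ldap_connect($ldap_host) or die("Could not connect to LDAP");
	ldap_bind($ldap,$user.$ldap_usr_dom,$password) or die("Could not bind to LDAP");

	// filter by memberOf, if group is set.
	// $group is caller-supplied and lands inside both a DN and a search filter, so it is
	// escaped for both contexts. Without this, characters such as '*', '(', ')' or ','
	// in $group would change the meaning of the filter (LDAP injection) rather than name a group.
	if($group) {
		$safe_group = ldap_escape($group, "", LDAP_ESCAPE_DN | LDAP_ESCAPE_FILTER);
		$addtl = "(memberOf=CN=$safe_group,$ldap_dn)";
	} else {
		$addtl = "";
	}

	$results = ldap_search($ldap,$ldap_dn,"(&(objectClass=User)$addtl)");
	if($results === FALSE) {
		// ldap_get_entries() must not be given a failed search handle
		ldap_unbind($ldap);
		die("Could not search LDAP");
	}
	$entries = ldap_get_entries($ldap, $results);

	// The entries are copied into a PHP array, so the connection can be released now
	ldap_unbind($ldap);

	// ldap_get_entries() reports the hit count under the key "count" next to the numbered
	// entries; drop it and renumber so only real entries remain
	unset($entries["count"]);
	$entries = array_values($entries);

	$output = array(); // Declare the output array

	// Build output array: one row per entry holding the first value of each kept attribute
	foreach($entries as $u) {
		$row = array();
		foreach($keep as $x) {
			// An object may lack an attribute; keep the key so every row has the same shape
			$row[$x] = isset($u[$x][0]) ? $u[$x][0] : NULL;
		}
		$output[] = $row;
	}

	return $output;
}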

// First dump every user in 'Users', then only the members of 'Test Group'
foreach (array(FALSE, "Test Group") as $which) {
	print_r(get_members($which));
}
?>

Example Output

Array
(
    [0] => Array
        (
            [samaccountname] => sam
            [distinguishedname] => CN=sam,CN=Users,DC=ad,DC=domain
        )

    [1] => Array
        (
            [samaccountname] => jdoe
            [distinguishedname] => CN=John Doe,CN=Users,DC=ad,DC=domain
        )

)
