mydap version 3 – Use PHP and LDAP to list members of an Active Directory group

Please see the UPDATED version of this script here

PHP function that gets the members of an Active Directory group and returns the data as an array. An additional function is provided to get users' attributes.

In this version (version 3) the script can search for groups across multiple OUs, and even across multiple AD servers (by closing the connection to one server and establishing a new one to the next).

I hope you find it useful.
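To show what the description above amounts to in code, here is an added example (not the mydap script itself, and not code from this post's author). It does a subtree search from a base DN so the group can sit in any OU below it, returns the member DNs as an array, reads a few attributes per member, and loops over more than one server by closing one connection before opening the next. Host names, base DNs, the service account name and the group name are placeholders, and the bind password is read from an environment variable that you would set yourself.

```php
<?php
// Added example, not the mydap script: list the members of an AD group found
// anywhere under a base DN, then read attributes for each member DN.
// Host names, DNs, the service account and the group name are placeholders.

function ad_connect(string $uri, string $bindDn, string $password)
{
    // An empty password turns ldap_bind() into an unauthenticated bind, which AD
    // accepts by default and which returns TRUE: refuse it before it reaches the DC.
    if ($password === '') {
        throw new InvalidArgumentException('refusing empty bind password');
    }
    $conn = ldap_connect($uri);                       // e.g. "ldaps://dc01.example.com"
    if ($conn === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);     // AD hands out referrals; chasing them stalls searches
    // No "@" in front of ldap_bind(): a failed bind should show up in the PHP log
    if (!ldap_bind($conn, $bindDn, $password)) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($conn));
    }
    return $conn;
}

// Subtree search from $baseDn, so the group may live in any OU below it.
function ad_group_members($conn, string $baseDn, string $groupName): array
{
    // ldap_escape() keeps a name such as "HR)(cn=*" from rewriting the filter
    $filter = '(&(objectCategory=group)(sAMAccountName='
            . ldap_escape($groupName, '', LDAP_ESCAPE_FILTER) . '))';
    $result = ldap_search($conn, $baseDn, $filter, ['member']);
    if ($result === false) {
        throw new RuntimeException('Group search failed: ' . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $result);
    if ($entries['count'] === 0 || !isset($entries[0]['member'])) {
        return [];                                    // no such group, or an empty one
    }
    $members = $entries[0]['member'];
    unset($members['count']);                         // ldap_get_entries() mixes a 'count' key into the value list
    return array_values($members);                    // plain list of member DNs
}

function ad_user_attributes($conn, string $userDn, array $wanted): array
{
    $result = ldap_read($conn, $userDn, '(objectClass=*)', $wanted);  // base scope: just this DN
    if ($result === false) {
        throw new RuntimeException('Read failed for ' . $userDn . ': ' . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $result);
    $out = [];
    foreach ($wanted as $attr) {
        $key = strtolower($attr);                     // ldap_get_entries() lower-cases attribute names
        $out[$attr] = $entries[0][$key][0] ?? null;   // first value, or null when the attribute is unset
    }
    return $out;
}

// Usage: one connection per directory; close it before opening the next server.
$bindPassword = getenv('LDAP_BIND_PW');                // set in the environment, never in the source
if ($bindPassword === false) {
    exit("LDAP_BIND_PW is not set\n");
}
$servers = [
    ['uri' => 'ldaps://dc01.example.com',  'base' => 'DC=example,DC=com'],
    ['uri' => 'ldaps://dc01.corp.example', 'base' => 'DC=corp,DC=example'],
];
$allMembers = [];
foreach ($servers as $srv) {
    $conn = ad_connect($srv['uri'], 'CN=svc-ldap-reader,OU=Service Accounts,' . $srv['base'], $bindPassword);
    foreach (ad_group_members($conn, $srv['base'], 'HR') as $dn) {
        $allMembers[$dn] = ad_user_attributes($conn, $dn, ['sAMAccountName', 'displayName', 'mail']);
    }
    ldap_unbind($conn);                               // close before moving on to the next server
}
print_r($allMembers);
```

The service account only needs read access to the groups and users it lists; give it nothing more, since its password sits on the web server.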

31 Comments

  1. Tom

    Hello, with your code I'm able to successfully search Active Directory for users in specific groups. However, I'm looking to do something slightly different and wondered if you might be able to help. I'm looking to restrict certain areas of an internal website to users that are in specific distribution groups. Below is my code that allows all domain users to authenticate with their AD username and password. But I'd really like to give access just to users in the "HR" distribution group. For example, I have a group with the following canonical name: Domain.org/Domain/Groups/HR
    Do you know if this is possible?

    Thanks,
    Tom

    // User Custom Validate event
    function User_CustomValidate(&$usr, &$pwd) {
        // Enter your custom code to validate user, return TRUE if valid.
        // LDAP authentication example for User_CustomValidate server event
        if (!function_exists("ldap_connect"))
            die("LDAP extension not installed.");
        // An empty password makes ldap_bind() an unauthenticated bind, which AD accepts
        // and which returns TRUE, so reject it before binding.
        if ($usr === "" || $pwd === "")
            return FALSE;
        $ldapconn = ldap_connect("domaincontroller.domain.org", 389) or die("Could not connect to LDAP server."); // Note: Replace the host name and port
        ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0);
        if ($ldapconn && ldap_bind($ldapconn, $usr, $pwd)) {
            $this->setCurrentUserName($usr); // Set the current user name
            return TRUE;
        }
        return FALSE;
    }

      • Tom

        Sam, thanks for the link. I tried your code. It’s pointing me in the right direction. It was not working for me until I adjusted a line in the “authenticate.php” page. I thought I’d pass this along in case anyone else is seeing the same.

        In the below line of code, a space after the first quote and before the @ symbol was causing login failure for me.
        $ldap_usr_dom = " @college.school.edu";

        After deleting the space I am able to authenticate. I’m running a LAMP web server and authenticating to Windows AD.

        I have yet to incorporate the ideas from your code into mine but it seems I am heading in the right direction

        Thanks again,
        Tom
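For Tom's question of letting only members of one group in, here is an added example (not Tom's code and not the mydap script). It binds with the user's own credentials, then runs a search that only matches the account if it is a member of the HR group, including membership through nested groups, which AD's LDAP_MATCHING_RULE_IN_CHAIN matching rule resolves on the server side. The domain, the UPN suffix and the mapping of the canonical name Domain.org/Domain/Groups/HR to a DN are assumptions.

```php
<?php
// Added example for Tom's question (not his code, not the mydap script):
// authenticate with the user's own credentials, then allow access only if the
// account is a member of the HR group, nested groups included.
// Domain, DNs and the group's location in the tree are assumptions.

const AD_URI        = 'ldaps://domaincontroller.domain.org';
const AD_BASE_DN    = 'DC=Domain,DC=org';
const AD_UPN_SUFFIX = '@domain.org';
// Canonical name Domain.org/Domain/Groups/HR, assumed to map to this DN
const HR_GROUP_DN   = 'CN=HR,OU=Groups,OU=Domain,DC=Domain,DC=org';
// AD's LDAP_MATCHING_RULE_IN_CHAIN OID: matches through nested group membership
const RULE_IN_CHAIN = '1.2.840.113556.1.4.1941';

function hr_user_login(string $usr, string $pwd): bool
{
    // An empty password turns ldap_bind() into an unauthenticated bind, which AD
    // accepts by default and which returns TRUE: reject it before binding.
    // The username check also keeps filter metacharacters out of the search below.
    if ($pwd === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $usr)) {
        return false;
    }
    $conn = ldap_connect(AD_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!ldap_bind($conn, $usr . AD_UPN_SUFFIX, $pwd)) {   // wrong password: bind fails
        ldap_unbind($conn);
        return false;
    }
    // Authorization: the user's own bind is enough to read group membership.
    // memberOf with the in-chain rule also matches membership via nested groups.
    $filter = '(&(objectCategory=person)(sAMAccountName='
            . ldap_escape($usr, '', LDAP_ESCAPE_FILTER) . ')'
            . '(memberOf:' . RULE_IN_CHAIN . ':='
            . ldap_escape(HR_GROUP_DN, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = ldap_search($conn, AD_BASE_DN, $filter, ['sAMAccountName']);
    $allowed = ($result !== false) && ldap_count_entries($conn, $result) === 1;
    ldap_unbind($conn);
    return $allowed;                                    // true only for an HR member with the right password
}

// Usage: hr_user_login() replaces the bare ldap_bind() test inside User_CustomValidate
var_dump(hr_user_login('jdoe', 'correct horse battery staple'));
```

Doing the group check as part of the same search keeps authentication and authorization in one place, so a later change to the group name only has to be made in one constant.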

  2. Alex

    Unfortunately, it doesn't look like this code works for AD groups that have a large number of members (more than are returned in a single range or page).

    When I run the script with a small group, it works fine. But when I try to get the members of a group that has thousands of members, it returns “No group members found”.

    Our AD server appears to only return 1500 results per “page”.
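Alex's 1500-entry limit is AD's default page size for multi-valued attributes: a larger group comes back with the attribute named member;range=0-1499 instead of member, and the rest has to be asked for range by range. The function below is an added example (not the mydap script and not code from the post's author) that walks those ranges. It assumes $conn is a connection already bound as in the script, and the group DN in the usage comment is a placeholder.

```php
<?php
// Added example (not the mydap script): read the member attribute of a large
// group in the 1500-value chunks AD serves, by asking for successive ranges.
// $conn is an already bound LDAP connection; the group DN is a placeholder.

function ad_group_members_ranged($conn, string $groupDn): array
{
    $members = [];
    $start   = 0;
    while (true) {
        // "member;range=N-*" asks for everything from N up to the server's chunk limit
        $result = ldap_read($conn, $groupDn, '(objectClass=*)', ["member;range=$start-*"]);
        if ($result === false) {
            throw new RuntimeException('Read failed: ' . ldap_error($conn));
        }
        $entry = ldap_first_entry($conn, $result);
        if ($entry === false) {
            break;                                     // group not found
        }
        $attrs    = ldap_get_attributes($conn, $entry); // keeps the "member;range=a-b" name as sent
        $chunkEnd = null;
        for ($i = 0; $i < $attrs['count']; $i++) {
            $name = $attrs[$i];
            if (!preg_match('/^member;range=\d+-(\d+|\*)$/i', $name, $m)) {
                continue;
            }
            $values = $attrs[$name];
            unset($values['count']);
            $members  = array_merge($members, array_values($values));
            $chunkEnd = $m[1];                         // "*" marks the final chunk
        }
        if ($chunkEnd === null || $chunkEnd === '*') {
            break;                                     // empty group, or the last chunk has arrived
        }
        $start = (int) $chunkEnd + 1;                  // next request starts where this one ended
    }
    return $members;
}

// Usage (after ldap_connect()/ldap_bind() as in the script):
// $members = ad_group_members_ranged($conn, 'CN=All Staff,OU=Groups,DC=example,DC=com');
// echo count($members), " members\n";
```

Because the loop only stops on the "*" marker, it also copes with a directory whose administrators have raised or lowered the chunk size.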

  3. Jack Lee

    How do I use your code to show all users in our domain (for an intranet 'company directory')? It only has around 1,000.

    Thanks

  4. Martin

    Unfortunately I get “No group members found” error, even though I query the OU leaf that clearly has members in it – I can see that in AD admin console. I use my credentials to run the query. Frankly – I’m lost. It connects, it binds, yet it does not return expected data. Am I missing something?

    • sam

      Hi Martin,

      You may have already done this, but make sure you have error_reporting turned on, and remove the @ in front of ldap_bind so no errors there are being hidden.

      Next try using print_r($members); under

      Are you getting any results there at all or is it a blank array?

      Also is there anything unusual about the group you are querying, does it have nested groups in it?

      Did you modify the code in any other way? If so please post a copy (with the sensitive credentials removed)

  5. Geoffrey Schaller

    Similar to Jack Lee’s request – I am looking to create a listing of all users within a specific OU, and the ones under it, to include on our Intranet page. Is it possible to query for all users in an OU, or its children?

    Thank you for your help!

    • Geoffrey Schaller

      I think I have the hang of this – I can pull from several “All Staff” groups to combine and make a master list. Where I am getting stuck is running mydap_members against multiple groups and combining the results.

      If I wanted to combine the results of Group1, Group2, Group3, etc. into one output, what is the syntax to call multiple groups into $members?

      Thank you!

    • Geoffrey Schaller

      The other option would be to enable recursion somehow, so that the member of children groups are also returned.

      • sam

        Hi Geoffrey,

        You can use a simple array_merge() to collect the results of multiple mydap_members()

  6. Geoffrey Schaller

    Hi Sam, I have this up and running (beautifully, I might add) on a PHP 5.6 server. However, when I switch the server to PHP 7, the script fails to connect to LDAP, giving the message “Error connecting to LDAP”.

    Other LDAP based scripts on the same server, also on PHP 7, work without issue using the same credentials, leading me to think it’s something about this script and 7 that is the issue. Can you advise what I’d need to change for PHP 7?

    Thank you!

    • sam

      Hi Geoffrey,

      I have tested it on PHP 7.0.8 without issue

      Do you have error reporting turned on?

      Make sure your php.ini (maybe your app is using a different ini from the other working ones?) has the extension enabled, extension=php_ldap.dll

      • Geoffrey Schaller

        The extension is enabled, and LDAP works properly for another app (Joomla) in the same setup.

        From the logs, the specific error message is:

        [18-Apr-2016 16:56:04 America/New_York] PHP Warning: ldap_connect(): Could not create session handle: Bad parameter to an ldap routine in D:\inetpub\wwwroot\phptest\adlisting.php on line 7

        • sam

          Are you adding a port like :389 to the end of the hostname? That could be it

          If so, try removing the port # and add to the ldap_connect like this:

          $mydap = ldap_connect($host, 389) or die('Error connecting to LDAP');

          Or try ldaps://domain:389 as the hostname

  7. Hemendra

    ldap_bind(): Unable to bind to server: Strong(er) authentication required, when I am using it.
    Can you please help me to fix the issue?
    I am testing this on WAMP Server.

    • sam

      Try appending ldaps:// to your hostname

      • Sudarshan

        Hi, SAM
        I want to get all user attributes in the domain, i.e. hostname, username and last logon. I tried the code but it does not show errors or any results!! Can you please help me out?


        • sam

          I would make sure you have all error reporting turned on and/or you can view PHP logs

          Then do some break-point debugging to make sure your code is getting to and executing the ldap_search()

          You can do a print_r($result); above line 29 to help verify that

          If there’s no error messages or other information from there I would check on the value of $ldap_base_dn to make sure that is correct
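Hemendra's "Strong(er) authentication required" error is the domain controller refusing a simple bind over a cleartext connection; sam's ldaps:// suggestion fixes it by encrypting the session. The added example below (not the mydap script and not code from the post's author) shows both ways of doing that with the server certificate actually verified, since LDAPS without a trusted CA still encrypts but accepts any certificate presented to it. The host, bind DN and CA file path are placeholders, and the LDAP_OPT_X_TLS_* options assume PHP 7.1 or later built against the OpenLDAP client library.

```php
<?php
// Added example (not the mydap script): connect to a DC that rejects cleartext
// simple binds, with the server certificate checked against our own CA bundle.
// Host, bind DN and CA file are placeholders; TLS options need PHP 7.1+ on OpenLDAP.

function ad_connect_secure(string $host, string $bindDn, string $password,
                           string $caFile, bool $useStartTls = false)
{
    if ($password === '') {
        throw new InvalidArgumentException('refusing empty password (would be an unauthenticated bind)');
    }
    // Either LDAPS on 636 from the start, or plain 389 upgraded with StartTLS
    // before any credentials are sent.
    $uri  = $useStartTls ? "ldap://$host:389" : "ldaps://$host:636";
    $conn = ldap_connect($uri);
    if ($conn === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Verify the DC's certificate against $caFile and fail the handshake otherwise.
    // LDAP_OPT_X_TLS_NEVER would make the TLS layer accept any certificate.
    ldap_set_option($conn, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option($conn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
    if ($useStartTls && !ldap_start_tls($conn)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($conn));
    }
    if (!ldap_bind($conn, $bindDn, $password)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($conn));
    }
    return $conn;
}

// Usage (placeholders): LDAPS first, StartTLS on 389 as the alternative
$pw = getenv('LDAP_BIND_PW');
if ($pw === false) {
    exit("LDAP_BIND_PW is not set\n");
}
$conn = ad_connect_secure('dc01.example.com', 'CN=svc-ldap-reader,OU=Service Accounts,DC=example,DC=com',
                          '/etc/ssl/certs/corp-ca.pem', $pw);
echo "bound over LDAPS\n";
ldap_unbind($conn);
$conn = ad_connect_secure('dc01.example.com', 'CN=svc-ldap-reader,OU=Service Accounts,DC=example,DC=com',
                          '/etc/ssl/certs/corp-ca.pem', $pw, true);
echo "bound over StartTLS\n";
ldap_unbind($conn);
```

If the handshake fails with a certificate error, the fix is to put the issuing CA of the DC's certificate into the CA file, not to lower LDAP_OPT_X_TLS_REQUIRE_CERT.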

  8. Sudarshan

    Sam!! It works well. Now the problem is that LDAP configuration attributes are not enabled, like last logon etc. Is there any other way to get the login information of domain members using PHP?

  9. Andreina Rugama

    Hello, I would like to know how I can search all of my Active Directory per user, have the result give me the full name and status of the user (either active or inactive), and be able to disable it through a button.
