mydap – PHP LDAP get members of Container/Group/OU

In mydap() version 4 we can query all members of a container, group, or organizational unit. LDAP pagination has also been incorporated, allowing result sets to exceed the 1000-result limit.

See the end of the script for example usage. Feel free to ask questions in the comments.

Update 2/4/2017: Added support for overcoming the 1500-value limit on attributes, which affects groups.

23 Comments

    • sam

      It’s looping through each member on line 120 (in the example)

      You can use mydap_attributes to get a specific user’s attributes by providing it the DN as the first parameter, and an array of attributes you want returned.

  1. Manuel

    Hi there!!

    Thank you for your work!! It helps a lot :)

    I’m having some trouble finding users in the Domain Users primary group… I’m not able to get any user…

    Can you please help me?

    Thanks in advance :)

    • sam

      Since Domain Users is a primary group you need to use its ID 513.

      I would recommend maybe creating a new object_class condition called something like ‘domainusers’ that would alter the ldap_search to filter all users with a primaryGroupID of 513.

  2. Jacob

    Hi Sam
    Truly amazing piece of code. I have trouble getting extensionAttribute10-13 from AD.
    I’ve tried really a lot of combinations, but nothing has worked so far.

    $keep = array('extensionAttribute10','mail');

    // Iterate each member to get attributes
    $i = 1; // For counting our output
    foreach($members as $m) {
        // Query a user's attributes using mydap_attributes(member_dn,keep)
        // The member_dn is the step $m of this foreach
        $attr = mydap_attributes($m,$keep);

        // Each attribute is returned as an array, the first key is [count], [0]+ will contain the actual value(s)
        // You will want to make sure the key exists to account for situations in which the attribute is not returned (has no value)
        $ex10 = isset($attr['extensionAttribute10'][0]) ? $attr['extensionAttribute10'][0] : "[no extensionAttribute10]";
        $mail = isset($attr['mail'][0]) ? $attr['mail'][0] : "[no email]";

        // Do what you will, such as store or display member information
        echo "$i. $ex10, $mail";

        $i++;
    }

    • sam

      Hi Jacob,

      Try lowercase:

  3. Linh Nguyen

    Hello Sam,

    I am wondering if it’s possible to look up a specific user by e-mail in Active Directory? If it’s possible, can you please provide an example?

    Best Regards,

    LN
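One way to do the e-mail lookup asked about above, as an added example that is not part of mydap or of any reply in this thread. The helper names `build_mail_filter()` and `find_user_by_mail()` are hypothetical, and `$ldap` is assumed to be an already bound connection; the address is passed through `ldap_escape()` so that user-supplied input cannot change the structure of the search filter.

```php
<?php
// Added example, not mydap's code. Helper names are hypothetical.

function build_mail_filter(string $mail): string
{
    // LDAP_ESCAPE_FILTER hex-encodes \ * ( ) and NUL, so the value stays a literal
    // inside the filter instead of being parsed as filter syntax.
    $safe = ldap_escape($mail, '', LDAP_ESCAPE_FILTER);
    return "(&(objectCategory=person)(objectClass=user)(mail=$safe))";
}

function find_user_by_mail($ldap, string $base_dn, string $mail, array $keep): ?array
{
    // A size limit of 2 is enough to tell "exactly one match" from "ambiguous".
    $result = ldap_search($ldap, $base_dn, build_mail_filter($mail), $keep, 0, 2);
    if ($result === false) {
        throw new RuntimeException('Search failed: ' . ldap_error($ldap));
    }
    $entries = ldap_get_entries($ldap, $result);
    // Zero or several matches are both treated as "not found".
    return $entries['count'] === 1 ? $entries[0] : null;
}

// Constructed inputs: a normal address and one containing filter metacharacters.
echo build_mail_filter('jane.doe@example.test'), "\n";
echo build_mail_filter('j*(test)@example.test'), "\n";
```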

  4. Hassan

    When I try this code with my domain credentials it shows this:

    Warning: ldap_control_paged_result_response(): Result is: Referral (10) in C:\xampp\htdocs\me.php on line 85
    No members found, make sure you are specifying the correct object_class

    What is the solution?

    • Hassan

      I found the error and fixed it.
      Now I want to get the users which are located at mydomain_controller->Branches->HQ->Users.

      How could this be done?

      • Here is the answer:

        You must understand what OU, CN means in AD.
        Answer is here:
        $members = mydap_members('OU=Branches,OU=HQ,OU=Users,DC=domain,DC=_controller','c');

        For better linking get LDAP Admin (free), where you can get full attributes.

  5. Hello,
    Have read about same problem ;)
    What unable to get custom attribute like > extensionattribute10, I have same, but different problem.
    In our W2008 R2 we have totally custom attributes like > company01, title01

    Is there any way to get these attribute values?

    As for MS tools -> in connection query addition -properties ("attributes",..) field goes in to getting not default set of attributes, but only asked attributes.

    Thanks for noticing

    • Ok, already found the solution :)
      In your version just need to change $keep=false / to true!
      function mydap_attributes($user_dn,$keep=true)
      And it starts to work ;)

      Thanks!

  6. Daniel

    Nice code! It’s working for 90% of our AD groups. But for some, it’s returning 0 members. I modified a section of mydap_members while debugging and for some reason, on some groups, $members is returning NULL even though the $members array looks something similar to this:

    Array
    (
    [count] => 1
    [0] => Array
    (
    [member] => Array
    (
    [count] => 0
    )

    [0] => member
    [member;range=0-1499] => Array
    (
    [count] => 1500
    [0] =>
    [1] =>
    [2] =>
    [3] =>
    [4] =>
    [5] => etc etc etc

    How can I modify the code to prevent $members from returning NULL when the array looks like the above?

    • sam

      Hi Daniel,

      There is a 1500 result limit on attributes (affecting the results of memberOf when seeking group members) that I missed when writing this originally.

      I have altered the logic so that it uses the ‘range’ attribute option to overcome this.

      Let me know if that works for you.
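A sketch of range retrieval for the `member;range=0-1499` situation shown in the dump above. This is an added example, not the logic mydap itself uses; `extract_range()` and `ad_ranged_values()` are hypothetical names, `$ldap` is assumed to be a bound connection, and the sample entry at the end is constructed.

```php
<?php
// Added example, not mydap's code. Function names are hypothetical.

// Pull the values and the upper bound out of a ranged key such as "member;range=0-1499".
// Returns [values, last_index]; last_index is null when the server marks the final chunk with "*".
function extract_range(array $entry, string $attr): array
{
    $pattern = '/^' . preg_quote($attr, '/') . ';range=\d+-(\d+|\*)$/i';
    foreach ($entry as $key => $val) {
        if (is_string($key) && is_array($val) && preg_match($pattern, $key, $m)) {
            unset($val['count']);
            return [array_values($val), $m[1] === '*' ? null : (int) $m[1]];
        }
    }
    // No ranged key: the plain attribute already holds every value.
    $val = $entry[strtolower($attr)] ?? [];
    unset($val['count']);
    return [array_values($val), null];
}

// Keep asking for "attr;range=N-*" until the server answers with a "-*" chunk.
function ad_ranged_values($ldap, string $dn, string $attr = 'member'): array
{
    $values = [];
    $start = 0;
    do {
        $result = ldap_read($ldap, $dn, '(objectClass=*)', ["$attr;range=$start-*"]);
        if ($result === false) {
            throw new RuntimeException('Read failed: ' . ldap_error($ldap));
        }
        $entries = ldap_get_entries($ldap, $result);
        [$chunk, $last] = $entries['count'] ? extract_range($entries[0], $attr) : [[], null];
        $values = array_merge($values, $chunk);
        $start = $last === null ? null : $last + 1;
    } while ($start !== null);
    return $values;
}

// Constructed entry in the shape of the dump above (three values instead of 1500).
$sample = [
    'member' => ['count' => 0],
    0 => 'member',
    'member;range=0-2' => ['count' => 3, 'CN=A,DC=example,DC=test', 'CN=B,DC=example,DC=test', 'CN=C,DC=example,DC=test'],
    1 => 'member;range=0-2',
    'count' => 2,
    'dn' => 'CN=Big Group,DC=example,DC=test',
];
[$chunk, $last] = extract_range($sample, 'member');
printf("%d values, next range starts at %d\n", count($chunk), $last + 1);
```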

  7. Jim

    Hi Sam,
    Looks like exactly the piece of code I need for my project. If I could get it to work, that would be great!
    I keep getting: No members found, make sure you are specifying the correct object_class
    and in my log: PHP Warning: ldap_search(): Partial search results returned: Sizelimit exceeded

    I’m pretty sure I use the right object_class. Can you point me in the right direction?

    Grtz, Jim

  8. Melle van Aar

    First of all, thanks a lot. This script saved me a lot of time.
    I’m facing a second challenge, where I would like to list all the OUs under the Users OU.

    Now I’m still a beginner in PHP, and can’t seem to list these right. Could you point me in the right direction? What changes do I need to make to the script?

    I’m using object_class ‘o’, and under the $members is set to the right path. I want to keep the $cn.
    Thanks in advance for your reply.

    Melle

  9. I have incorporated your script into a WordPress plugin for my company’s Intranet. I use it to show all of the members in an AD group. My problem is the pagination of group members. It looks like the code does pagination for containers and Org units but not for groups. Not sure if I am missing something but I wanted to know if you could point me in the right direction to get it working.

    Thanks,
    Joe

  10. Tony Chong

    Hi there,

    Thanks for the code.
    I hit a problem here: as my AD is not well structured, I would like to load from the AD root. Can you advise?

    My setting
    $members = mydap_members('CN=Users,DC=ad,DC=local','c'); // Working
    $members = mydap_members('DC=ad,DC=local','c'); // Not Working

    Warning: ldap_search(): Search: Operations error in D:\xampp\htdocs\mydap\index.php on line 279
    Error searching LDAP: Operations error

    • Tony Chong

      2nd question: does this support LDAP filters? (-Filter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))")
      Because my CN may contain sub-CNs which may have computer objects.
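A paged, filtered search from the domain root, covering both the `primaryGroupID` of 513 suggestion earlier in the thread and the filter question above. This is an added example, not mydap's code: `ad_paged_search()` and the environment variable names are hypothetical, and it assumes PHP 7.3 or later, where paging controls are passed directly to `ldap_search()`.

```php
<?php
// Added example, not mydap's code. ad_paged_search() is a hypothetical helper.
function ad_paged_search($ldap, string $base_dn, string $filter, array $attrs, int $page_size = 500): array
{
    $rows = [];
    $cookie = '';
    do {
        $controls = [[
            'oid'   => LDAP_CONTROL_PAGEDRESULTS,
            'value' => ['size' => $page_size, 'cookie' => $cookie],
        ]];
        $result = ldap_search($ldap, $base_dn, $filter, $attrs, 0, -1, -1, LDAP_DEREF_NEVER, $controls);
        if ($result === false) {
            throw new RuntimeException('Search failed: ' . ldap_error($ldap));
        }
        ldap_parse_result($ldap, $result, $errcode, $matched_dn, $errmsg, $referrals, $server_controls);
        $entries = ldap_get_entries($ldap, $result);
        for ($i = 0; $i < $entries['count']; $i++) {
            $rows[] = $entries[$i];
        }
        // An empty cookie means the server has no further pages.
        $cookie = $server_controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
    } while ($cookie !== '');
    return $rows;
}

// Domain Users by primary group ID, and users whose "account disabled" bit is not set.
// The NOT clause is written with the inner parentheses that RFC 4515 requires.
const FILTER_DOMAIN_USERS  = '(&(objectCategory=person)(objectClass=user)(primaryGroupID=513))';
const FILTER_ENABLED_USERS = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';

// Runs only when connection details are supplied (variable names are assumptions).
if (getenv('LDAP_URI')) {
    $ldap = ldap_connect(getenv('LDAP_URI'));          // e.g. ldaps://dc.example.test
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);     // do not chase referrals returned by a domain-root search
    ldap_bind($ldap, getenv('LDAP_BIND_DN'), getenv('LDAP_BIND_PW')) or exit(ldap_error($ldap));
    foreach (ad_paged_search($ldap, getenv('LDAP_BASE_DN'), FILTER_DOMAIN_USERS, ['mail']) as $user) {
        echo $user['dn'], "\n";
    }
}
```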
