mydap – PHP LDAP get members of Container/Group/OU

In mydap() version 4 we can query all members of a container, group, or organizational unit. LDAP pagination has also been incorporated, allowing results to exceed the 1000-result limit.

See the end of the script for example usage. Feel free to ask questions in the comments.

Update 2/4/2017: Added support to overcome the 1500 attribute limit affecting groups.


    • sam

      It’s looping through each member on line 120 (in the example)

      You can use mydap_attributes to get a specific user’s attributes by providing it the DN as the first parameter, and an array of attributes you want returned.

  1. Manuel

    Hi there!!

    Thank you for your work!! It helps a lot :)

    I’m having some trouble finding users in the Domain Users primary group… I’m not able to get any user…

    Can you please help me?

    Thanks in advance :)

    • sam

      Since Domain Users is a primary group you need to use its ID 513

      I would recommend maybe creating a new object_class condition called something like ‘domainusers’ that would alter the ldap_search to filter all users with a primaryGroupID of 513

  2. Jacob

    Hi Sam
    Truly amazing piece of code. I have trouble getting extensionAttribute10-13 from AD.
    I’ve tried really a lot of combinations, but nothing has worked so far.

    $keep = array('extensionAttribute10','mail');

    // Iterate each member to get attributes
    $i = 1; // For counting our output
    foreach($members as $m) {
        // Query a user's attributes using mydap_attributes(member_dn,keep)
        // The member_dn is the step $m of this foreach
        $attr = mydap_attributes($m,$keep);

        // Each attribute is returned as an array, the first key is [count], [0]+ will contain the actual value(s)
        // You will want to make sure the key exists to account for situations in which the attribute is not returned (has no value)
        $ex10 = isset($attr['extensionAttribute10'][0]) ? $attr['extensionAttribute10'][0] : "[no extensionAttribute10]";
        $mail = isset($attr['mail'][0]) ? $attr['mail'][0] : "[no email]";

        // Do what you will, such as store or display member information
        echo "$i. $ex10, $mail";
        $i++;
    }


    • sam

      Hi Jacob,

      Try lowercase:

  3. Linh Nguyen

    Hello Sam,

    I am wondering if it’s possible to look up a specific user by e-mail in Active Directory? If it’s possible, can you please provide an example?

    Best Regards,


  4. Hassan

    When I try this code with my domain credentials it shows this:

    Warning: ldap_control_paged_result_response(): Result is: Referral (10) in C:\xampp\htdocs\me.php on line 85
    No members found, make sure you are specifying the correct object_class

    What is the solution?

    • Hassan

      I found the error and fixed it.
      Now I want to get the users which are located at mydomain_controller->Branches->HQ->Users.

      How could this be done?

      • Here is the answer:

        You must understand what OU, CN means in AD.
        Answer is here:
        $members = mydap_members('OU=Branches,OU=HQ,OU=Users,DC=domain,DC=_controller','c');

        For better linking get LDAP Admin (free), where you can get full attributes.

  5. Hello,
    Have read about same problem ;)
    What unable to get custom attribute like > extensionattribute10, I have same, but different problem.
    In our W2008 R2 we have totally custom attributes like > company01, title01

    Is there any way to get these attribute values?

    As For MS tools -> in connection query addition -properties (“attributes”,..) field goes in to getting not default set of attributes, but only asked attributes.

    Thanks for noticing

    • Ok, already found the solution :)
      In your version just need to change $keep=false / to true!
      function mydap_attributes($user_dn,$keep=true)
      And it starts to work ;)


  6. Daniel

    Nice code! It’s working for 90% of our AD groups. But for some, it’s returning 0 members. I modified a section of mydap_members while debugging and for some reason, on some groups, $members is returning NULL even though the $members array looks something similar to this:

    [count] => 1
    [0] => Array
    [member] => Array
    [count] => 0

    [0] => member
    [member;range=0-1499] => Array
    [count] => 1500
    [0] =>
    [1] =>
    [2] =>
    [3] =>
    [4] =>
    [5] => etc etc etc

    How can I modify the code to prevent $members from returning NULL when the array looks like the above?

    • sam

      Hi Daniel,

      There is a 1500 result limit on attributes (affecting the results of memberOf when seeking group members) that I missed when writing this originally

      I have altered the logic so that it uses the ‘range’ attribute option to overcome this

      Let me know if that works for you
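
The 'range' attribute option mentioned above, worked through offline on an entry shaped like Daniel's dump. This is an added example, not code from mydap: the function names are hypothetical and the sample entry is constructed (3 values stand in for 1500).

```php
<?php
/**
 * Pull the values of $attr out of one ldap_get_entries()-style entry,
 * whether they arrived plainly or under an "attr;range=LOW-HIGH" key.
 * Returns [values, next]: next is the LOW to ask for in the following
 * query, or null when the server marked the chunk as final (HIGH is "*").
 */
function ranged_values(array $entry, string $attr): array
{
    $attr = strtolower($attr);
    $pattern = '/^' . preg_quote($attr, '/') . ';range=(\d+)-(\d+|\*)$/i';
    foreach ($entry as $key => $val) {
        if (!is_string($key) || !is_array($val)) {
            continue; // skip the numeric name index and scalar fields like 'count'
        }
        if (preg_match($pattern, $key, $m)) {
            unset($val['count']);
            $next = $m[2] === '*' ? null : (int)$m[2] + 1;
            return [array_values($val), $next];
        }
    }
    // No ranged key: the plain attribute holds everything (or nothing).
    $val = $entry[$attr] ?? [];
    unset($val['count']);
    return [array_values($val), null];
}

/** Attribute name to request for the chunk starting at $low. */
function range_request(string $attr, int $low): string
{
    return sprintf('%s;range=%d-*', $attr, $low);
}

// Constructed sample: empty 'member', values under the ranged key.
$entry = [
    'member' => ['count' => 0],
    0 => 'member',
    'member;range=0-2' => ['count' => 3, 'CN=a,DC=example', 'CN=b,DC=example', 'CN=c,DC=example'],
    1 => 'member;range=0-2',
    'count' => 2,
];
[$values, $next] = ranged_values($entry, 'member');
printf("%d values, next request: %s\n", count($values),
    $next === null ? 'none' : range_request('member', $next));
```

Reading only `$entry['member']` on such an entry gives an empty list, which is why a large group can appear to have no members.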

  7. Jim

    Hi Sam,
    Looks like exactly the piece of code I need for my project. If I could get it to work, that would be great!
    I keep getting: No members found, make sure you are specifying the correct object_class
    and in my log: PHP Warning: ldap_search(): Partial search results returned: Sizelimit exceeded

    I’m pretty sure I use the right object_class. Can you point me in the right direction?

    Grtz, Jim

  8. Melle van Aar

    First of all, thanks a lot. This script saved me a lot of time.
    I’m facing a second challenge, where I would like to list all the OUs under the Users OU.

    Now I’m still a beginner in PHP, and can’t seem to list these right. Could you point me in the right direction? What changes do I need to make to the script?

    I’m using object_class ‘o’, and under the $members is set to the right path. I want to keep the $cn.
    Thanks in advance for your reply.


  9. I have incorporated your script into a wordpress plugin for my company’s Intranet. I use it to show all of the members in an AD group. My problem is the pagination of group members. It looks like the code does pagination for containers and Org units but not for groups. Not sure if I am missing something but I wanted to know if you could point me in the right direction to get it working.


  10. Tony Chong

    Hi there,

    Thanks for code.
    I hit a problem here: as my AD is not well structured, I would like to load from the AD root. Can you advise?

    My setting
    $members = mydap_members('CN=Users,DC=ad,DC=local','c'); // Working
    $members = mydap_members('DC=ad,DC=local','c'); // Not Working

    Warning: ldap_search(): Search: Operations error in D:\xampp\htdocs\mydap\index.php on line 279
    Error searching LDAP: Operations error

  11. Dennis

    Not sure why I can’t get this working.. trying to Query OpenLDAP with your script and nothing I do seems to work. I only see:
    PHP Warning: sort() expects parameter 1 to be array, null given in /var/www/vhosts/ on line 120
    No members found, make sure you are specifying the correct object_class

    I have tried combinations of c,g,o with the following:
    cn=users,dc=domain,dc=lan cn=groupname,ou=Groups,dc=domain,dc=lan and even the base of dc=domain,dc=lan

    I know I’m not giving a lot to go on, but any pointers or something to try??

  12. bitfuzzy

    I turned this into a class mydap and modified your example to populate a drop down list, but now when I call the function multiple times from the same page (even from different instances) I get the error Error, LDAP connection already established, even though I am calling mydap::mydap_end(); at the end of every static function. Any hints?

  13. speed111

    Is there a way to get the group name “Users” from a variable set earlier?
    $members = mydap_members('CN=Users,DC=ad,DC=local','c');

  14. Hasse

    Hi Sam!
    Thanks for code. I have the same question as speed111.
    I tried to use variable instead of CN=Users in different ways.
    But I get error searching LDAP: Invalid DN syntax.



  15. Hello. Thanks Sam for the code!

    If you are going to use accountexpires, use this code snippet. Then you get the output in valid date format.

    $accountexpires = isset($attr['accountexpires'][0]) ? date("Y-m-d", $attr['accountexpires'][0]/10000000-11644473600) : "[no accountexpires]";
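
Active Directory stores 0 or 9223372036854775807 in accountExpires for accounts that never expire, and plain arithmetic on those values produces a meaningless date. The added example below (not code from mydap; the function name and sample values are constructed) converts the attribute with those cases handled, assuming 64-bit PHP.

```php
<?php
const FILETIME_EPOCH_OFFSET = 11644473600;          // seconds between 1601-01-01 and 1970-01-01
const NEVER_EXPIRES = ['0', '9223372036854775807']; // AD uses both for "never expires"

/**
 * Convert an accountExpires value (100 ns ticks since 1601-01-01 UTC)
 * to 'Y-m-d' in UTC. Returns null when the attribute is missing, is not
 * a plain digit string, or marks an account that never expires.
 */
function account_expires_date(?string $raw): ?string
{
    if ($raw === null || !ctype_digit($raw) || strlen($raw) > 19
        || in_array($raw, NEVER_EXPIRES, true)) {
        return null;
    }
    // Integer division avoids passing a fractional float to gmdate().
    $seconds = intdiv((int)$raw, 10000000) - FILETIME_EPOCH_OFFSET;
    return gmdate('Y-m-d', $seconds);
}

// Constructed samples in the shape mydap_attributes() results are read above.
$samples = [
    ['accountexpires' => ['count' => 1, '132223104000000000']],  // a real expiry date
    ['accountexpires' => ['count' => 1, '9223372036854775807']], // never expires
    ['accountexpires' => ['count' => 1, '0']],                   // never expires
    [],                                                          // attribute not returned
];
foreach ($samples as $attr) {
    $date = account_expires_date($attr['accountexpires'][0] ?? null);
    echo ($date ?? '[never expires or not set]'), "\n";
}
```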

  16. And before I forget, if you are using manager you need to explode the result.

    $manager = isset($attr['manager'][0]) ? $attr['manager'][0] : "[no manager]";
    $m = explode(",",$manager,2);
    $g = explode("=",$m[0]);

    and instead of using $manager, use $g[1]
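
A DN escapes commas inside a value with a backslash, so a manager named "Doe, John" comes back as `CN=Doe\, John,OU=...` and splitting on the first comma cuts the name short. The added example below (not code from mydap; the function name and sample DN are constructed) reads the first RDN value with escapes honoured, assuming a single-valued first RDN.

```php
<?php
/**
 * Return the value of the first RDN of a DN (the CN of a typical manager
 * DN). Backslash escapes are decoded: "\," style single characters and
 * "\XX" hex pairs. Returns null if the DN has no attribute=value form.
 */
function first_rdn_value(string $dn): ?string
{
    $value = '';
    $seenEquals = false;
    $len = strlen($dn);
    for ($i = 0; $i < $len; $i++) {
        $ch = $dn[$i];
        if (!$seenEquals) {              // still inside the attribute name
            if ($ch === '=') {
                $seenEquals = true;
            }
            continue;
        }
        if ($ch === ',') {               // unescaped comma ends the first RDN
            break;
        }
        if ($ch === '\\' && $i + 1 < $len) {
            $hex = substr($dn, $i + 1, 2);
            if (strlen($hex) === 2 && ctype_xdigit($hex)) {
                $value .= chr(hexdec($hex)); // "\2C" -> ","
                $i += 2;
            } else {
                $value .= $dn[$i + 1];       // "\," -> ","
                $i += 1;
            }
            continue;
        }
        $value .= $ch;
    }
    return $seenEquals ? $value : null;
}

// Constructed sample DN with an escaped comma in the CN.
$manager = 'CN=Doe\, John,OU=Staff,DC=example,DC=com';
$naive = explode('=', explode(',', $manager, 2)[0])[1];
echo "explode():         $naive\n";
echo "first_rdn_value(): " . first_rdn_value($manager) . "\n";
```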

  17. Ilias

    Thank you so much for the script.
    Is there a way to have a TLS/SSL connection (ldaps) with the certificate ignored on port 636?
    I unfortunately cannot connect to a samba4 based DC.
    Kind regards.

    • sam

      Hi Ilias,

      You should be able to add this line to ignore certs in ldap.conf (on linux):

      Or on Windows, try this above ldap_connect():

  18. Ilias

    Hi Sam,
    I had done that already, so I guess I miss something else. Port is 636 and protocol is ldaps. Should that require modification of the code on the PHP script?
    Thanks in advance for your patience.

    • sam

      Ok for the host parameter make sure you are using the ldaps:// prefix, for example:

      If you have that and the TLS_REQCERT never is correctly being adhered to it should work

      • Ilias

        Hi Sam,
        I directly executed an ldapsearch with success in order to verify
        ldapsearch -D "cn=mysearchuser,ou=user_ou,dc=this,dc=example,dc=domain" -w "" -H ldaps://remote_host -b "cn=Users,dc=this,dc=example,dc=domain"
        and it worked.
        So I found out I just had the wrong path for my searchuser :(
        Now of course the script works too.
        Really sorry for making you lose some time on this, I should have verified more thoroughly before asking.
        Thanks once again for sharing such a useful script!
