Question

I am successfully querying our Active Directory for a user with the following code:

$filter = "(&(objectCategory=person)(samaccountname=someusername))";
$fields = array("samaccountname","mail","manager","department","displayname","objectGUID");

$user = ldap_search($ldapconnection, $baseDn, $filter, $fields);

The resulting array gives this value for the manager attribute:

CN=McBossy\, Boss,OU=Users,OU=CentralOffice,DC=ds,DC=example,DC=com

This looks like a distinguishedName to me. But when I try to query for the manager's record,

$filter = "(&(objectCategory=person)(dn='CN=McBossy\, Boss,OU=Users,OU=CentralOffice,DC=ds,DC=example,DC=com'))";

$manager = ldap_search($ldapconnection, $baseDn, $filter, $fields);

the query fails with PHP Warning: ldap_search(): Search: Bad search filter

I've tried a number of possibilities including different quotation, more parentheses, using distinguishedName rather than dn, etc.

What am I doing wrong and what is the right way to get the manager's record?


Solution

dn is not an attribute. Only attribute types, OIDs, and names can be used in filters.

When you get the manager attribute, to get the attributes for the DN that is the manager, use the value of the manager attribute as the base object in a search request. Set the scope of the search to BASE, the filter to either (&) or (objectClass=*) and request the attributes required. Then transmit the search request to the server and interpret the response.
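The procedure above, written out in PHP as an added example (not code from the question or the answer). It looks the user up by sAMAccountName, takes the DN from the manager attribute and fetches that entry with ldap_read(), which is a scope=BASE search with the DN as the base object, so the DN is never placed in a filter and needs no escaping. The host, bind account, password and the command-line argument are assumptions; the sAMAccountName is passed through ldap_escape() so user-supplied input cannot change the filter.

```php
<?php
// Added example: fetch a user, then read the manager's entry by DN (scope BASE).
// Placeholders: LDAP_URI, BIND_DN and BIND_PW are assumed values, not from the post.
declare(strict_types=1);

const LDAP_URI = 'ldaps://dc1.ds.example.com';                      // assumed host
const BIND_DN  = 'CN=svc-ldap,OU=Service,DC=ds,DC=example,DC=com';   // assumed service account
const BIND_PW  = 'change-me';                                        // assumed password
const BASE_DN  = 'DC=ds,DC=example,DC=com';
const FIELDS   = ['samaccountname', 'mail', 'manager', 'department', 'displayname'];

function ldapConnect()
{
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        throw new RuntimeException('cannot parse LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD answers subtree searches on the domain root with referrals to other
    // partitions; do not chase them, or the search may fail or hang.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    if (!ldap_bind($conn, BIND_DN, BIND_PW)) {
        throw new RuntimeException('bind failed: ' . ldap_error($conn));
    }
    return $conn;
}

/** Find exactly one user by sAMAccountName; the value is escaped for use in a filter. */
function findUser($conn, string $sam): ?array
{
    $filter = sprintf('(&(objectCategory=person)(sAMAccountName=%s))',
                      ldap_escape($sam, '', LDAP_ESCAPE_FILTER));
    $res = ldap_search($conn, BASE_DN, $filter, FIELDS);
    if ($res === false) {
        throw new RuntimeException('search failed: ' . ldap_error($conn));
    }
    $entries = ldap_get_entries($conn, $res);
    return $entries['count'] === 1 ? $entries[0] : null;
}

/**
 * Read the entry at $dn. The DN is the search base and the scope is BASE,
 * so it is used verbatim; "(objectClass=*)" matches the base object itself.
 */
function readByDn($conn, string $dn): ?array
{
    $res = @ldap_read($conn, $dn, '(objectClass=*)', FIELDS);
    if ($res === false) {
        // Typically "No such object" when the referenced entry was deleted or moved.
        fwrite(STDERR, "ldap_read({$dn}) failed: " . ldap_error($conn) . "\n");
        return null;
    }
    $entries = ldap_get_entries($conn, $res);
    return $entries['count'] === 1 ? $entries[0] : null;
}

$conn = ldapConnect();
$user = findUser($conn, $argv[1] ?? 'someusername');   // account name is an assumed CLI argument
if ($user === null) {
    exit("user not found\n");
}
// ldap_get_entries() lower-cases attribute names; 'manager' is simply absent
// when the user has no manager set, so test for it before using it.
if (!isset($user['manager'][0])) {
    exit("user has no manager attribute\n");
}
$managerDn = $user['manager'][0];   // e.g. CN=McBossy\, Boss,OU=Users,OU=CentralOffice,DC=ds,DC=example,DC=com
$manager   = readByDn($conn, $managerDn);
if ($manager !== null) {
    printf("%s reports to %s <%s>\n",
        $user['displayname'][0] ?? $user['samaccountname'][0],
        $manager['displayname'][0] ?? '?',
        $manager['mail'][0] ?? '?');
}
ldap_unbind($conn);
```

The base-scope read is the cheapest way to follow a DN-valued attribute such as manager, memberOf or managedBy: the server locates the object directly instead of scanning the subtree, and because the DN never enters a filter there is no escaping to get wrong. Check the result of ldap_read() rather than assuming the referenced entry still exists.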

Other tips

Old question, but I don't think it was answered clearly. You can search AD by DN for a user, computer, or group, but it must be escaped properly, so use the built-in function.

$ldap_to_find = ldap_escape($manager_dn, '', LDAP_ESCAPE_FILTER); // second argument is a string of characters to leave unescaped; null is deprecated since PHP 8.1
$ldap_filter  = "(distinguishedName={$ldap_to_find})";

From my testing, adding class or category makes no speed difference, probably because the DN is a unique location and not a real attribute.
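An added example (not part of the answer above) showing what that escaping does to the DN from the question. In an LDAP filter value a backslash must be followed by two hex digits, so the "\," that the directory returns inside a DN is not a valid filter escape when copied verbatim; libldap rejects the whole filter, which is the client-side "Bad search filter" warning. ldap_escape() with LDAP_ESCAPE_FILTER rewrites the backslash as "\5c" (commas and equals signs need no escaping in a filter). The sample DN is the one from the question; the function name is mine.

```php
<?php
// Added example: build a filter that matches an entry by its distinguishedName.
declare(strict_types=1);

/**
 * Return a filter that matches exactly the entry with this DN. Only the
 * characters \ * ( ) and NUL are rewritten; the result is safe to interpolate.
 */
function dnFilter(string $dn): string
{
    return sprintf('(distinguishedName=%s)', ldap_escape($dn, '', LDAP_ESCAPE_FILTER));
}

// DN taken from the question (single-quoted, so "\," is kept literally).
$managerDn = 'CN=McBossy\, Boss,OU=Users,OU=CentralOffice,DC=ds,DC=example,DC=com';

// What the asker sent, and what the server must be sent instead.
$brokenFilter = "(distinguishedName={$managerDn})";   // "\," is an invalid filter escape
$goodFilter   = dnFilter($managerDn);                 // "\," becomes "\5c,"

echo "broken: {$brokenFilter}\n";
echo "good:   {$goodFilter}\n";

// Usage against a directory (connection handling omitted; see the accepted answer's approach):
//   $res = ldap_search($ldapconnection, $baseDn, dnFilter($managerDn), $fields);
```

Running the script prints the escaped form `(distinguishedName=CN=McBossy\5c, Boss,OU=Users,OU=CentralOffice,DC=ds,DC=example,DC=com)`. Note that this is a subtree search filtered on a unique attribute; if you already hold the DN, a base-scope read with that DN as the search base (the accepted answer) reaches the same entry without any escaping at all.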

I am not sure if I understand your question completely. For example, if there is an entry in LDAP

dn: uid=John Smith,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
cn: John Smith
sn: smith
uid: jsmith
uid: John Smith
mail: j.smith@example.com
ou: accounting

if you want to search for an entry whose DN contains "uid=John Smith", the command will look like:

ldapsearch -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -LLL '(uid:dn:=John Smith)'

https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow