Faisal Al-Tameemi

Reputation: 39

How to get a list of all Distinguished Names (DNs) from AD (LDAP) using PHP?

I would like to get a list of all the DNs that are inside an Active Directory while only having the base DN.

Also a list of all the groups and group members.

The language used is PHP.

If PHP is a bad choice for this task, what language would you recommend?

Cheers,

Upvotes: 1

Views: 1805

Answers (2)

Terry Gardner

Reputation: 11134

Use:

  • Use an empty string or your base DN for the base object
  • (objectClass=*) for the filter
  • wholeSubtree or 2 or sub for the search scope
  • 1.1 for the requested attribute list.

1.1 is an OID that matches no attribute type and the server should return only the distinguished names (no attributes). (objectClass=*) is a present filter - all LDAP entries have at least the objectClass attribute.

This will return a list of all distinguished names -- assuming the directory server administrators allow LDAP clients to trawl the directory server database (some administrators will not permit this).

Group distinguished names will be returned also. Which entries are members of the groups will depend on the attribute used to name the members.

Upvotes: 1

mpontes

Reputation: 3004

PHP has an LDAP extension. As long as your PHP installation has that extension enabled, you should be able to effortlessly connect to an AD server and perform your queries.

After that, it's just a matter of performing basic function calls: ldap_connect(), ldap_bind(), ldap_search(), ldap_get_entries() and then iterating over the result set.

Keep in mind that if you wish to perform changes to AD (which doesn't seem to be the case here), you'll have to connect through SSL, which might have a few gotchas involving making PHP see your AD's SSL certificate as trusted.

Upvotes: 1
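
The search parameters from the first answer combined with the function calls named in the second, as an added example that is not part of either answer. It assumes PHP 7.3 or later with the LDAP extension; the function name `listAllDns`, the host, base DN, bind account and the `LDAP_PASSWORD` environment variable are hypothetical placeholders. It goes slightly beyond the answers by paging the search, because AD caps a single response (1000 entries by default), and by rejecting an empty password, which LDAP would treat as an unauthenticated bind.

```php
<?php
// Added example, not code from either answer. Host, base DN and bind account
// are placeholders (assumptions). Requires ext-ldap and PHP >= 7.3.
declare(strict_types=1);

function listAllDns(string $uri, string $bindDn, string $password, string $baseDn): array
{
    if ($password === '') {
        // A simple bind with an empty password is an unauthenticated bind and may "succeed".
        throw new InvalidArgumentException('Refusing to bind with an empty password');
    }
    $conn = ldap_connect($uri); // with ldaps:// the simple-bind password is not sent in clear text
    if ($conn === false) {
        throw new RuntimeException("Invalid LDAP URI: $uri");
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0); // do not chase referrals returned by AD
    if (!@ldap_bind($conn, $bindDn, $password)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($conn));
    }

    $dns = [];
    $cookie = '';
    do {
        // Paged results control: fetch 500 entries per round trip until the cookie is empty.
        $controls = [[
            'oid'   => LDAP_CONTROL_PAGEDRESULTS,
            'value' => ['size' => 500, 'cookie' => $cookie],
        ]];
        // ldap_search() always uses subtree scope; '1.1' requests no attributes, only DNs.
        $result = ldap_search($conn, $baseDn, '(objectClass=*)', ['1.1'], 0, -1, -1, LDAP_DEREF_NEVER, $controls);
        if ($result === false) {
            throw new RuntimeException('Search failed: ' . ldap_error($conn));
        }
        ldap_parse_result($conn, $result, $errcode, $matchedDn, $errmsg, $referrals, $serverControls);
        for ($e = ldap_first_entry($conn, $result); $e !== false; $e = ldap_next_entry($conn, $e)) {
            $dns[] = ldap_get_dn($conn, $e);
        }
        $cookie = $serverControls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
    } while ($cookie !== '');

    ldap_unbind($conn);
    return $dns;
}

// Placeholder connection details; use a read-only account scoped to what it needs to see.
$password = getenv('LDAP_PASSWORD') ?: '';
foreach (listAllDns('ldaps://dc.example.com', 'svc-reader@example.com', $password, 'DC=example,DC=com') as $dn) {
    echo $dn, PHP_EOL;
}
```

The returned list contains only entries the bind account is permitted to read, so a short result can reflect directory ACLs rather than an empty subtree.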
