Nevo David

Reputation: 137

PHP + LDAP find members of memberOf

I use sAMAccountName to search for a user; after retrieving the user I get the user's "memberOf" list. I want to fetch all the members of each group in the user's "memberOf". Is it possible to do it in one search?

Nevo.

OK, here is what I got so far:

$ds = ldap_connect('145.20.0.10', 389);
// Active Directory expects LDAPv3; without this option the bind can fail
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$bind = ldap_bind($ds, "aa", "aa");
if ($bind) {
      $dn = "OU=all users,DC=mycustomdc,DC=co,DC=il";
      $search = ldap_search($ds, $dn, "(samaccountname=asd)", ['memberOf', 'company', 'department']);
      $enr = ldap_get_entries($ds, $search);
      // $enr[0]['memberof'] holds the group DNs (attribute keys are lowercased and carry a 'count' entry)
}

This gives me the memberOf of the member, but I need to get the members of the memberOf.

Upvotes: 0

Views: 2769

Answers (1)

Gabriel Luci

Reputation: 40858

If I understand you correctly, you are starting with one user account and you want to:

  1. Get all the groups that user is a member of (by getting the value of 'memberOf')
  2. Find the members of each group found in step 1.

There are two ways you can do this:

  1. Iterate through all the groups and make a separate call to get the 'member' attribute, which will have the list of members.
  2. Construct a query based on 'memberOf' to find all other people who are members of the same groups:

(&(objectClass=user)(|(memberOf=CN=group1,OU=something,DC=mydomain,DC=com)(memberOf=CN=group2,OU=something,DC=mydomain,DC=com)(memberOf=CN=group3,OU=something,DC=mydomain,DC=com)))

It is possible to get different results based on which method you use.

Method 1 will get you any members of the groups, even if they're on other domains outside the domain or forest (for example, domains with one-way trusts).

With method 2 (searching memberOf) your results will be different if you search using LDAP:// (port 389) or GC:// (port 3268). Using GC:// will not work for global or domain local groups, whereas using LDAP:// will. However, if you use LDAP:// you will only get users from one domain, which might be a problem if you have other domains in your AD forest.

If you only have 1 domain in your organization with no trusts to other domains, then you are better off using LDAP://.

Upvotes: 1
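Both methods from the answer above, worked through in PHP as an added example (this is not the poster's or the answerer's code). The host name, base DN and service account are assumed placeholders; the one point the example adds is that every value that ends up inside a filter, whether the user-supplied sAMAccountName or a group DN read back from the directory, goes through ldap_escape() so that characters such as '(' or '*' cannot change the meaning of the query.

```php
<?php
// Added example: both methods for "members of the groups a user is in".
// Assumptions (hypothetical): host 'ldap.example.invalid', base DN and a
// service account below; replace them with your own values.

function ldapConnect(string $host, string $bindDn, string $password)
{
    $ds = ldap_connect("ldap://$host");
    if ($ds === false) {
        throw new RuntimeException("bad LDAP URI");
    }
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0); // AD: do not chase referrals
    if (!@ldap_bind($ds, $bindDn, $password)) {
        throw new RuntimeException("bind failed: " . ldap_error($ds));
    }
    return $ds;
}

// Step 1: the group DNs of one user. The sAMAccountName is user input,
// so it is escaped to prevent LDAP filter injection.
function userGroupDns($ds, string $baseDn, string $sam): array
{
    $filter = '(&(objectClass=user)(sAMAccountName='
        . ldap_escape($sam, '', LDAP_ESCAPE_FILTER) . '))';
    $sr = ldap_search($ds, $baseDn, $filter, ['memberOf']);
    $entries = ldap_get_entries($ds, $sr);
    if ($entries['count'] === 0 || empty($entries[0]['memberof'])) {
        return [];
    }
    $groups = $entries[0]['memberof']; // attribute names come back lowercased
    unset($groups['count']);
    return array_values($groups);
}

// Method 1: one read per group, returning that group's 'member' attribute.
function membersByGroupRead($ds, array $groupDns): array
{
    $members = [];
    foreach ($groupDns as $groupDn) {
        // ldap_read with a match-all filter reads exactly this group's entry
        $sr = ldap_read($ds, $groupDn, '(objectClass=*)', ['member']);
        $entries = ldap_get_entries($ds, $sr);
        if ($entries['count'] === 0 || empty($entries[0]['member'])) {
            $members[$groupDn] = [];
            continue;
        }
        $m = $entries[0]['member'];
        unset($m['count']);
        $members[$groupDn] = array_values($m);
    }
    return $members;
}

// Method 2: a single OR filter over memberOf. Group DNs taken from the
// directory are still escaped: a DN may legally contain '(' or '*'.
function buildMemberOfFilter(array $groupDns): string
{
    $terms = '';
    foreach ($groupDns as $groupDn) {
        $terms .= '(memberOf=' . ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER) . ')';
    }
    return '(&(objectClass=user)(|' . $terms . '))';
}

function membersBySingleQuery($ds, string $baseDn, array $groupDns): array
{
    if ($groupDns === []) {
        return [];
    }
    $sr = ldap_search($ds, $baseDn, buildMemberOfFilter($groupDns), ['sAMAccountName']);
    $entries = ldap_get_entries($ds, $sr);
    $dns = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $dns[] = $entries[$i]['dn'];
    }
    return $dns;
}

// Usage with the assumed values:
$ds = ldapConnect('ldap.example.invalid',
    'CN=svc-ldap,OU=Service,DC=example,DC=invalid', 'REPLACE_ME');
$baseDn = 'OU=all users,DC=example,DC=invalid';
$groups = userGroupDns($ds, $baseDn, 'asd');
print_r(membersByGroupRead($ds, $groups));           // method 1: DN => members
print_r(membersBySingleQuery($ds, $baseDn, $groups)); // method 2: one result set
ldap_unbind($ds);
```

Two caveats when reading the results: neither method lists the primary group (in Active Directory that membership is stored in primaryGroupID, not in member/memberOf), and for groups above the server's range limit (1500 members by default on AD) method 1 returns the attribute as member;range=0-1499 instead of member, so a production version needs to page through those ranges.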
