Ramon Johannessen

Reputation: 183

How to add a Security Group to AD using LDAP and php

I'm brand new to pretty much all of this - ldap, php, active directory. I'm expanding some code written by someone else that's long gone, so the usual...

I'm pretty sure I need to use ldap_add:

bool ldap_add ( resource $link_identifier , string $dn , array $entry )

but I'm confused mostly - I think - about how to build the dn. Could someone point me to some place to learn this or walk me through an example?

Thanks for your help!

Upvotes: 2

Views: 3007

Answers (1)

SJDS

Reputation: 312

A while ago I was also new to all of this; it took me a long time to find out exactly how LDAP works.

As you wrote correctly, the syntax of ldap_add is

bool ldap_add ( resource $link_identifier , string $dn , array $entry )

A very simplified code example for this:

$server = 'example.com';
$ds = ldap_connect($server);
$dn = 'cn=users,dc=example,dc=com';
// attributes for the entry
$add['uid'] = 'ramon.johannessen';
$add["email"] = '[email protected]';
ldap_add($ds, $dn, $add);

Don't forget to set the LDAP options before modifying entries:

ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

And most servers require binding (I assume you're already doing this).

So put that before ldap_add()

Edit: to add a new folder inside cn=users

First, declare the DN in which the new group should be placed

$dn = 'cn=users,dc=example,dc=com';

Now, describe the desired attributes for this group. Depending on your LDAP server there are different requirements, but let's try this:

$add['objectclass'] = 'organizationalRole'; #this is a required attribute for a group
$add['cn'] = 'NewGroup'; #give any name
if(ldap_add($ds, $dn, $add)) echo "group ".$add['cn']." successfully added to ".$dn;

I'm just doing this off the cuff, hope this helps you to create the new folder!

Upvotes: 1
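
An added example, not part of the answer above: creating an Active Directory security group with ldap_add, where $dn is the full DN of the new entry (its own CN followed by the container), not the container alone. The host dc.example.com, the container CN=Users,DC=example,DC=com, the group name and the LDAP_BIND_DN / LDAP_BIND_PW environment variables are assumptions for illustration.

```php
<?php
// Added example. Host, DNs and the LDAP_BIND_* variable names are assumptions.

// Build the full DN and the attributes for a new AD security group.
function buildSecurityGroup(string $name, string $containerDn): array
{
    // Escape the RDN value so characters such as , + " \ ; cannot reshape the DN.
    $dn = 'CN=' . ldap_escape($name, '', LDAP_ESCAPE_DN) . ',' . $containerDn;
    $entry = [
        'objectClass'    => ['top', 'group'],
        'cn'             => $name,
        'sAMAccountName' => $name,
        // 0x80000000 (security-enabled) | 0x2 (global scope), which AD
        // expects as a signed 32-bit integer.
        'groupType'      => '-2147483646',
    ];
    return [$dn, $entry];
}

[$dn, $entry] = buildSecurityGroup('NewGroup', 'CN=Users,DC=example,DC=com');

$bindDn = getenv('LDAP_BIND_DN');
$bindPw = getenv('LDAP_BIND_PW');
// A DN with an empty password is an unauthenticated bind that may "succeed",
// so refuse to continue without real credentials.
if (!$bindDn || !$bindPw) {
    exit('LDAP_BIND_DN and LDAP_BIND_PW must be set' . PHP_EOL);
}

// LDAPS keeps the simple-bind password off the wire in clear text.
$ds = ldap_connect('ldaps://dc.example.com');
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

if (!@ldap_bind($ds, $bindDn, $bindPw)) {
    exit('bind failed: ' . ldap_error($ds) . PHP_EOL);
}
if (ldap_add($ds, $dn, $entry)) {
    echo "created $dn", PHP_EOL;
} else {
    echo 'ldap_add failed: ' . ldap_error($ds), PHP_EOL;
}
ldap_unbind($ds);
```

The bind account only needs the delegated right to create group objects in that one container; a Domain Admin credential in a web application is far more than this call requires.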
