Reputation: 2165
Is there a way with the PHP LDAP extension to retrieve AD attributes/properties that are not returned by default?
Specifically, I am trying to retrieve the lockedOut property. This one is not retrieved by default when you use ldap_get_attributes. In PowerShell, you have to specify the property in order to retrieve it:
Get-AdUser -Identity foo -Properties LockedOut | Select LockedOut
But trying to specify the attribute the same way with PHP LDAP does not seem to work.
$result = ldap_search($conn, $dn, "(cn=foo)", ["lockedOut"]);
if ($result === false) {
    // Handling error...
}
$count = ldap_count_entries($conn, $result);
if ($count !== 1) {
    // Handling error...
}
$entry = ldap_first_entry($conn, $result);
// This array does not contain the expected "lockedOut" attribute
$attr = ldap_get_attributes($conn, $entry);
// No array returned but false (error)
$value = ldap_get_values($conn, $entry, "lockedOut");
I feel like those non-default properties are not retrievable with PHP LDAP (property != attribute).
Upvotes: 1
Views: 274
Reputation: 2165
There is a default attribute that does the job as a workaround: lockoutTime.
It seems to work this way:
lockoutTime = <not set>
lockoutTime = 0
lockoutTime = 1+
The workaround code:
$result = ldap_search($conn, $dn, "(cn=foo)", ["lockoutTime"]);
if ($result === false) {
    // Handling error...
}
$count = ldap_count_entries($conn, $result);
if ($count !== 1) {
    // Handling error...
}
$entry = ldap_first_entry($conn, $result);
$attr = ldap_get_attributes($conn, $entry);
// ldap_get_attributes() keeps the server's attribute casing (AD returns "lockoutTime"),
// so normalise the keys before looking the value up by its lowercase name
$attr = array_change_key_case($attr, CASE_LOWER);
$rawLockoutTime = $attr["lockouttime"] ?? null;
$isLockedOut = $rawLockoutTime !== null && $rawLockoutTime[0] !== "0";
A reference about it on a post for the Python LDAP.
Upvotes: 1
Reputation: 3663
I don't know about the lockedOut property, but one commenter on the PHP manual page managed to fetch a few other non-standard or operational attributes, such as create and modify timestamps, using the method below. Maybe you can try adding lockedOut to that list of attributes and achieve some success with this method too?
$conn = $ds;               // $ds is an already-bound LDAP connection
$deref = LDAP_DEREF_NEVER; // $deref was left undefined in the original snippet
// '+' asks an OpenLDAP server for all operational attributes in one go
$attrs = array( 'creatorsname', 'createtimestamp', 'modifiersname',
    'structuralObjectClass', 'entryUUID', 'modifytimestamp',
    'subschemaSubentry', 'hasSubordinates', '+' );
$search = @ldap_read( $conn, $dn, '(objectClass=*)', $attrs, 0, 0, 0, $deref );
As another comment on the manual page suggests, you can also try looping through all entries until you find lockedOut; this is another option:
// write_attr() was not defined in the original snippet; a minimal version that dumps one entry
function write_attr($entry, $ds) {
    print_r(ldap_get_attributes($ds, $entry));
}
// Walk every entry of the result set $sr; ldap_next_entry() returns false after the last one,
// so no separate entry count is needed (the original loop overshot by one entry)
for ($entry = ldap_first_entry($ds, $sr); $entry !== false; $entry = ldap_next_entry($ds, $entry)) {
    write_attr($entry, $ds);
}
Edit
As discussed, also refer to this answer.
If you just want to know if the user is locked out, you can fetch lockoutTime instead and check its value. A zero or unset value for this means the user isn't locked out.
Upvotes: 1
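Both answers above settle on reading lockoutTime, which has one catch a practitioner should know: Active Directory does not reset lockoutTime when the lockout window expires, so a non-zero value can describe a lockout that ended long ago. The domain controller evaluates "currently locked" itself in the constructed attribute msDS-User-Account-Control-Computed (bit 0x0010, UF_LOCKOUT), which, like lockoutTime in the answers, is only returned when requested by name. The following is an added example written for this page, not code from the question or either answer. It assumes ldap_get_attributes() returns keys in the server's casing, that lockoutTime is a Windows FILETIME (100-ns intervals since 1601-01-01 UTC), and that the caller has already read the domain's lockoutDuration (stored as a negative 100-ns interval on the domain root) and passes it in as seconds, with null meaning the policy requires an administrator to unlock. The base DN, account name and sample values are constructed.

```php
<?php
// Added example, not part of the original question or answers.
// Assumption: attribute arrays have the shape ldap_get_attributes() returns
// (['lockoutTime' => ['count' => 1, 0 => '...'], 'count' => ...]).

const UF_LOCKOUT = 0x0010;                 // bit in msDS-User-Account-Control-Computed
const FILETIME_EPOCH_OFFSET = 11644473600; // seconds between 1601-01-01 and 1970-01-01

/** Convert an AD FILETIME string (100-ns intervals since 1601) to a Unix timestamp. */
function filetimeToUnix(string $filetime): int
{
    return intdiv((int) $filetime, 10_000_000) - FILETIME_EPOCH_OFFSET;
}

/**
 * Decide whether the account is locked out at time $now.
 *
 * 1. Prefer msDS-User-Account-Control-Computed: the DC computes it and it is
 *    exact, but it must be listed explicitly in the search attributes.
 * 2. Otherwise compare lockoutTime with the lockout window, because a stale
 *    non-zero lockoutTime survives after the lockout has already expired.
 */
function isLockedOut(array $attrs, ?int $lockoutDurationSeconds, int $now): bool
{
    // ldap_get_attributes() preserves server casing; normalise for lookups
    $attrs = array_change_key_case($attrs, CASE_LOWER);

    if (isset($attrs['msds-user-account-control-computed'][0])) {
        $flags = (int) $attrs['msds-user-account-control-computed'][0];
        return ($flags & UF_LOCKOUT) !== 0;
    }

    $raw = $attrs['lockouttime'][0] ?? '0';
    if ($raw === '0') {
        return false; // never locked, or explicitly unlocked by an admin
    }
    if ($lockoutDurationSeconds === null) {
        return true;  // policy: locked until an administrator unlocks
    }
    return filetimeToUnix($raw) + $lockoutDurationSeconds > $now;
}

/**
 * Fetch exactly the attributes isLockedOut() needs for one user.
 * Returns null when the search fails or does not match exactly one entry.
 */
function fetchLockoutAttributes($conn, string $baseDn, string $samAccountName): ?array
{
    // Escape the user-supplied value so it cannot alter the filter
    $escaped = ldap_escape($samAccountName, '', LDAP_ESCAPE_FILTER);
    $filter  = '(&(objectClass=user)(sAMAccountName=' . $escaped . '))';
    $wanted  = ['lockoutTime', 'msDS-User-Account-Control-Computed'];

    $result = ldap_search($conn, $baseDn, $filter, $wanted);
    if ($result === false || ldap_count_entries($conn, $result) !== 1) {
        return null;
    }
    return ldap_get_attributes($conn, ldap_first_entry($conn, $result));
}

// Constructed sample data so the decision logic runs without a directory:
// a lockoutTime of 2024-01-01 00:00:00 UTC and a 30-minute lockout window.
$lockedAt = 1704067200;
$sampleLockoutTime = (string) (($lockedAt + FILETIME_EPOCH_OFFSET) * 10_000_000);
$sample = ['lockoutTime' => ['count' => 1, 0 => $sampleLockoutTime], 0 => 'lockoutTime', 'count' => 1];

// Checked 10 minutes after the lockout: still inside the window
var_dump(isLockedOut($sample, 1800, $lockedAt + 600));
// Checked an hour later: the window has expired although lockoutTime is still non-zero
var_dump(isLockedOut($sample, 1800, $lockedAt + 3600));
// The DC-computed flag wins whenever it was requested and returned
$computed = ['msDS-User-Account-Control-Computed' => ['count' => 1, 0 => (string) UF_LOCKOUT],
             0 => 'msDS-User-Account-Control-Computed', 'count' => 1];
var_dump(isLockedOut($computed, 1800, $lockedAt));

// Live use (placeholders): $conn from ldap_connect()/ldap_bind(), then
// $attrs = fetchLockoutAttributes($conn, 'DC=example,DC=com', 'foo');
```

Keeping the decision in a pure function that takes the attribute array, the policy duration and a clock value makes the stale-lockoutTime case testable without a domain, and requesting msDS-User-Account-Control-Computed alongside lockoutTime costs nothing extra in the same search.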