Checking for group membership in Active Directory using LDAP and PHP

I am not familiar with PHP's implementation of accessing LDAP/Active Directory so I can't help you there. What I can help you with is perhaps understanding where to get information from your domain structure in order to coherently assemble all those CN's, OU's, DN things.

Log into the console of one of your domain controllers and open the "Active Directory Users and Computers" administrator tool.

In the left window pane at the top will be the name of your domain, e.g. somedomain.com. Take note of your domain name.

Now you need to find the location of the ECSDocket_Admin, ECSDocket_User, and ECSDocket_Viewer group objects within your domain structure.

Click on the + (plus) sign next to your domain name (if it isn't already expanded). You should see a bunch of folders (actually OUs and directories, but I'll keep it simple). The groups you are looking for will be located inside one of these 'folders', most likely inside the one called 'users', so start looking there.

Take note of the "path" to where you found the group, starting from the top 'somedomain.com' and working down through the folders, e.g.: somedomain.com/users/etc/ECSDocket_Admin

To query a group object you will need to know its distinguished name (DN). Using the info you collected about your domain name and the location, you can assemble the DN for each of your groups like so:

Note: I am using an example path to a group of: somedomain.com/users/etc/ECSDocket_Admin

DN value is: CN=ECSDocket_Admin,OU=etc,OU=users,DC=somedomain,DC=com

--Notice that we are starting with the object name 'ECSDocket_Admin' and working our way UP the tree (reverse order when looking at the path I had you write down)!

--Notice that just the group name is prefixed with CN=

--Notice that all the 'folder' names are prefixed with OU=

--Notice that we split our domain name at the dot delimiter and prefixed each of those parts with a DC=

--Notice that everything in the DN value is delimited with a comma (,)

Values for other items you will probably need are:

The 'search base' or the point within the directory to start your search, using a domain name of somedomain.com as an example, will be: DC=somedomain,DC=COM

The search scope will be: sub, which simply says it is OK to look in all those 'folders' underneath the starting point too.

Once you figure out how to query a group object, the attribute value you are specifically interested in is called 'member'. This attribute contains multiple values, one for each user that is a member of the group. These values will be the DN of the user account. The part you will be interested in will be the CN=SOMEUSER portion at the beginning, as this is the user's account name. The rest is the 'path' to where this account object is stored in the domain structure.

Hope it helps.
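The PHP side the answer leaves open, as an added example that is not part of the original post: it builds the group DN from the "path" notation described above, searches from the domain root with subtree scope for the group's 'member' attribute, and checks a user against it. The host dc.somedomain.com, the service account svc_ldap@somedomain.com, the LDAP_PASSWORD environment variable and the user DN are assumptions; the group path is the one used in the answer.

```php
<?php
// Added example, not code from the original post. Assumes a reachable domain
// controller, a service account allowed to read group membership, and the
// group path from the answer: somedomain.com/users/etc/ECSDocket_Admin

// Build a DN from the "path" notation used in the answer: the leaf becomes CN=,
// the folders become OU= in reverse order, the domain is split on dots into DC=.
function dnFromPath(string $path): string {
    $parts  = explode('/', trim($path, '/'));
    $domain = array_shift($parts);       // somedomain.com
    $leaf   = array_pop($parts);         // ECSDocket_Admin
    $rdns   = ['CN=' . ldap_escape($leaf, '', LDAP_ESCAPE_DN)];
    foreach (array_reverse($parts) as $ou) {          // etc, users
        $rdns[] = 'OU=' . ldap_escape($ou, '', LDAP_ESCAPE_DN);
    }
    foreach (explode('.', $domain) as $dc) {          // somedomain, com
        $rdns[] = 'DC=' . $dc;
    }
    return implode(',', $rdns);  // CN=ECSDocket_Admin,OU=etc,OU=users,DC=somedomain,DC=com
}

// Return the 'member' values (user DNs) of one group. ldap_search() searches
// from $baseDn with subtree scope, i.e. the "sub" scope the answer describes.
function groupMembers($conn, string $baseDn, string $groupDn): array {
    $filter  = '(&(objectClass=group)(distinguishedName='
             . ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER) . '))';
    $result  = ldap_search($conn, $baseDn, $filter, ['member']);
    $entries = ldap_get_entries($conn, $result);
    if ($entries['count'] !== 1 || empty($entries[0]['member'])) {
        return [];
    }
    $members = $entries[0]['member'];
    unset($members['count']);            // PHP adds a 'count' key to multi-valued attributes
    return array_values($members);
}

// Compare the whole DN, not only the CN= part: accounts in different OUs may share a CN.
function isDirectMember(array $memberDns, string $userDn): bool {
    foreach ($memberDns as $dn) {
        if (strcasecmp($dn, $userDn) === 0) { return true; }
    }
    return false;
}

$conn = ldap_connect('ldap://dc.somedomain.com');                        // assumed host
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
ldap_bind($conn, 'svc_ldap@somedomain.com', getenv('LDAP_PASSWORD'));   // assumed account
$groupDn = dnFromPath('somedomain.com/users/etc/ECSDocket_Admin');
$members = groupMembers($conn, 'DC=somedomain,DC=com', $groupDn);
$userDn  = 'CN=SOMEUSER,OU=users,DC=somedomain,DC=com';                  // assumed user DN
echo isDirectMember($members, $userDn) ? "member\n" : "not a member\n";
```

'member' lists direct members only, so a user who belongs through a nested group will not appear; to include nested membership, search the user object with the filter memberOf:1.2.840.113556.1.4.1941:=<group DN> instead.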
