Need a little help with LDAP group lookup

bunner_bob

I'm working with code someone else wrote, and not knowing a whole lot about LDAP I find myself flailing around a little.

I'm trying to determine whether a user is a member of a specified group. Here's what I've got (host, user, pw, ldap base dn constants are set externally):

class ldapLookup
{
	private $basedn;
	private $conn = FALSE;
	private $errmsg = '';
	public $retVals = 'cn';

function __construct() {

	$this->conn = ldap_connect("ldap://" . LDAP_HOST) or $this->_error('Could not connect to LDAP server.');

	ldap_set_option($this->conn, LDAP_OPT_PROTOCOL_VERSION, 3);
	ldap_set_option($this->conn, LDAP_OPT_REFERRALS, 0);
	ldap_bind($this->conn, LDAP_USER, LDAP_PASS) or $this->_error('Could not bind to LDAP server.');

	if(!defined('LDAP_BASE_DN')
	{
		$this->basedn = 'DC=' . str_replace('.', ',DC=', LDAP_HOST);
	}
	else
	{
		$this->basedn = LDAP_BASE_DN;
	}

}


public function is_user_in_group($logonName, $groupName) {

	$filter = "(&(objectclass=organizationalPerson)(memberOf=CN=$groupName,$this->basedn)(sAMAccountName=$logonName))";
	$return = explode(',', $this->retVals);
	$srch = ldap_search($this->conn, $this->basedn, $filter, $return, 0, 1) or $this->_error('Could not search for user.');

	$result = ldap_get_entries($this->conn, $srch);
	ldap_free_result($srch);

	if($result['count'] < 1)
		return false;
	else {
	   return true;
	}
}
}

It just keeps not working (need to ask my colleague what the exact error message is - will provide). But if I remove this part:
code=php[/code]
I successfully get results. In other words I can determine a person exists, period. Just can't determine if they're a member of a specified group.

Is the syntax of that removed part correct? Do I need to fully qualify the $groupName (at present it's just something like "Leadership.Admin", which IS the name of the group, but doesn't include the whole 'dc=' business).

Or if this is poorly written in general, can anyone point me to a good example of a "check member is in group" ldap script?

scrupul0us

this is what I use for LDAP connection/auth/lookup

$ldap_server = ""; //IP ADDRESS OF LDAP
$ldap_dn = ""; //NAME OF AD FOREST
$ldap_gn = ""; //OU TO SEARCH IN (IF NEEDED)
$ldap_attr = array("*"); //WHAT TO RETURN IN YOUR SEARCH

$ad = ldap_connect($ldap_server);
$lv = ldap_set_option($ad, LDAP_OPT_PROTOCOL_VERSION, 3);
$bd = ldap_bind($ad,$ldap_user,$ldap_password);
$result = ldap_search($ad, $ldap_dn, $ldap_filter, $ldap_attr);
$entries = ldap_get_entries($ad, $result);

//CHECK IF USER IS IN $ldap_gn
$belongs = in_array($ldap_gn,$entries[0]['memberof']) ? TRUE : FALSE;

HTH

bunner_bob

That makes sense - but what do you put in your $ldap_filter and $ldap_attr when trying to query group membership?

scrupul0us

I use:

$ldap_attr = array("*"); //All attributes
$ldap_filter = "samaccountname=".$user; //Just this user

bunner_bob

Thanks - I think this is going to get us there (unfortunately I am remote to the network where this is being deployed so I can't just pop it in and test it).

One more question - can you give me an example of format of the $ldap_gn? What we're using right now is "HRLeadership.Admin", which is supposedly the name of the group, and may be our problem - do we need to more formally qualify it as "ou=HRLeadership, ou=Admin" or some such format?

scrupul0us

bob, use the full path from the root of the directory you are querying using the proper cn,dn,ou