I'm trying to accomplish something very similar to what this user was doing Here.

I followed the answer, but I could not get it working. Inside Active Directory, my memberOf field looks like this:

CN=$VPN Users,CN=Users,DC=iai,DC=pri,CN=$ITAR,CN=Users,DC=iai,DC=pri,CN=allsubscribers,CN=Users,DC=iai,DC=pri

My Filter that works is:

(&(objectCategory=person)(sAMAccountName=$p_username))

I'm trying to get the following to work:

(&(objectCategory=person)(sAMAccountName=$p_username)(memberOf=CN=$ITAR))

I have tried adding the full DN which is CN=Users,DC=iai,DC=pri to my filter as well, but I get:

array(1) { ["count"]=> int(0) } 

as my response.

I'm using LDAP 3.

This is the partial working authentication code, written in PHP:

  // Connect and force protocol version 3 (the option named in the comments below).
  // As clarified in the comments, the handle is $ds everywhere; $url was a copy/paste typo.
  $ds = ldap_connect($url);
  ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

  $login = ldap_bind( $ds, "username@somedomain", $password ); 

  // Escape the user-supplied value before interpolating it into the filter,
  // otherwise a crafted username can change the meaning of the filter (LDAP injection).
  $safe_username = ldap_escape($username, "", LDAP_ESCAPE_FILTER);
  $attributes = array("displayname", "mailnickname");
  $filter = "(&(objectCategory=person)(sAMAccountName=$safe_username))";

  $result = ldap_search($ds, "CN=Users,DC=iai,DC=pri", $filter, $attributes);

  $entries = ldap_get_entries($ds, $result);

What am I doing wrong?

Code result (output of the script @DaveRandom asked for in the comments)

First var_dump:

string(49) "(&(objectCategory=person)(sAMAccountName=rmoser))"
array(2) {
  ["count"] => int(1)
  [0] => array(8) {
    ["displayname"] => array(2) {
      ["count"] => int(1)
      [0] => string(10) "Ryan Moser"
    }
    [0] => string(11) "displayname"
    ["memberof"] => array(4) {
      ["count"] => int(3)
      [0] => string(36) "CN=$VPN Users,CN=Users,DC=iai,DC=pri"
      [1] => string(31) "CN=$ITAR,CN=Users,DC=iai,DC=pri"
      [2] => string(40) "CN=allsubscribers,CN=Users,DC=iai,DC=pri"
    }
    [1]=> string(8) "memberof"
    ["mailnickname"] => array(2) {
      ["count"] => int(1)
      [0] => string(6) "rmoser"
    }
    [2] => string(12) "mailnickname"
    ["count"] => int(3)
    ["dn"] => string(36) "CN=Ryan Moser,CN=Users,DC=iai,DC=pri"
  }
}
bool(false)

Second var_dump:

string(70) "(&(objectCategory=person)(sAMAccountName=rmoser)(memberof=*CN=$ITAR*))" 
array(1) {
  ["count"] => int(0)
} 
1 Answer


LDAP filters look for an exact match.

In order to match CN=$ITAR anywhere in a value, you will need to surround it with the filter wildcard character *.

Try this filter:

(&(objectCategory=person)(sAMAccountName=$p_username)(memberOf=*CN=$ITAR*))

Also don't forget that $ITAR is a valid variable name in PHP, so if you place that filter string in double quotes (which you would need to in order for $p_username to be interpolated) PHP will attempt to interpolate $ITAR as a variable as well, find that it (probably) doesn't exist and the end result will be that it gets stripped from the string.

$filter = "(&(objectCategory=person)(sAMAccountName=$p_username)(memberOf=*CN=\$ITAR*))";

A useful link for any question concerning a dynamic filter built with PHP is this.

  • I added the wildcard flags, to make it memberOf=*CN=\$ITAR*, still no dice. The filter is valid and contains '$ITAR', however, it still returns nothing – Ryan Aug 16 '12 at 13:26
  • Can you echo the filter string and see what it looks like when the variables have been substituted? – DaveRandom Aug 16 '12 at 13:27
  • hang on a sec, your code uses `$ds` in the `ldap_bind()` call, and `$url` in the `ldap_search()` call - is that just a copy/paste typo or did you query the wrong directory? – DaveRandom Aug 16 '12 at 13:30
  • sorry, yeah that is just a typo, it's really $ds in everything, I just changed it for ease of understanding, I'll edit that in the original question. And yeah I have been var_dumping the filter itself and it looks like this: (&(objectCategory=person)(sAMAccountName=uname)(memberOf=*CN=$ITAR*)) – Ryan Aug 16 '12 at 13:33
  • @Ryan Do me a favour, run [this](http://codepad.org/cy9lta3v) and add the **exact** output to the question. – DaveRandom Aug 16 '12 at 13:44
  • @Ryan God I hate that stupid array format that `ldap_get_entries()` returns - give me a couple of minutes to decode it. – DaveRandom Aug 16 '12 at 14:15
  • @Ryan OK that's weird, that should be matching. So you have definitely done `ldap_set_option($url, LDAP_OPT_PROTOCOL_VERSION, 3);`? And have you set any other options? I'm guessing the problem here is that the value you are looking for is not the first value for the attribute, but I have never had this cause me a problem before. Try removing the leading `*` from the `memberOf` clause in the filter. – DaveRandom Aug 16 '12 at 14:28
  • I'm not sure what the issue is, it still is showing 0 results. I only have the option you mentioned set, and used your code exactly. It would be weird if the position of the value would affect this – Ryan Aug 16 '12 at 15:00
  • @Ryan Well, the work around for this would be to use the code used in generating the first `var_dump()` you posted, and `strpos()` for the value you are looking for in all the attributes values. I'm now starting to wonder if this is some kind of weird character set issue, or possibly if the filter is not liking the `=` sign in the value you are searching for. Try changing the filter to `$filter = "(&(objectCategory=person)(sAMAccountName=$p_username)(memberOf=*CN\\3d\$ITAR*))";` – DaveRandom Aug 16 '12 at 15:15
  • If that doesn't work try simply `$filter = "(&(objectCategory=person)(sAMAccountName=$p_username)(memberOf=*\$ITAR*))";` – DaveRandom Aug 16 '12 at 15:16
  • well, I got it to work, but I had to manually go in and define it using strpos(). Still not sure why this is acting so weird, but thanks for the help! – Ryan Aug 16 '12 at 17:59
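An added example, not code from the question, the answer or the comments, that ties the two threads together: memberOf in Active Directory is a DN-syntax attribute, and AD does not evaluate substring (wildcard) filters against DN-syntax attributes, which is why `(memberOf=*CN=$ITAR*)` returns nothing while the unfiltered query clearly lists the group. The filter has to carry the complete group DN, exactly, with the `$` kept out of PHP interpolation; the script below does that with the user input escaped, and keeps a case-insensitive client-side check over the returned memberof values as the fallback Ryan ended up using with strpos(). The server URI and bind credentials are placeholders; the base DN and group DN are the ones from the question; it assumes PHP 7+ (ldap_escape() exists since 5.6).

```php
<?php
// Added example, not the question's or answer's own code. $ldap_uri, $bind_user and
// $bind_password are placeholders; base DN and group DN are taken from the question.
$ldap_uri      = 'ldap://dc.example.invalid';              // placeholder
$bind_user     = 'username@somedomain';                     // placeholder, as in the question
$bind_password = getenv('LDAP_BIND_PASSWORD');              // placeholder, never hard-code it
$base_dn       = 'CN=Users,DC=iai,DC=pri';
$group_dn      = 'CN=$ITAR,CN=Users,DC=iai,DC=pri';         // single quotes: $ITAR is not interpolated

// Build a filter that matches the full group DN exactly. memberOf has DN syntax, so
// wildcards are not usable; both values are escaped as filter text (LDAP injection guard).
function member_of_filter(string $username, string $group_dn): string
{
    $u = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $g = ldap_escape($group_dn, '', LDAP_ESCAPE_FILTER);
    return "(&(objectCategory=person)(sAMAccountName=$u)(memberOf=$g))";
}

// Client-side fallback: compare each returned memberof DN case-insensitively (DNs are
// case-insensitive), which is stricter than a strpos() substring hit such as "CN=$ITAR".
function is_member(array $entry, string $group_dn): bool
{
    if (!isset($entry['memberof'])) {
        return false;
    }
    for ($i = 0; $i < $entry['memberof']['count']; $i++) {
        if (strcasecmp($entry['memberof'][$i], $group_dn) === 0) {
            return true;
        }
    }
    return false;
}

$ds = ldap_connect($ldap_uri);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!ldap_bind($ds, $bind_user, $bind_password)) {
    die('Bind failed: ' . ldap_error($ds));
}

$username = $_POST['username'] ?? '';
$filter   = member_of_filter($username, $group_dn);
$result   = ldap_search($ds, $base_dn, $filter, ['displayname', 'mailnickname', 'memberof']);
$entries  = ldap_get_entries($ds, $result);

// Exactly one matching person, and the group DN really is among its memberof values.
if ($entries['count'] === 1 && is_member($entries[0], $group_dn)) {
    echo 'Authorised: ' . $entries[0]['displayname'][0] . "\n";
} else {
    echo "No such user in group\n";
}
```

If the account's membership is only through a nested group, memberOf will not list the outer group; that case needs a different query and is outside what this thread covers.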