I'm performing a search on my LDAP server using adLDAP and CodeIgniter. What I want to search is basically accounts that have been deactivated from the LDAP server. In my PHP code I have the following to call the adLDAP library:

    $searchCriteria = array(
        "givenname"       => $values['givenName'],
        "sn"              => $values['sn'],
        "title"           => $values['title'],
        "mail"            => $values['mail'],
        "telephonenumber" => $values['telephonenumber'],
    );

    // echo "<pre>"; print_r($searchCriteria); echo "</pre>";

    // create the search filter ($wildcard and $logic are set earlier in the caller, not shown here)
    $noOfFieldsSet = 0;
    $searchFilterA = '(objectClass=user)(samaccounttype='. ADLDAP_NORMAL_ACCOUNT .')(objectCategory=person)';
    $searchFilterB = '';
    foreach ($searchCriteria AS $key => $value)
    {
        if ($value)
        {
            $searchFilterB .= "(".$key."=".$wildcard.$value."*)";
            ++$noOfFieldsSet;
        }
    }
    // We perform a logical AND or OR (depending on $logic) on all
    // specified search criteria to create the final search filter:
    if ($logic == "&")
    {
        $searchFilter = "(".$logic." ".$searchFilterA.$searchFilterB.")";
    }
    else // logic = OR
    {
        $searchFilter = "(& ".$searchFilterA."(".$logic." ".$searchFilterB."))";
    }

    // echo $searchFilter."<br>";

    // define what attributes we want to get
    $attribs = array("displayname", "samaccountname", "mail", "telephonenumber", "title", "physicaldeliveryofficename");
    $resultEntries = $this->ad_ldap->search_directory($searchFilter, $attribs);

In this last line the function ad_ldap->search_directory from the adLDAP library is called; this function is:

    function search_directory($filter, $fields, $sorted = true)
    {
        if ( ! $this->_bind)
            return (false);

        $sr = ldap_search($this->_conn, $this->_base_dn, $filter, $fields);
        if ($sr === false)   // the search itself failed (e.g. malformed filter)
            return (false);
        $entries = ldap_get_entries($this->_conn, $sr);

        // echo "<pre>"; print_r($entries); echo "</pre>";

        return $entries;
    }

This is what my LDAP tree structure looks like:

[screenshot of the LDAP tree structure; image not available]

I would like to know how I can exclude those directories (pointed to by the black arrow) and the other Inactive folder inside the other "users" folder below that one.

The thing I'm not sure about here is how to exclude directories, or how to specify the directories that I would like to have excluded.

Any help would be appreciated.

Sinisa Bobic
VaTo
  • Which version of adldap are you using? It looks like the newer v2 version of the library supports checking disabled accounts: https://github.com/Adldap2/Adldap2/blob/master/src/Models/Concerns/HasUserAccountControl.php – webmaster777 Mar 04 '19 at 13:58

1 Answer

You should add an exclusion filter to $searchFilterB:

$searchFilterA = '(objectClass=user)(samaccounttype='. ADLDAP_NORMAL_ACCOUNT .')(objectCategory=person)';
$searchFilterB = '(!(UserAccountControl:1.2.840.113556.1.4.803:=2))';

This is AD-specific query language saying: find all accounts that do not have the UF_ACCOUNTDISABLED flag on (which you can edit in AD user control by flipping the disabled switch).

webmaster777
  • you were pretty close, I had to use userAccountControl `$searchFilterA = '(objectClass=user)(samaccounttype='. ADLDAP_NORMAL_ACCOUNT .')(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))'; $searchFilterB = '';` The reason why I used userAccountControl: This attribute is composed of a combination of different flags. The flag for setting the object that you want to disable is UF_ACCOUNTDISABLE, which has a value of 0x02 (2 decimal). The bitwise comparison filter that specifies userAccountControl with the UF_ACCOUNTDISABLED bit set would resemble this: – VaTo Feb 28 '19 at 18:55
  • That answer can also be found here: https://stackoverflow.com/a/14153603/593868. Too bad the links to ms docs on this matter are dead. – webmaster777 Mar 04 '19 at 13:43
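Pulling the question's filter-building loop and the answer's exclusion clause together, here is an added example (my own code, not from the question, the answer, or the adLDAP library). It builds the same kind of Active Directory search filter, but escapes every user-supplied value with PHP's ldap_escape() so that characters such as `*`, `(`, `)` and `\` in a form field cannot change the structure of the filter, and it appends the `userAccountControl` bitwise clause from the answer so disabled accounts are excluded. Assumptions: ADLDAP_NORMAL_ACCOUNT is the adLDAP constant (assumed to be 805306368, defined here only if the library is not loaded), `$logic` is `&` or `|`, and `$wildcard` is either `*` or empty, as in the question; the input array is constructed for the demonstration.

```php
<?php
// Added example; not code from the question, the answer, or adLDAP.

if (!defined('ADLDAP_NORMAL_ACCOUNT')) {
    // Assumed to match adLDAP's own constant for normal user accounts.
    define('ADLDAP_NORMAL_ACCOUNT', 805306368);
}

// UF_ACCOUNTDISABLE bit of userAccountControl (0x02, as in the answer).
const UF_ACCOUNTDISABLE = 0x2;
// AD extensible-match rule "bitwise AND"; ":=2" tests the disable bit.
const LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803';

/**
 * Build the AD search filter. Attribute names come from our own fixed
 * list of keys; attribute values come from the user and are escaped.
 */
function build_search_filter(array $criteria, $logic = '&', $wildcard = '', $excludeDisabled = true)
{
    $logic  = ($logic === '|') ? '|' : '&';      // never trust $logic from the client
    $prefix = ($wildcard === '*') ? '*' : '';     // leading wildcard is opt-in

    $base = '(objectClass=user)'
          . '(sAMAccountType=' . ADLDAP_NORMAL_ACCOUNT . ')'
          . '(objectCategory=person)';
    if ($excludeDisabled) {
        // Exclude entries whose userAccountControl has the disable bit set.
        $base .= '(!(userAccountControl:' . LDAP_MATCHING_RULE_BIT_AND . ':=' . UF_ACCOUNTDISABLE . '))';
    }

    $clauses = '';
    foreach ($criteria as $attr => $value) {
        if ($value === null || $value === '') {
            continue;
        }
        // Defensive check that the key really is a plain attribute name.
        if (!preg_match('/^[A-Za-z][A-Za-z0-9-]*$/', $attr)) {
            continue;
        }
        // ldap_escape() turns '*', '(', ')' and '\' into \2a, \28, \29, \5c,
        // so a value like "*)(mail=*" cannot become an extra filter clause.
        $escaped  = ldap_escape($value, '', LDAP_ESCAPE_FILTER);
        $clauses .= '(' . $attr . '=' . $prefix . $escaped . '*)';
    }

    if ($clauses === '') {
        return '(&' . $base . ')';
    }
    if ($logic === '&') {
        return '(&' . $base . $clauses . ')';
    }
    return '(&' . $base . '(|' . $clauses . '))';
}

// Same test the server performs for the exclusion clause, applied to a
// userAccountControl value fetched from an entry.
function is_account_disabled($userAccountControl)
{
    return ((int) $userAccountControl & UF_ACCOUNTDISABLE) !== 0;
}

// Constructed sample input, including a value that would inject an
// extra clause if it were concatenated unescaped as in the question.
$criteria = array(
    'givenname' => 'John',
    'sn'        => '*)(mail=*',
    'mail'      => '',
);

echo build_search_filter($criteria, '&', '*'), PHP_EOL;
var_dump(is_account_disabled(514));   // 512 (NORMAL_ACCOUNT) | 2 (ACCOUNTDISABLE)
var_dump(is_account_disabled(512));   // disable bit not set
```

The wildcard is appended outside the escaped value, so "search by prefix" still works while a `*` typed into the form is matched literally. Attribute names are never taken from the request; only values are, and those go through ldap_escape() before concatenation. The `is_account_disabled()` helper is the client-side equivalent of the `:1.2.840.113556.1.4.803:=2` clause, useful when you fetch `userAccountControl` and want to flag rather than exclude disabled accounts.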