
I'm working with a service provider, who handles the hosting of the virtual server and the configuration of the LDAP server.

My job is to create a PHP application that uses LDAP to create a user at login (to keep things simple).

After many exchanges with the service provider, I finally managed to contact the LDAP server with the following:

```bash
ldapsearch -x -LLL -h vmdc2.local -D email@local -w myPassword -b"CN=xxx,OU=APPLICATIF,OU=GROUPES,OU=UTILISATEUR,DC=enterprise,DC=local"
```

It comes from the ldap-utils Linux package. This query returns good results.


So I created a simple script, trying to use the previous DN to list the users from the CLI, as a proof of concept in PHP.

```php
<?php

// create connection to LDAP server
$ldapconn = ldap_connect("ldap://vmdc2.local")
    or die("Impossible to connect to the LDAP server.");

$ldapbind = ldap_bind($ldapconn, 'email@local', 'myPassword');

// check binding
if ($ldapbind) {
    echo "Successfully connected to LDAP !" . PHP_EOL;

    $dn = 'CN=xxx,OU=APPLICATIF,OU=GROUPES,OU=UTILISATEUR,DC=enterprise,DC=local';
    $sr = ldap_list($ldapconn, $dn, 'cn=*');
    if (false === $sr) {
        die('Impossible to use the dn: ' . $dn . PHP_EOL);
    }

    $info = ldap_get_entries($ldapconn, $sr);

    if ($info['count'] === 0) die('No entries :(');
    for ($i=0; $i < $info["count"]; $i++) {
        echo $info[$i]["cn"][0] . PHP_EOL;
    }
} else {
    $var = '';
    ldap_get_option($ldapconn, LDAP_OPT_ERROR_STRING, $var);

    echo "Connection to LDAP failed..." . PHP_EOL . $var . PHP_EOL;
}
```

The script outputs `No entries :(`

My questions

  • How can I get a different result from PHP on the same DN?

  • Is it possible to configure how the LDAP server answers, depending on who is calling it?

It's my first time working with LDAP, so I'm lost :/ Your help is really welcome!

Nek
Mcsky
  • Have you tried `$sr = ldap_search($ldapconn, $dn, '(objectClass=*)');`? `ldap_list` does a search only over the current tree-level and does not take subtrees into account whereas the CLI-Tool ldapsearch by default does a subtree search (IIRC) – heiglandreas Mar 10 '20 at 13:53
  • Unfortunately still no entries :/ – Mcsky Mar 10 '20 at 15:51
  • Then your DN might be too specific. Can you try `$dn = 'OU=APPLICATIF,OU=GROUPES,OU=UTILISATEUR,DC=enterprise,DC=local';` to see whether that gets you some results? – heiglandreas Mar 11 '20 at 07:47
  • With this DN I got some results (finally ^^), but it's groups, and not users ... According to your first comment, do you know a way to list the "tree-path" of entries with `ldapsearch`? – Mcsky Mar 11 '20 at 10:37
  • Sure it's groups. Your DN specifies so ;-) You probably want to use something like `OU=UTILISATEUR,DC=enterprise,DC=local` as DN and then at first use `ldap_list` to get the nodes at that level. I expect there to be something like `OU=PEOPLE,OU=UTILISATEUR,DC=enterprise,DC=local` but that might be wrong. Have a chat with the person that manages your LDAP regarding the structure... Or use something like Apache DirectoryService to explore the directory on your own – heiglandreas Mar 11 '20 at 13:04
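
The scope difference described in the comments above, as an added example that is not part of the original thread: a pure-PHP model of base, one-level and subtree scope over a constructed tree, showing what each call would consider for the DNs tried here. The `CN=yyy` entry and the helper names `rdns` and `inScope` are assumptions for illustration, and filters are not modelled (every entry is treated as matching).

```php
<?php
// Constructed sample tree; only the DN components come from the question.
$entries = [
    'DC=enterprise,DC=local',
    'OU=UTILISATEUR,DC=enterprise,DC=local',
    'OU=GROUPES,OU=UTILISATEUR,DC=enterprise,DC=local',
    'OU=APPLICATIF,OU=GROUPES,OU=UTILISATEUR,DC=enterprise,DC=local',
    'CN=xxx,OU=APPLICATIF,OU=GROUPES,OU=UTILISATEUR,DC=enterprise,DC=local',
    'CN=yyy,OU=APPLICATIF,OU=GROUPES,OU=UTILISATEUR,DC=enterprise,DC=local', // hypothetical
];

// Split a DN into lower-cased RDNs (sample data has no escaped commas).
function rdns(string $dn): array
{
    return array_map('trim', explode(',', strtolower($dn)));
}

// Entries a search with this base and scope would consider.
// 'base' = ldap_read, 'one' = ldap_list, 'sub' = ldap_search and ldapsearch's default.
function inScope(array $entries, string $base, string $scope): array
{
    $baseRdns = rdns($base);
    $hits = [];
    foreach ($entries as $dn) {
        $r = rdns($dn);
        $extra = count($r) - count($baseRdns); // levels below the base
        // The entry must end with the base DN to be under it at all.
        if ($extra < 0 || array_slice($r, $extra) !== $baseRdns) {
            continue;
        }
        if (($scope === 'base' && $extra === 0)
            || ($scope === 'one' && $extra === 1)
            || $scope === 'sub') {
            $hits[] = $dn;
        }
    }
    return $hits;
}

$group = 'CN=xxx,OU=APPLICATIF,OU=GROUPES,OU=UTILISATEUR,DC=enterprise,DC=local';
$ou    = 'OU=APPLICATIF,OU=GROUPES,OU=UTILISATEUR,DC=enterprise,DC=local';

// One-level under a leaf group entry has no children; subtree includes the base itself.
foreach ([[$group, 'one'], [$group, 'sub'], [$ou, 'one']] as [$base, $scope]) {
    printf("%-4s %s => %d\n", $scope, $base, count(inScope($entries, $base, $scope)));
}
```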

0 Answers