I would like to get a list of all the DNs that are inside an Active Directory while only having the base DN.

Also a list of all the groups and group members.

The language used is PHP.

If PHP is a bad choice for this task, what language would you recommend?

Cheers,

  • Have you already been able to connect to the LDAP server and query it? If so, what code do you have so far? Most of the magic here is going to be in crafting the search query. – Charles Jun 06 '12 at 19:27

2 Answers

1

PHP has an LDAP extension. As long as your PHP installation has that extension enabled, you should be able to effortlessly connect to an AD server and perform your queries.

After that, it's just a matter of performing basic function calls: ldap_connect(), ldap_bind(), ldap_search(), ldap_get_entries() and then iterating over the result set.

Keep in mind that if you wish to perform changes to AD (which doesn't seem to be the case here), you'll have to connect through SSL, which might have a few gotchas involving making PHP see your AD's SSL certificate as trusted.

mpontes
  • mpontes: thank you, but to rephrase my question, would I be able to access all the groups and members after connecting (using ONLY the base DN), meaning all the sub groups? Because my AD has a tree structure. So would I be able to access even the deepest node with the base DN? – Faisal Al-Tameemi Jun 07 '12 at 13:31
  • If your question is regarding the actual LDAP search query you have to issue and not how to connect to LDAP and perform a search through PHP, then @Terry Gardner's answer should be the one you're looking for. – mpontes Jun 07 '12 at 16:40
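The four calls this answer names, put together as an added example (this is not code from the answer or from the question's author). The host name, base DN, service-account DN, CA bundle path and the sample login are assumptions; it also shows the certificate-trust gotcha the answer mentions, handled without switching certificate checking off, and escapes the one value that comes from outside before it goes into the filter:

```php
<?php
// Added example, not code from the original answer. The host name, base DN,
// service account and CA path are assumptions; substitute your own.
declare(strict_types=1);

$host   = 'ldaps://dc01.corp.example';   // assumed DC; LDAPS (636) rather than plain ldap://
$baseDn = 'DC=corp,DC=example';          // assumed base DN
$bindDn = 'CN=svc-ldap-reader,OU=Service Accounts,DC=corp,DC=example'; // assumed read-only account
$bindPw = getenv('LDAP_BIND_PASSWORD');  // keep the password out of the source tree

// The "trusted certificate" gotcha: tell the OpenLDAP client library (which
// PHP's ext/ldap wraps) which CA issued the DC's certificate. Do this rather
// than setting LDAP_OPT_X_TLS_REQUIRE_CERT to "never", which silently turns
// off server authentication. The same setting can live in ldap.conf as TLS_CACERT.
putenv('LDAPTLS_CACERT=/etc/ssl/certs/corp-root-ca.pem'); // assumed path

$ds = ldap_connect($host);
if ($ds === false || $bindPw === false) {
    throw new RuntimeException('bad LDAP URI or LDAP_BIND_PASSWORD not set');
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // AD speaks LDAPv3
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // don't chase AD's cross-partition referrals

if (!@ldap_bind($ds, $bindDn, $bindPw)) {
    // AD puts the real cause in the diagnostic message (e.g. "data 52e" = wrong password)
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    throw new RuntimeException('bind failed: ' . ldap_error($ds) . ' (' . $diag . ')');
}

// Look up one account by sAMAccountName. The value comes from outside (a form,
// a CLI argument), so it is escaped with ldap_escape(): unescaped input such as
// "*)(objectClass=*" would turn this filter into a wildcard match.
$login  = $argv[1] ?? 'jdoe';                                  // constructed sample input
$filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName='
        . ldap_escape($login, '', LDAP_ESCAPE_FILTER) . '))';
$attrs  = ['sAMAccountName', 'mail', 'memberOf'];              // the DN is always returned

$result = ldap_search($ds, $baseDn, $filter, $attrs);          // ldap_search() = subtree scope
if ($result === false) {
    throw new RuntimeException('search failed: ' . ldap_error($ds));
}

$entries = ldap_get_entries($ds, $result);
// ldap_get_entries() lower-cases attribute names and adds 'count' keys.
for ($i = 0; $i < $entries['count']; $i++) {
    $e = $entries[$i];
    echo $e['dn'], PHP_EOL;
    echo '  mail:     ', $e['mail'][0] ?? '(none)', PHP_EOL;
    for ($g = 0; $g < ($e['memberof']['count'] ?? 0); $g++) {
        echo '  memberOf: ', $e['memberof'][$g], PHP_EOL;
    }
}
ldap_unbind($ds);
```

Run it from the command line as `php lookup.php jdoe` with the password in the environment. The `@` on `ldap_bind()` only suppresses PHP's warning; the failure is still caught and reported with the server's diagnostic text, which is where AD says whether the account is locked, expired or simply mistyped.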
1

Use:

  • Use an empty string or your base DN for the base object
  • (objectClass=*) for the filter
  • wholeSubtree or 2 or sub for the search scope
  • 1.1 for the requested attribute list.

1.1 is an OID that matches no attribute type and the server should return only the distinguished names (no attributes). (objectClass=*) is a present filter - all LDAP entries have at least the objectClass attribute.

This will return a list of all distinguished names -- assuming the directory server administrators allow LDAP clients to trawl the directory server database (some administrators will not permit this).

Group distinguished names will be returned also. Which entries are members of the groups will depend on the attribute used to name the members.

Terry Gardner
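The search described in this answer (base DN, present filter, subtree scope, `1.1` for the attribute list) written out in PHP as an added example, not code from the answer's author, extended to the groups-and-members part of the question. The host, base DN and credentials are assumptions, and it needs PHP 7.3 or later for the controls argument to `ldap_search()`. It goes beyond the answer in two ways a practitioner hits immediately against AD: a single search is capped at the server's MaxPageSize (1000 entries by default), so it walks the RFC 2696 paged-results control, and nested groups are expanded server-side with AD's `LDAP_MATCHING_RULE_IN_CHAIN` rule rather than by recursing in PHP:

```php
<?php
// Added example, not code from the original answer. Host, base DN and
// credentials are assumptions. Needs PHP >= 7.3 (controls argument to
// ldap_search()); the bind account must be allowed to read the tree.
declare(strict_types=1);

$ds = ldap_connect('ldaps://dc01.corp.example');           // assumed DC, over LDAPS
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
$bindDn = 'CN=svc-ldap-reader,OU=Service Accounts,DC=corp,DC=example'; // assumed account
if (!ldap_bind($ds, $bindDn, getenv('LDAP_BIND_PASSWORD') ?: '')) {
    throw new RuntimeException('bind failed: ' . ldap_error($ds));
}
$baseDn = 'DC=corp,DC=example';                              // assumed base DN

/**
 * wholeSubtree search (ldap_search() is scope "sub") that walks AD's paged
 * results. AD caps one search at MaxPageSize (1000 entries by default) and
 * answers sizeLimitExceeded past that; the RFC 2696 paged-results control
 * (OID 1.2.840.113556.1.4.319, PHP's LDAP_CONTROL_PAGEDRESULTS) fetches the
 * rest page by page. $onEntry receives each ldap_get_entries() entry.
 */
function pagedSearch($ds, string $base, string $filter, array $attrs, callable $onEntry): void
{
    $cookie = '';
    do {
        $control = ['oid' => LDAP_CONTROL_PAGEDRESULTS,
                    'value' => ['size' => 500, 'cookie' => $cookie]];
        $result = ldap_search($ds, $base, $filter, $attrs, 0, -1, -1, LDAP_DEREF_NEVER, [$control]);
        if ($result === false) {
            throw new RuntimeException('search failed: ' . ldap_error($ds));
        }
        ldap_parse_result($ds, $result, $errcode, $matchedDn, $errmsg, $referrals, $controls);
        $entries = ldap_get_entries($ds, $result);
        for ($i = 0; $i < $entries['count']; $i++) {
            $onEntry($entries[$i]);
        }
        // The server sends an empty cookie with the last page.
        $cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
    } while ($cookie !== '');
}

// 1. Every DN under the base: present filter, subtree scope, '1.1' (no attributes).
$allDns = [];
pagedSearch($ds, $baseDn, '(objectClass=*)', ['1.1'], function (array $e) use (&$allDns) {
    $allDns[] = $e['dn'];    // with '1.1' each entry carries only its DN
});
printf("%d entries under %s\n", count($allDns), $baseDn);

// 2. Groups with their direct members. AD names members by DN in the
//    multi-valued 'member' attribute (other schemas use memberUid or
//    uniqueMember, which is the "depends on the attribute" caveat above).
$groups = [];
pagedSearch($ds, $baseDn, '(objectClass=group)', ['member'], function (array $e) use (&$groups) {
    // ldap_get_entries() lower-cases attribute names. A group with more than
    // 1500 members comes back under the key 'member;range=0-1499' instead;
    // that ranged form needs follow-up searches and is not handled here.
    $members = [];
    for ($i = 0; $i < ($e['member']['count'] ?? 0); $i++) {
        $members[] = $e['member'][$i];
    }
    $groups[$e['dn']] = $members;
});

// 3. Nested groups (the tree the question asks about): AD's
//    LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) makes the server
//    expand membership transitively, so one search returns every object that is
//    a member of $groupDn through any depth of nesting. The DN is escaped before
//    it is spliced into the filter.
function transitiveMembers($ds, string $base, string $groupDn): array
{
    $filter = '(memberOf:1.2.840.113556.1.4.1941:='
            . ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER) . ')';
    $out = [];
    pagedSearch($ds, $base, $filter, ['1.1'], function (array $e) use (&$out) {
        $out[] = $e['dn'];
    });
    return $out;
}

foreach ($groups as $groupDn => $direct) {
    printf("%s: %d direct, %d transitive members\n",
        $groupDn, count($direct), count(transitiveMembers($ds, $baseDn, $groupDn)));
}
ldap_unbind($ds);
```

Two things to keep in mind when running this against a real domain. The full-tree listing is exactly the "trawl the directory" the answer warns administrators may block: with the default AD permissions any authenticated user can read it, which is why this kind of enumeration is also the first thing an attacker with a foothold does, and why a locked-down domain may return far fewer entries than exist. And the in-chain rule is expensive for the domain controller on large groups; for a one-off inventory that is fine, but a page that runs it per request should cache the result.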