how to search for certain logon script in LDAP directory using PHP?

Question

I'm trying to get all user's full name from an active directory based on certain logon script ex:"Staff" in their profile in the active directory not based on organizational units.

Here is my code:

<?php
// active directory 
$ldap_host    = "xxx";
$ldap_port    = "xxx";
// Active Directory DN
$ldap_dn[]    = "ou=Staff,DC=xxx,DC=xxx,DC=xx";
$ldap_dn[]    = "ou=Faculty,DC=xxx,DC=xxx,DC=xx";
// Domain, for purposes of constructing $user
$ldap_usr_dom = "@xxx.xxx.xx";
// connect to active directory
$ldap         = ldap_connect($ldap_host, $ldap_port);
$ldap_id[]    = $ldap;
$ldap_id[]    = $ldap;
$username     = "xxx";
$password     = "xxx";
// verify user and password
if ($bind = @ldap_bind($ldap, $username . $ldap_usr_dom, $password)) {
    $filter = "(objectCategory=person)";
    $result = ldap_search($ldap_id, $ldap_dn, $filter) or exit("Unable to search LDAP server");
    foreach ($result as $value) {
        if (ldap_count_entries($ldap, $value) > 0) {
            $search = $value;
            break;
        }
    }

    if ($search) {
        $entries = ldap_get_entries($ldap, $search);
        for ($x = 0; $x < $entries['count']; $x++) {
            if (!empty($entries[$x]['cn'][0])) {
                $ad_users[$x] = $entries[$x]['cn'][0];
                print_r($ad_users);
                echo $ad_users[$x]."<br>";
            }
        }
    }
    ldap_unbind($ldap); // Clean up after ourselves.
}

$m .= "Retrieved " . count($ad_users) . " Active Directory users\n";
echo $m;
?>

My code retrieve all users under Staff unit with different logon script some are Staff and other are User.

@Epodax how to get only users who has Staff logon script in their profile at the active directory ? — Learner, Dec 21 '15 at 11:56
how are the scripts assigned to user's? Via Group Policy or manually added to profile in AD? — Professor Abronsius, Dec 21 '15 at 12:04
@RamRaider Yes we assign it manually when we create the users — Learner, Dec 21 '15 at 12:51
what flavour of Windows Server is it? 2003,2008 or 2012? Seems odd in this dayand age that you would decide not to use a GP to assign the script but each org has it's own ways I guess. Anyway, glad the little snippet helped! — Professor Abronsius, Dec 21 '15 at 12:53

Professor Abronsius · Accepted Answer · 2015-12-21T12:24:31.820

0

You could try, for the ldap filter, the following perhaps:

$script='staff.vbs';
$filter = "(&(objectCategory=person)(objectClass=user)(scriptPath={$script}))";

edited Dec 21 '15 at 12:24

answered Dec 21 '15 at 12:13

Professor Abronsius

33,063
5
32
46

Sir last question: what if the logon script is more than one word, say for exaple: Staff and Staff_Logos. How to edit your lines ? – Learner Dec 22 '15 at 07:55
You should, probably, be able to use wildcards within the expression. http://stackoverflow.com/questions/9564120/using-wildcards-in-ldap-search-filters-queries or http://forums.asp.net/t/1029112.aspx?How+to+query+LDAP+using+LIKE+statement – Professor Abronsius Dec 22 '15 at 08:01

how to search for certain logon script in LDAP directory using PHP?

1 Answers1