
I am working on a PHP function to get the manager of an Active Directory user (using the user's email address). After getting the manager, I want to get the manager's e-mail address.

I use this code to get the manager:

    //Search using a filter.
    $result = ldap_search($connect,$ldaptree, "(mail=useremail@domain.de)") or die ("Error in search query: ".ldap_error($connect));
    $data = ldap_get_entries($connect, $result);


    // iterate over array and print data for each entry
    echo '<h1>Show me the users</h1>';
    for ($i=0; $i<$data["count"]; $i++) {

        echo "Manager: " . print_r($data[$i]["manager"]) . "<br />";
    }

The code is working and I am getting correct values when searching for the user's email or other attributes. But when I am searching for the manager with `echo "Manager: " . print_r($data[$i]["manager"]) . "<br />";` then I get the DN (distinguished name) of the manager. For example: "Array ( [count] => 1 [0] => CN=LASTNAME\, FIRSTNAME,OU=01_User,DC=int,DC=domain,DC=de ) Manager: 1"

Now the problem is, when I try to search for the manager's email address, using the DN as filter:

    $result = ldap_search($connect,$ldaptree, "(DN=".$data[$i]["manager"]."") or die ("Error in search query: ".ldap_error($connect));

Then I get an "Array to string conversion error". If I use `print_r($data[$i])` to convert to string, then I get "Error in search query: Bad search filter".

So my question is, how can I use the DN to get the attributes of the user behind the DN? Is it possible to filter for a DN? Do I have to process the DN string?

Hope someone can help me. Thank you!

Sardar Agabejli

2 Answers


Your code has a few issues:

  1. The error message is correct. You are giving it an array, not a string. I think you mean to use the `manager` attribute there (`$data[$i]["manager"][0]`, not `$data[$i]`). In the search results, attributes are all presented as arrays, even if they are single-valued attributes (like `manager`).

  2. You are missing the closing parenthesis in the LDAP query. It should look like this:

  3. If you are indeed using Active Directory, the attribute is called `distinguishedName`, not `DN` (I believe some OpenLDAP implementations use `DN`, which is why that shows up in documentation).

So your code should look like this:

    $result = ldap_search($connect,$ldaptree, "(distinguishedName=" . $data[$i]["manager"][0] . ")") or die ("Error in search query: ".ldap_error($connect));

Gabriel Luci
  • Yes that's right. It has to be '$data[$i]["manager"]'. But I still get the same Error. If I use "$data[$i]["manager"]" then I get "Array to string conversion" Error. If I use "print_r($data[$i]["manager"])" then I get "Array ( [count] => 1 [0] => CN=LASTNAME\, FIRSTNAME,OU=01_User,DC=int,DC=domain,DC=de ) Manager: 1" – Sardar Agabejli Oct 04 '19 at 09:09
  • Right. The attributes are often returned as arrays themselves, even if they are single-valued. So use `$data[$i]["manager"][0]`. – Gabriel Luci Oct 04 '19 at 11:32
  • Thank you! This solved the array to string conversion problem! – Sardar Agabejli Oct 04 '19 at 11:37

You should be able to retrieve the Manager by calling `ldap_search` directly with the DN of the manager as BaseDN and a filter of `(objectclass=*)`:

    $result = ldap_search($connect, $data[$i]['manager'][0], '(objectclass=*)');

I updated the answer with the feedback from the OP.

heiglandreas
  • Thank you very much! Now I understand. But now I get "ldap_search(): Search: Invalid DN syntax" Error. Same if I use "print_r($data[$i]['manager'])". – Sardar Agabejli Oct 04 '19 at 10:05
  • How can that be? Because I am using the DN I got from the manager attribute of a User. – Sardar Agabejli Oct 04 '19 at 10:31
  • OK, your code is the correct way to search for a DN. My problem is that when I get that DN array value of a user's manager and convert it to a string, then there is always the ArrayID set as first character in the string. I solved the problem by removing the first char of the string. But how can this happen? Or what am I doing wrong?! "$managerDN = substr($managerDN, 1);" – Sardar Agabejli Oct 04 '19 at 10:57
  • That's what I get: "1CN=LASTNAME\, FIRSTNAME,OU=01_User,DC=int,DC=domain,DC=de". As you can see, there is "1" set as the first char. But why? – Sardar Agabejli Oct 04 '19 at 11:14
  • So it's working when I use "substr($managerDN, 1);" to remove the first char. But this is only a workaround. Not an elegant way to solve the problem... – Sardar Agabejli Oct 04 '19 at 11:17
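
The lookup discussed in both answers, as an added example that is not part of the original posts: the user is found by an escaped `mail` filter, the manager entry is then read with the DN as search base, and values that do go into a filter pass through `ldap_escape()` so that a backslash in a DN or a parenthesis in user input cannot alter the filter. The function names `buildEqFilter` and `getManagerMail` and the sample values are assumptions made for illustration.

```php
<?php
// Added example. Function names and sample values are assumptions.

/** Build an equality filter with the value escaped for filter context (RFC 4515). */
function buildEqFilter(string $attr, string $value): string
{
    // Escapes \ * ( ) and NUL, so a DN such as "CN=LASTNAME\, FIRSTNAME,..."
    // or user-supplied input cannot change the structure of the filter.
    return '(' . $attr . '=' . ldap_escape($value, '', LDAP_ESCAPE_FILTER) . ')';
}

/** Return the mail address of the manager of the user with $userMail, or null. */
function getManagerMail($connect, string $baseDn, string $userMail): ?string
{
    $res = ldap_search($connect, $baseDn, buildEqFilter('mail', $userMail), ['manager']);
    if ($res === false) {
        throw new RuntimeException('User search failed: ' . ldap_error($connect));
    }
    $users = ldap_get_entries($connect, $res);
    // Attribute values are arrays with a "count" key, even when single-valued.
    if ($users['count'] !== 1 || empty($users[0]['manager'][0])) {
        return null; // no user, ambiguous match, or no manager set
    }
    $managerDn = $users[0]['manager'][0];

    // Base-scope read of exactly that entry. The DN is passed as the search
    // base, unchanged, so filter escaping does not apply to it.
    $res = ldap_read($connect, $managerDn, '(objectClass=*)', ['mail']);
    if ($res === false) {
        throw new RuntimeException('Manager read failed: ' . ldap_error($connect));
    }
    $mgr = ldap_get_entries($connect, $res);
    return $mgr[0]['mail'][0] ?? null;
}

// Offline demonstration with constructed values (no directory server needed).
$dn = 'CN=LASTNAME\, FIRSTNAME,OU=01_User,DC=int,DC=domain,DC=de';
echo buildEqFilter('distinguishedName', $dn), PHP_EOL;
echo buildEqFilter('mail', 'x)(mail=*'), PHP_EOL;
```

`print_r()` prints its argument and returns `true` unless its second parameter is `true`, so it is a debugging aid and not a way to turn an attribute into a string; the value itself is at index `[0]`.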