ldap filter for distinguishedName
dn is not an attribute. Only attribute types, OIDs, and names can be used in filters.
When you get the manager attribute, to get the attributes for the DN that is the manager, use the value of the manager attribute as the base object in a search request. Set the scope of the search to BASE, the filter to either (&) or (objectClass=*) and request the attributes required. Then transmit the search request to the server and interpret the response.
dnagirl
Updated on March 16, 2021
Comments
-
dnagirl about 3 years
I am successfully querying our Active Directory for a user with the following code:
$filter = "(&(objectCategory=person)(samaccountname=someusername))";
$fields = array("samaccountname","mail","manager","department","displayname","objectGUID");
$user = ldap_search($ldapconnection, $baseDn, $filter, $fields);
The resulting array gives this value for the manager attribute: CN=McBossy\, Boss,OU=Users,OU=CentralOffice,DC=ds,DC=example,DC=com
This looks like a distinguishedName to me. But when I try to query for the manager's record,
$filter = "(&(objectCategory=person)(dn='CN=McBossy\, Boss,OU=Users,OU=CentralOffice,DC=ds,DC=example,DC=com'))";
$manager = ldap_search($ldapconnection, $baseDn, $filter, $fields);
the query fails with
PHP Warning: ldap_search(): Search: Bad search filter
I've tried a number of possibilities including different quotation, more parentheses, using distinguishedName rather than dn, etc.
What am I doing wrong and what is the right way to get the manager's record?
-
dnagirl almost 11 years
Ok. Then, given that the only link to a user's manager (so far as I know) is the manager attribute, how do I use that information to get the manager's user record?
-
dnagirl almost 11 years
Wouldn't that find all the people who had my current user as a manager? I want to get the manager of my current user. Sorry if I'm being thick.
-
Terry Gardner almost 11 years
Yes, it would. I re-read your question and updated my answer.
-
Brian Ashe over 4 years
Hi, I'm in the same boat -- I can query a user by email, get their manager in the result, then I want to get their manager's manager, but all I have to work with from the first AD result is "CN=McBossy\, Boss,OU=Users,OU=CentralOffice,DC=ds,DC=example,DC=com". I don't know enough about AD to make use of this answer. I understand when you say that you can't search by DN, but how do I "set the scope of the search to BASE"? I'm using almost the same code as @dnagirl to start.
-
dnagirl over 4 years
@BrianAshe, PHP's ldap_search is a wrapper for ldapsearch. To understand the options, have a look here: access.redhat.com/documentation/en-US/Red_Hat_Directory_Server/… You're probably most interested in the -b option
-
Peter Thoeny almost 4 years
The full DN in the search filter did not work for me until I escaped special characters (in my case parenthesis) - see stackoverflow.com/questions/4827263/…
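
The BASE-scope read described in the answer, together with the filter escaping mentioned in the last comment, as an added PHP example that is not part of the original thread. It goes slightly beyond the single lookup by walking the manager chain; the function names are hypothetical and $conn is assumed to be an already bound ldap_connect() handle.

```php
<?php
// Added example, not code from the thread. Requires ext-ldap.

// Read a single entry by DN: the DN is the search base, ldap_read() uses
// scope BASE, and (objectClass=*) matches whatever entry lives at that DN.
// The DN is never placed inside a filter, so no filter escaping is needed.
function readEntryByDn($conn, string $dn, array $fields): ?array
{
    $result = @ldap_read($conn, $dn, '(objectClass=*)', $fields);
    if ($result === false) {
        return null; // no such object, or the bind account may not read it
    }
    $entries = ldap_get_entries($conn, $result);
    return $entries['count'] === 1 ? $entries[0] : null;
}

// Follow the manager attribute upward (manager, manager's manager, ...).
// Stops on a missing manager, a loop in the directory data, or $maxDepth.
function managerChain($conn, string $userDn, array $fields, int $maxDepth = 10): array
{
    // ext-ldap wants a plain list, so re-index after de-duplicating.
    $fields = array_values(array_unique(array_merge($fields, ['manager'])));
    $chain = [];
    $seen = [strtolower($userDn) => true];
    $entry = readEntryByDn($conn, $userDn, $fields);
    while ($entry !== null && isset($entry['manager'][0]) && count($chain) < $maxDepth) {
        $managerDn = $entry['manager'][0];
        if (isset($seen[strtolower($managerDn)])) {
            break; // cycle guard: A manages B manages A
        }
        $seen[strtolower($managerDn)] = true;
        $entry = readEntryByDn($conn, $managerDn, $fields);
        if ($entry !== null) {
            $chain[] = $entry;
        }
    }
    return $chain;
}

// If a DN must go into a filter (Active Directory exposes distinguishedName),
// escape it as a filter value so \ * ( ) cannot change the filter's structure.
function distinguishedNameFilter(string $dn): string
{
    return '(&(objectCategory=person)(distinguishedName='
        . ldap_escape($dn, '', LDAP_ESCAPE_FILTER) . '))';
}

// The manager value from the question, exactly as the server returned it.
$managerDn = 'CN=McBossy\\, Boss,OU=Users,OU=CentralOffice,DC=ds,DC=example,DC=com';
echo distinguishedNameFilter($managerDn), PHP_EOL;
```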