PHP LDAP: получаем участников Container/Group/OU Active Directory, преодолевая ограничение в 1000 результатов.
Естественно нужно установить и настроить PHP и модули для работы по LDAP.
После этого приступаем к созданию скрипта на основе данного примера.
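<?php
/**
 * Active Directory lookups over ext/ldap that work around two AD limits:
 *
 *  - MaxValRange (1500 values of one multi-valued attribute per response by
 *    default): group membership is read in slices via "member;range=<a>-<b>";
 *  - MaxPageSize (1000 entries per search result by default): container / OU
 *    listings use the Simple Paged Results control.
 *
 * The connection handle is kept in the global $mydap, as in the original script.
 *
 * NOTE(review): ldap_control_paged_result() / ldap_control_paged_result_response()
 * are deprecated since PHP 7.4 and removed in PHP 8.0. On PHP >= 7.3 pass an
 * LDAP_CONTROL_PAGEDRESULTS control through the $controls argument of
 * ldap_search()/ldap_list() instead; the range-retrieval logic is unaffected.
 */

/**
 * Connect and bind to the directory.
 *
 * @param string $username  Bind identity: a DN or a UPN such as 'joe@ad.local'.
 * @param string $password  Bind password. Must be non-empty: a simple bind with
 *                          an empty password is an anonymous bind, which AD
 *                          (like most servers) reports as successful.
 * @param string $host      Host name, or a URI such as 'ldaps://dc01.ad.local'.
 * @param int    $port      TCP port; ignored when $host is a URI. Default 389.
 * @param bool   $start_tls Issue StartTLS before binding. Default false keeps
 *                          the original behaviour, but a simple bind over plain
 *                          389 sends the password in cleartext: use this flag
 *                          or an ldaps:// URI anywhere outside a lab.
 * @return bool  true; every failure path calls die() like the rest of the file.
 */
function mydap_start($username, $password, $host, $port = 389, $start_tls = false)
{
    global $mydap;
    if (isset($mydap)) {
        die('Error, LDAP connection already established');
    }
    // Refuse an empty password explicitly so a missing/unset credential can never
    // look like a successful login (it would be an unauthenticated bind).
    if ((string) $password === '') {
        die('Error, empty LDAP password refused (it would be an anonymous bind)');
    }

    // Connect to AD
    $mydap = ldap_connect($host, $port) or die('Error connecting to LDAP');
    ldap_set_option($mydap, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD answers subtree searches with referrals to other partitions; letting the
    // client chase them (anonymously) makes paged searches fail.
    ldap_set_option($mydap, LDAP_OPT_REFERRALS, 0);

    if ($start_tls) {
        ldap_start_tls($mydap) or die('Error starting TLS: ' . ldap_error($mydap));
    }

    // '@' only hides the PHP warning on a failed bind; the result is still checked.
    @ldap_bind($mydap, $username, $password)
        or die('Error binding to LDAP: ' . ldap_error($mydap));
    return true;
}

/**
 * Unbind and forget the connection.
 *
 * Also clears $mydap so that mydap_start() can be called again (for example
 * against another domain controller); the original left the handle set, which
 * made any later mydap_start() die with "connection already established".
 */
function mydap_end()
{
    global $mydap;
    if (!isset($mydap)) {
        die('Error, no LDAP connection established');
    }
    // Close existing LDAP connection
    ldap_unbind($mydap);
    $mydap = null;
}

/**
 * Read the attributes of one directory object.
 *
 * @param string     $user_dn DN of the object (normally a user) to read.
 * @param array|bool $keep    Attribute names to request, or false (default) for
 *                            all attributes.
 * @return array The entry as produced by ldap_get_entries(): attribute names
 *               lowercased, each value an array with a 'count' key and the
 *               values at [0], [1], ... Empty array if nothing came back.
 */
function mydap_attributes($user_dn, $keep = false)
{
    global $mydap;
    if (!isset($mydap)) {
        die('Error, no LDAP connection established');
    }
    if (empty($user_dn)) {
        die('Error, no LDAP user specified');
    }

    // Re-arm the paged-results control with an empty cookie: a cookie left on the
    // connection by a previous paged mydap_members() call would otherwise be sent
    // with this request and may be rejected by the server. Page size 1 is enough
    // because a base-scope read returns at most one entry.
    ldap_control_paged_result($mydap, 1);

    // Base scope: only the object at $user_dn itself is returned. The filter is a
    // constant and $user_dn is used as the search base, never inside a filter.
    if ($keep) {
        $results = ldap_read($mydap, $user_dn, 'cn=*', $keep);
    } else {
        $results = ldap_read($mydap, $user_dn, 'cn=*');
    }
    if (!$results) {
        die('Error searching LDAP: ' . ldap_error($mydap));
    }

    $entries = ldap_get_entries($mydap, $results);
    return isset($entries[0]) ? $entries[0] : array();
}

/**
 * List the member DNs of a group, a container or an organizational unit.
 *
 * @param string $object_dn    distinguishedName of the object to enumerate.
 * @param string $object_class 'g' = group (default), 'c' = container, 'o' = OU.
 * @param bool   $recursive    Containers/OUs only. true (default) searches the
 *                             whole subtree as the original did; false returns
 *                             only direct children (one-level scope), so users
 *                             in nested OUs are not included. Ignored for 'g'.
 * @return array Member DNs, sorted; empty array when there are none.
 */
function mydap_members($object_dn, $object_class = 'g', $recursive = true)
{
    global $mydap;
    if (!isset($mydap)) {
        die('Error, no LDAP connection established');
    }
    if (empty($object_dn)) {
        die('Error, no LDAP object specified');
    }

    // Initialised up front: the container branch appended to an undefined variable
    // in the original, which sort() tripped over when the search returned nothing.
    $output = array();

    // Fresh paged-results control (empty cookie); see mydap_attributes().
    ldap_control_paged_result($mydap, 1);

    if ($object_class == 'g') {
        // Groups: AD returns at most MaxValRange values of a multi-valued attribute
        // per response, so 'member' is read in ranges. The server names the slice it
        // returns "member;range=<start>-<end>", and the final slice
        // "member;range=<start>-*". The end bound is taken from the server's key
        // rather than assumed, so a domain with a MaxValRange below 1500 does not
        // silently truncate the list (the original only matched its own bounds).
        $range_size = 1500;
        $range_start = 0;
        while (true) {
            $range_end = $range_start + $range_size - 1;
            // Base-scope read of the group object itself.
            $results = ldap_read($mydap, $object_dn, 'cn=*', array("member;range=$range_start-$range_end"))
                or die('Error searching LDAP: ' . ldap_error($mydap));
            $entries = ldap_get_entries($mydap, $results);
            if (!isset($entries[0])) {
                break;
            }

            $slice = null;
            $next_start = null; // null = the server marked this as the final slice
            foreach ($entries[0] as $key => $value) {
                if (!is_string($key) || strpos($key, 'member;range=') !== 0) {
                    continue;
                }
                $slice = $value;
                $bounds = explode('-', substr($key, strlen('member;range=')), 2);
                if (isset($bounds[1]) && $bounds[1] !== '*') {
                    $next_start = (int) $bounds[1] + 1;
                }
                break;
            }

            // No range attribute at all means an empty group.
            if ($slice === null || empty($slice['count'])) {
                break;
            }
            unset($slice['count']);
            $output = array_merge($output, $slice);

            // Stop on the final slice, or if the server did not move the window forward.
            if ($next_start === null || $next_start <= $range_start) {
                break;
            }
            $range_start = $next_start;
        }
    } elseif ($object_class == 'c' || $object_class == 'o') {
        // Containers and OUs: AD stops a search at MaxPageSize entries, so the
        // Simple Paged Results control is used to walk the result page by page.
        // NOTE: 'objectClass=user' also matches computer accounts in AD (class
        // computer derives from user); use
        // '(&(objectCategory=person)(objectClass=user))' if only people are wanted.
        $filter = 'objectClass=user';
        $pagesize = 1000;
        $cookie = '';
        do {
            ldap_control_paged_result($mydap, $pagesize, true, $cookie);
            // ldap_search = whole subtree, ldap_list = one level below $object_dn.
            $results = ($recursive
                    ? ldap_search($mydap, $object_dn, $filter, array('sn'))
                    : ldap_list($mydap, $object_dn, $filter, array('sn')))
                or die('Error searching LDAP: ' . ldap_error($mydap));
            $entries = ldap_get_entries($mydap, $results);
            unset($entries['count']);
            // Pull the 'dn' from each result, append to output
            foreach ($entries as $entry) {
                $output[] = $entry['dn'];
            }
            ldap_control_paged_result_response($mydap, $results, $cookie);
        } while ($cookie !== null && $cookie !== '');
    } else {
        die("Invalid mydap_member object_class, must be c, g, or o");
    }

    // Return alphabetized member list
    sort($output);
    return $output;
}

// ==================================================================================
// Example Usage
// ==================================================================================

// Establish connection. The bind password is read from the environment rather than
// written into the script: a hard-coded directory password ends up in backups,
// version control and web-server error output.
mydap_start(
    'joe@ad.local',             // Active Directory search (bind) user
    getenv('AD_BIND_PASSWORD'), // its password; unset/empty makes mydap_start() die
    'ad.local',                 // Active Directory server, or an ldaps:// URI
    389,                        // Port (optional)
    true                        // StartTLS so the bind password is not sent in cleartext
                                // (false only for a lab DC without a certificate)
);

// Query users using mydap_members(object_dn, object_class[, recursive])
// The object_dn parameter should be the distinguishedName of the object
// The object_class parameter should be 'c' for Container, 'g' for Group, or 'o' for Organizational Unit
// If left blank object_class will assume Group
// Pass false as the third argument to list only the direct children of a Container/OU
// Ex: the default 'Users' object in AD is a Container
// The function returns an array of member distinguishedName's
$members = mydap_members('CN=Users,DC=ad,DC=local', 'c');
if (!$members) {
    die('No members found, make sure you are specifying the correct object_class');
}

// Now collect attributes for each member pulled
// Specify user attributes we want to collect, to be used as the keep parameter of mydap_attributes
$keep = array('samaccountname', 'mail', 'employeeID');

// Iterate each member to get attributes
$i = 1; // For counting our output
foreach ($members as $m) {
    // Query a user's attributes using mydap_attributes(member_dn, keep)
    $attr = mydap_attributes($m, $keep);
    // Each attribute is returned as an array: [count], then [0]+ with the value(s).
    // ldap_get_entries() lowercases attribute names, and an attribute with no value
    // is simply absent, so test the key before reading it.
    $employeeID     = isset($attr['employeeid'][0])     ? $attr['employeeid'][0]     : "[no employee ID]";
    $samaccountname = isset($attr['samaccountname'][0]) ? $attr['samaccountname'][0] : "[no account name]";
    $mail           = isset($attr['mail'][0])           ? $attr['mail'][0]           : "[no email]";
    // Directory attributes are data, not markup: escape them before writing HTML,
    // otherwise a value containing '<' or '"' is interpreted by the browser.
    echo $i . '. ' . htmlspecialchars("$samaccountname, $mail - $employeeID", ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . "<br>";
    $i++;
}

// Here you could run another mydap_members() if needed, merge with previous results, etc.

// Close connection
mydap_end();
// After mydap_end() a new mydap_start() is allowed, e.g. against a different AD server.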
Добрый день. Подскажите, как поправить скрипт так, чтобы он не показывал members из дочерних групп и/или контейнеров? А то если направить его на определённый OU — скрипт показывает огромный список пользователей из дочерних групп/контейнеров.
Не совсем понял вопрос — как-то он сам себя исключает.
Здесь все в параметрах поиска
$members = mydap_members('CN=Users,DC=ad,DC=local','c');
Попробуйте тут указать конкретную OU. Учтите, что ldap_search() ищет по всему поддереву указанной базы, поэтому пользователи из вложенных OU тоже попадут в результат; чтобы получить только прямых потомков, замените ldap_search() на ldap_list() (область поиска one-level).