Skip to content

Instantly share code, notes, and snippets.

Forked from leftclickben/test-ldap-2.php
Created May 5, 2018 04:36
  • Star 0 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
Star You must be signed in to star a gist
What would you like to do?
Open a connection to an LDAP server, query it for a given user, and check group membership for that user (test script)
# Parse options
$opts = getopt('h:n:u:p:b:s:', array( 'help' ));
if (isset($opts['help']) && $opts['help']) {
echo <<<ENDHELP
$argv[0] [-h HOSTNAME] [-n PORTNUM] [-u USERNAME] [-p PASSWORD] [-b BASEDN] [-s SEARCH]
HOSTNAME is the LDAP hostname to connect to; omit to use default (
PORTNUM is the port number to connect to; omit to use default (389)
USERNAME is the username passed to ldap_bind(); omit to bind anonymously
PASSWORD is the password passed to ldap_bind(); omit to bind without a password
BASEDN is the base DN passed to ldap_search(); omit to use the default (DC=nexus,DC=csiro,DC=au)
SEARCH is the search string passed to ldap_search(); omit to use the default (sAMAccountName=gib392)
# Extract options into variables
$hostname = isset($opts['h']) ? $opts['h'] : '';
$port_num = isset($opts['n']) ? intval($opts['n']) : 389;
$username = isset($opts['u']) ? $opts['u'] : null;
$password = isset($opts['p']) ? $opts['p'] : null;
$base_dn = isset($opts['b']) ? $opts['b'] : 'DC=nexus,DC=csiro,DC=au';
$search = isset($opts['s']) ? $opts['s'] : 'sAMAccountName=gib392';
# Connect to LDAP
echo "Executing: ldap_connect('$hostname', $port_num)" . PHP_EOL;
$ldap = ldap_connect($hostname, $port_num);
# Protocol version 3 and no referrals are required for AD
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
# Bind to LDAP
echo "Executing: ldap_bind(<ldap>, '$username', '$password')" . PHP_EOL;
$bind_result = ldap_bind($ldap, $username, $password);
if (!$bind_result) {
echo "Error: Could not bind: " . PHP_EOL . ldap_error($ldap) . PHP_EOL;
# Perform search
echo "Executing: ldap_search(<ldap>, '$base_dn', '$search')" . PHP_EOL;
$results = ldap_search($ldap, $base_dn, $search);
if (!$results) {
echo "Error: Could not search" . PHP_EOL . ldap_error($ldap) . PHP_EOL;
# Output results
echo "Got results fro LDAP search..." . PHP_EOL;
print_r(ldap_get_entries($ldap, $results));
// USAGE: test-ldap.php <username>
// This will check the given <username> for access and group membership. The <username> is required.
// Note that the username and password used for the bind() operation is defined as a constant and is not
// necessarily the same as the username given as argument to the script.
// These constants need values which are environment-specific.
define('HOSTNAME', ''); // This was a normal FQHN, e.g. ""
define('USERNAME', ''); // This is a Windows login workgroup style username, e.g. "WORKGROUP\joe.bloggs"
define('PASSWORD', ''); // Plain text password, e.g. "password"
define('BASE_DN', ''); // The base distinguished name, consisting of several domain components, e.g. "DC=domain,DC=org,DC=au"
define('USER_OU', ''); // The organisation unit hierarchy describing where users are, e.g. "OU=Users,OU=Department,OU=TheCompany"
define('GROUP_DN', ''); // Pipe-separated list of distinguished names of groups to match against, e.g. "CN=UserGroup,OU=Department,OU=TheCompany,DC=domain,DC=org,DC=au|CN=AdminGroup,OU=Department,OU=TheCompany,DC=domain,DC=org,DC=au"
define('ATTRIBUTE', ''); // The attribute used to match against the entered username, e.g. in our case, "sAMAccountName"
$ldap = ldap_connect(HOSTNAME);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!ldap_bind($ldap, USERNAME, PASSWORD)) {
die('Authentication error' . PHP_EOL);
$search = sprintf('%s,%s', USER_OU, BASE_DN);
$filter = sprintf('%s=%s', ATTRIBUTE, (isset($argv[1]) ? $argv[1] : ''));
$results = ldap_search($ldap, $search, $filter, array( ATTRIBUTE, 'givenName', 'sn', 'memberOf' ));
if (!$results) {
die('Search error' . PHP_EOL);
$entry = ldap_first_entry($ldap, $results);
if (!$entry) {
die('No results found' . PHP_EOL);
$attrs = ldap_get_attributes($ldap, $entry);
echo 'Success! Found ' . $attrs['givenName'][0] . ' ' . $attrs['sn'][0] . PHP_EOL;
$keys = array_filter(array_keys($attrs), function ($item) {
return !is_numeric($item);
$groups = explode('|', GROUP_DN);
$match = sizeof(array_intersect($groups, $attrs['memberOf'])) > 0;
echo $match ? 'Found group, user can login' . PHP_EOL : 'Did not find group' . PHP_EOL;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment