Windows Active Directory ldapsearch and ldapmodify Usage from Linux + PHP

So in a recent project of mine, I had to utilize the ldap commands from a Linux server to make modifications to an Active Directory tree.  I implemented this by using PHP’s exec() function, which essentially allows you to run commands on the server in the background.  So a user would do an action on the front-end application that would trigger the exec function with its parameter containing an ldapsearch, ldapmodify, ldapremove, or ldapadd.

ldapsearch -x -h 'example.techmeout.tv' -b 'CN=Hansen\, Kevin,OU=Employee,OU=User-Accounts,DC=domain,DC=techmeout,DC=tv' -D 'example\Admin' -w 'examplepass'

So in this example, I am running an ldapsearch against my example.techmeout.tv Active Directory server.  I am searching for a user with the name “Kevin Hansen”; the -b option points directly at that user’s entry, which is why the comma inside the CN is escaped as \, in the base DN.  The administrator account I am using has a username of Admin and a password of examplepass.

The main problem I have with ldapsearch and integrating it with a web application is the amount of time it takes to search.  Searching through an Active Directory server with LDAP takes quite some time if there are many objects to go through.  So my only option was to throw my ldapsearches into a cron job that writes the output to a file.  My application front-end would then pull the data from a file containing the data rather than doing a real-time ldapsearch.

Here is the cron job I configured.  Every 30 minutes it runs an ldapsearch and pulls in all the members of a group called “Groupname.”  It stores the returned data in a file ending in _WRITE.  Then, after it writes the data there, it copies the file over to a file ending in _READ.  The reason I split the files up is that if someone were using the application while an ldapsearch is occurring, which we know takes some time, the dataset would be empty.  Since we are writing to a separate file and just copying it over (which is fast) to a file ending in _READ, the application has less chance of seeing empty datasets.

*/30 * * * * ldapsearch -x -h 'example.techmeout.tv' -b 'cn=Groupname,ou=Groups,dc=example,dc=techmeout,dc=tv' -D 'example\Admin' -w 'examplepass' > /usr/local/apache/www/html/application/store/Groupname_Members_WRITE; cp /usr/local/apache/www/html/application/store/Groupname_Members_WRITE /usr/local/apache/www/html/application/store/Groupname_Members_READ; chmod +r /usr/local/apache/www/html/application/store/Groupname_Members_READ
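As an added example (not part of the original post), here is the same refresh written as a script a cron entry can call, with three changes a practitioner would want: the bind password comes from a root-readable file via ldapsearch’s -y option instead of the command line (where -w makes it visible in ps output and cron mail), the cache is written outside the DocumentRoot, and the file is published with an atomic mv instead of cp, so a reader never opens a truncated or empty dataset. The paths, file name and password-file location are assumptions.

```shell
#!/bin/sh
# Added example, not the original post's cron line. Refreshes the cached
# member list of an AD group and publishes it atomically.
set -eu

# refresh_members STORE_DIR NAME FETCH_CMD...
# Runs FETCH_CMD with stdout going to STORE_DIR/NAME.tmp.<pid>, then renames
# it to STORE_DIR/NAME. rename(2) is atomic on one filesystem, so readers see
# either the previous complete file or the new one, never a half-written one
# (cp truncates the target first, which is the window the _WRITE/_READ split
# was trying to avoid). On fetch failure the previous good copy is kept.
refresh_members() {
    store_dir=$1; name=$2; shift 2
    tmp="$store_dir/$name.tmp.$$"
    if "$@" > "$tmp"; then
        chmod 0640 "$tmp"          # readable by the web server's group only
        mv -f "$tmp" "$store_dir/$name"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Assumed locations: keep STORE_DIR outside the web root, otherwise the whole
# member list is served to anyone who guesses the URL. PASS_FILE holds only
# the bind password, mode 0600, owned by the user the cron job runs as.
STORE_DIR=${STORE_DIR:-/var/lib/ldapcache}
PASS_FILE=${PASS_FILE:-/etc/ldapcache/bind.pw}

main() {
    # -LLL: plain LDIF without comments; -s base with the group DN as the
    # base returns just that entry; only the member attribute is requested.
    refresh_members "$STORE_DIR" Groupname_Members ldapsearch -x -LLL \
        -H ldap://example.techmeout.tv \
        -D 'example\Admin' -y "$PASS_FILE" \
        -b 'cn=Groupname,ou=Groups,dc=example,dc=techmeout,dc=tv' \
        -s base member
}

# Cron entry (assumed path): */30 * * * * /usr/local/sbin/refresh_members.sh run
if [ "${1:-}" = run ]; then
    main
fi
```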

So now that I have the data, and it’s updating every 30 minutes, my front-end JavaScript GUI can make POSTs via AJAX to a PHP file that will return the ldap search data from the _READ file in JSON format.  Parsing the data is easy in PHP.  So below, we are reading from the “../store/Groupname_Members_READ” file.  Then we are creating an array called “$jsonresult”.  Then we run a foreach() loop and loop through each line of data.  The str_replace and explode functions replace some things that I had to clean from my data and break it down into an array.  Then it finishes by echoing the data inside a json_encode() function that returns the data in JSON format.

<?php
    // Return the cached group members (refreshed by the cron job) as JSON.
    header('Content-Type: application/json');

    $lines = file("../store/Groupname_Members_READ");
    $jsonresult = array();
    $name = isset($_GET['name']) ? $_GET['name'] : '';
    if ($name == '') {
        foreach ($lines as $line_num => $line) {
            // Only the member attribute lines carry DNs; skip dn:, objectClass:, etc.
            // AD returns the attribute as member;range=0-1499 for large groups and
            // only the first 1500 values come back in this single search.
            if (strpos($line, "member;range=0-1499: CN=") !== 0) {
                continue;
            }
            $line = str_replace("member;range=0-1499: CN=", "", $line);
            // ldapsearch escapes the comma inside the CN as "\,"; split on it to
            // separate surname and given name.
            $line = explode("\\,", $line);
            $line = $line[0] . " " . (isset($line[1]) ? ltrim($line[1]) : "");
            // Drop the rest of the DN (OU=..., DC=...) after the first real comma.
            $line = explode(",", $line);
            $line = trim($line[0]);
            $rowresult = array();
            $rowresult['name'] = $line;
            $jsonresult[] = $rowresult;
        }
    }
    echo json_encode($jsonresult);
?>
