ldap_add
(PHP 4, PHP 5, PHP 7, PHP 8)
ldap_add — LDAP ディレクトリにエントリを付加する
説明
エントリを LDAP ディレクトリに追加します。
パラメータ
ldap
-
ldap_connect() が返す LDAP\Connection クラスのインスタンス。
dn
-
LDAP エンティティの識別名。
entry
-
そのエントリに関する情報を表す配列。 エントリの値は、個々の属性によりインデックスが作成されています。 ある属性に関して複数の値がある場合は、0 から始まる整数で 添字が作成されます。
<?php
$entry["attribute1"] = "value";
$entry["attribute2"][0] = "value1";
$entry["attribute2"][1] = "value2";
?> controls
-
リクエストと一緒に送信する LDAP コントロール の配列
変更履歴
バージョン | 説明 |
---|---|
8.1.0 |
引数 ldap は、LDAP\Connection
クラスのインスタンスを期待するようになりました。
これより前のバージョンでは、有効な ldap link リソース を期待していました。
|
8.0.0 |
controls は、nullable になりました。
これより前のバージョンでは、デフォルト値が [] でした。
|
7.3.0 |
controls のサポートが追加されました。
|
例
例1 認証型バインドの例
<?php
$ds = ldap_connect("localhost"); // LDAP サーバーはこのホストであると仮定
if ($ds) {
// 更新アクセスを行うために適当な dn でバインドする
$r = ldap_bind($ds, "cn=root, o=My Company, c=US", "secret");
// データを準備する
$info["cn"] = "John Jones";
$info["sn"] = "Jones";
$info["objectclass"] = "person";
// データをディレクトリに追加
$r = ldap_add($ds, "cn=John Jones, o=My Company, c=US", $info);
ldap_close($ds);
} else {
echo "LDAP サーバーに接続できません";
}
?>
注意
注意: この関数はバイナリデータに対応しています。
+add a note
User Contributed Notes 23 notes
stian ¶
17 years ago
This solution works for us.
In the form the CN and pwdtxt are randomly generated from strict rules.
This script creates 50-60 users i AD pr.day! and never even had a glitch!
<?php
## From form
$CN = $_POST['CN'];
$givenName = $_POST['givenName'];
$SN = $_POST['SN'];
$mail = $_POST['mail'];
$Phone = $_POST['Phone'];
$pwdtxt = $_POST['pwdtxt'];
$AD_server = "localhost:390"; // Local Stunnel --> http://www.stunnel.org/
$AD_Auth_User = "administrator@student.somwhere.com"; //Administrative user
$AD_Auth_PWD = "duppiduppdupp"; //The password
$dn = 'CN='.$CN.',OU=Brukere,DC=student,DC=somwhere,DC=com';
## Create Unicode password
$newPassword = "\"" . $pwdtxt . "\"";
$len = strlen($newPassword);
$newPassw = "";
for($i=0;$i<$len;$i++) {
$newPassw .= "{$newPassword{$i}}\000";
}
## CONNNECT TO AD
$ds = ldap_connect($AD_server);
if ($ds) {
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // IMPORTANT
$r = ldap_bind($ds, $AD_Auth_User, $AD_Auth_PWD); //BIND
$ldaprecord['cn'] = $CN;
$ldaprecord['givenName'] = $givenName;
$ldaprecord['sn'] = $SN;
$ldaprecord['objectclass'][0] = "top";
$ldaprecord['objectclass'][1] = "person";
$ldaprecord['objectclass'][1] = "organizationalPerson";
$ldaprecord['objectclass'][2] = "user";
$ldaprecord['mail'] = $mail;
$ldaprecord['telephoneNumber'] = $Phone;
$ldaprecord["unicodepwd"] = $newPassw;
$ldaprecord["sAMAccountName"] = $CN;
$ldaprecord["UserAccountControl"] = "512";
//This is to prevent the user from beeing disabled. -->
http://support.microsoft.com/default.aspx?scid=kb;en-us;305144
$r = ldap_add($ds, $dn, $ldaprecord);
} else {
echo "cannot connect to LDAP server at $AD_server.";
}
?>
This is code example creates a user i AD.
We use this on an internal web page to create
temporary users that kan access the wireless network.
We have a .pl script that deletes the users after 24H.
damien at groovey dot com ¶
18 years ago
Here is how to add a user with a hashed MD5 password to OpenLDAP. I used this technique to migrate Drupal accounts into OpenLDAP for a single-sign-on solution.
The trick to it is to tell OpenLDAP the hash type (e.g. {MD5}) before the password, and also to base64 encode the BINARY hashed result. You cannot just base64 encode what is returned by PHP's md5() or sha() hash functions, because they return a hexadecimal text string. First you must use pack("H*", $hash_result) to make that a binary string, THEN you can base64 encode it.
Here is complete code for connecting and adding a user with a hashed password. You don't have to use {MD5}, you could pick a different hash if that is what you have. The output from one of these hashed passwords will look like this: {md5}bdwD04RS9xMDGVi1n/H36Q==
Finally some caveats: This technique will not work if you hashed the password using a salt value (but Drupal does not). This technique will also certainly not work with active directory, where passwords can definitely only be set over SSL connections and hashing probably works differently.
---- snip ----
$ds = ldap_connect($serverAddress);
if ($ds) {
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // otherwise PHP defaults to ldap v2 and you will get a Syntax Error!
$r = ldap_bind($ds, $managerDN, $managerPassword);
$ldaprecord['cn'] = $newuser_username;
$ldaprecord['givenName'] = $newuser_firstname;
$ldaprecord['sn'] = $newuser_surname;
// put user in objectClass inetOrgPerson so we can set the mail and phone number attributes
$ldaprecord['objectclass'][0] = "person";
$ldaprecord['objectclass'][1] = "organizationalPerson";
$ldaprecord['objectclass'][2] = "inetOrgPerson";
$ldaprecord['mail'] = $newuser_email_address;
$ldaprecord['telephoneNumber'] = $newuser_phone_number;
// and now the tricky part, base64 encode the binary hash result:
$ldaprecord['userPassword'] = '{MD5}' . base64_encode(pack('H*',$newuser_md5hashed_password));
// If you have the plain text password instead, you could use:
// $ldaprecord['userPassword'] = '{MD5}' . base64_encode(pack('H*',md5($newuser_plaintext_password)));
$r = ldap_add($ds, $base_user_dn, $ldaprecord);
} else { die "cannot connect to LDAP server at $serverAddress."; }
Axel D. (FRANCE) ¶
21 years ago
Try this script if you don't know how to add an user in the AD Win2K.
To have more informations about the attributes, open the adsiedit console in the Support Tools for Win2K.
$adduserAD["cn"][0] =
$adduserAD["instancetype"][0] =
$adduserAD["samaccountname"][0] =
$adduserAD["objectclass"][0] = "top";
$adduserAD["objectclass"][1] = "person";
$adduserAD["objectclass"][2] = "organizationalPerson";
$adduserAD["objectclass"][3] = "user";
$adduserAD["displayname"][0] =
$adduserAD["name"][0] =
$adduserAD["givenname"][0] =
$adduserAD["sn"][0] =
$adduserAD["company"][0] =
$adduserAD["department"][0] =
$adduserAD["title"][0] =
$adduserAD["description"][0] =
$adduserAD["mail"][0] =
$adduserAD["initials"][0] =
$adduserAD["samaccountname"][0] =
$adduserAD["userprincipalname"][0] =
$adduserAD["profilepath"][0] =
$adduserAD["manager"][0] = ***Use DistinguishedName***
if (!($ldap = ldap_connect("localhost"))) {
die ("Could not connect to LDAP server");
}
if (!($res = @ldap_bind($ldap, "user@pc.com", $password))) {
die ("Could not bind to the LDAP account");
}
if (!(ldap_add($ldap, "CN=New User,OU=OU Users,DC=pc,DC=com", $adduserAD))){
echo "There is a problem to create the account
echo "Please contact your administrator !";
exit;
}
ldap_unbind($ldap);
theiderich AT laweekly dot com ¶
19 years ago
When adding/editing attributes for a user, keep in mind that the 'memberof' attribute is a special case. The memberOf attribute is not an accessible attribute of the user schema. To add someone to a group, you have to add the user in the group, and not the group in the user. You can do this by accessing the group attribute 'member':
<?php
$group_name = "CN=MyGroup,OU=Groups,DC=example,DC=com";
$group_info['member'] = $dn; // User's DN is added to group's 'member' array
ldap_mod_add($connect,$group_name,$group_info);
?>
ondrej dot duchon at t-systems dot cz ¶
20 years ago
jharnett at artschool dot com:
For active user in AD u must change "useraccountcontrol" to 512, 512 = enabled, 514 = disabled
phil at networkalliance dot com ¶
16 years ago
I created a simple function that can be called to create global distribution groups in Active Directory:
<?php
function ldap_createGroup($object_name, $dn, $members, $ldap_conn)
{
$addgroup_ad['cn']="$object_name";
$addgroup_ad['objectClass'][0] = "top";
$addgroup_ad['objectClass'][1] ="group";
$addgroup_ad['groupType']="2";
$addgroup_ad['member']=$members;
$addgroup_ad["sAMAccountName"] =$object_name;
ldap_add($ldap_conn,$dn,$addgroup_ad);
if(ldap_error($ldap_conn) == "Success")
return true;
else
return false;
}
?>
You can call this function using the follow code:
<?php
$ldap_conn = ldap_bind();
$object_name="Test Group";
$dn="CN=".$object_name.",OU=PathToAddGroupTo,OU=All Users,DC=YOURDOMAIN,DC=COM";
$members[] ="CN=User1,OU=PathToAddGroupTo,OU=All Users,DC=YOURDOMAIN,DC=COM";
$members[] ="CN=User2,OU=PathToAddGroupTo,OU=All Users,DC=YOURDOMAIN,DC=COM";
ldap_createGroup($object_name, $dn, $members, $ldap_conn);
?>
The other function I created is ldap_bind(), and this can be used to bind to an LDAP server:
<?php
function ldap_bind()
{
$ldap_addr = '192.168.1.1'; // Change this to the IP address of the LDAP server
$ldap_conn = ldap_connect($ldap_addr) or die("Couldn't connect!");
ldap_set_option($ldap_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldap_rdn = "domain_name\\user_account";
$ldap_pass = "user_password";
// Authenticate the user against the domain controller
$flag_ldap = ldap_bind($ldap_conn,$ldap_rdn,$ldap_pass);
return $ldap_conn;
}
?>
sergioshev ¶
16 years ago
once i'am having problmes to add attributes with boolean syntax (1.3.6.1.4.1.1466.115.121.1.7)
$['boolean_attr']=true; //give me one warning, ldap_add(): Add: Invalid syntax
solved this by setting the value on this:
$['boolean_attr']='TRUE';
hope this can helps.
spam2004 at turniton dot dk ¶
20 years ago
To add a group in Windows AD..
$object_name="testgroup2";
$members[]="CN=THU,ou=Users,dc=addomain,dc=domain,dc=dk";
$members[]="CN=testgroup2,ou=Groups,dc=addomain,dc=domain,dc=dk";
$addgroup_ad['cn']="$object_name";
$addgroup_ad['objectClass'][0] = "top";
$addgroup_ad['objectClass'][1] ="group";
$addgroup_ad['descripton']=$object_description;
$addgroup_ad['member']=$members;
$addgroup_ad["sAMAccountName"] =$object_name;
// notice param 2 (dn) will probably be different
$dn="cn=".$object_name.",ou=Groups,dc=addomain,dc=domain,dc=dk";
ldap_add($ldapc,$dn,$addgroup_ad);
John Van Atta ¶
21 years ago
In response to jharnett's question about accounts disabled by default from ldap_add, we have found a solution.
The attribute userAccountControl contains a value that includes whether the account is disabled or enabled. The default for us is 546; when we changed that to 544 the account became enabled. Changing whatever value is in userAccountControl by 2 seems to enable or disable the account.
The following code worked for us to create a new user with an enabled account:
$adduserAD["userAccountControl"] = "544";
We just added this element to the above example's array.
hp at syntomax dot com ¶
20 years ago
Another fun thing: ldap_add() doesn't like arrays with empty members: so
array (
[cn] = "name"
[key] = ""
[anotherkey] = "value"
)
will yield a syntax error!
solve this with a simple peice of code:
foreach ($originalobject as $key => $value){
if ($value != ""){
$object[$key] = $value;
}
}
where $originalobject is the uncecked array and $object is the one without empty members.
akohlsmith at mixdown dot org ¶
25 years ago
ldap_add() will only honour the $entry["attribute"][x]="value" *if there are multiple values for the attribute*. If there is only one attribute value, it *MUST* be entered as $entry["attribute"]="value" or ldap_add() sets the value for the attribute to be "Array" instead of what you put into $entry["attribute"][0].
Here is a little routine I wrote up to do this automatically. when you're parsing the input, just use multi_add():
<?php
function multi_add($attribute, $value)
{
global $entry; // the LDAP entry you're gonna add
if(isset($entry[$attribute]))
if(is_array($entry[$attribute]))
$entry[$attribute][count($entry[$attribute])] = $value;
else
{
$tmp = $entry[$attribute];
unset($entry[$attribute]);
$entry[$attribute][0] = $tmp;
$entry[$attribute][1] = $value;
}
else
$entry[$attribute] = $value;
}
?>
multi_add() checks to see if there is already a value for the attribute. if not, it adds it as $entry[$attribute]=$value. If there is already a value for the attribute, it converts the attribute to an array and adds the multiple values correctly.
How to use it:
<?php
switch($form_data_name)
{
case 'phone': multi_add("telephoneNumber", $form_data_value); break;
case 'fax': multi_add("facsimileTelephoneNumber", $form_data_value); break;
case 'email': multi_add("mail", $form_data_value); break;
...
}
?>
In the system I designed the form has pulldowns with names ctype1, ctype2, ctype3, etc. and the values are "fax, mail, phone...". The actual contact data (phone number, fax, email, etc) is contact1, contact2, contact3, etc. The user pulls down what the contact type is (phone, email) and then enters the data (number, address, etc.)
I use variable variables to fill the entry and skip blanks. Makes for a very clean form entry system. email me if you're interested in it, as I think I'm outgrowing the size of note allowed here. :-)
Baumkuchen.TH ¶
6 years ago
Create Group in Active Directory
<?php
$ds = ldap_connect("IP-server/localhost");
$base_dn = "CN=Group name,OU=Organization Unit,DC=Domain-name,DC=com";//distinguishedName of group
if ($ds) {
// bind with appropriate dn to give update access
ldap_bind($ds, "CN=Administrator,OU=Organization Unit,DC=Domain-name,DC=com", "some-password");
//Add members in group
$member_array = array();
$member_array[0] = "CN=Administrator,OU=Organization Unit,DC=Domain-name,DC=com";
$member_array[1] = "CN=User,OU=Organization Unit,DC=Domain-name,DC=com";
$entry["cn"] = "GroupTest";
$entry["samaccountname"] = "GroupTest";
$entry["objectClass"] = "Group";
$entry["description"] = "Group Test!!";
$entry["member"] = $member_array;
$entry["groupType"] = "2";//GroupType="2" is Distribution / GroupType="1" is Security
ldap_add($ds,$base_dn,$entry);
ldap_close($ds);
} else {
echo "Unable to connect to LDAP server";
}
?>
paul90brown at gmail dot com ¶
11 years ago
I kept getting "Object Class Violation" when I tried adding posixAccount and shadowAccount as an objectclass. It turned out that these object classes had a lot of required fields that I was not adding. You may need to export a working user (if you have phpLDAPadmin) and see exactly what fields they have, then try to copy it exactly in the script. It also doesn't hurt if you make everything an Array the first time around, you can fix those fields later.
chad dot smith at 50marketing dot com ¶
19 years ago
I took spam2004 at turniton dot dk example and made it a bit better. Maybe my setup was a bit different but either way here is how I added a group in Microsoft Windows Server 2003.
<?php
// Connect using ldap_connect
// Bind using ldap_bind
// Set LDAP_OPT_PROTOCOL_VERSION to 3
$member_array = array();
$member_array[0] = "cn=user1,cn=Users,dc=yourdomain,dc=com";
$member_array[1] = "cn=administrator,cn=Users,dc=yourdomain,dc=com";
$addgroup_ad["cn"] = "testgroup";
$addgroup_ad["samaccountname"] = "testgroup";
$addgroup_ad["objectClass"] = "Group";
$addgroup_ad["description"] = "Yep just a test.";
$addgroup_ad["member"] = $member_array;
$base_dn = "cn=testgroup,cn=Users,DC=yourdomain,DC=com";
ldap_add($ldap_conn,$base_dn,$addgroup_ad);
// This is it.
?>
Take care and good luck,
Chad R. Smith
amcnabb ¶
20 years ago
Be careful with types. PHP switches automatically between strings and numbers, but LDAP doesn't, and PHP will send whatever is most convenient for PHP, not LDAP, unless you specify a type.
If you inadvertently send a number as a string, you will get an error: "ldap_add(): Add: Invalid syntax in [filename] on line LINENUM."
Observe this example which makes an array to send to LDAP to create a POSIX group. Note that $new_groupid, which is technically a string, must be typecast with (int).
$new_ldap_group['cn'] = $groupname;
$new_ldap_group['objectclass'][0] = 'posixgroup';
$new_ldap_group['objectclass'][1] = 'top';
$new_ldap_group['gidnumber'] = (int) $new_groupid;
ondrej dot duchon at t-systems dot cz ¶
20 years ago
IF you need use national characters (iso 8859-2,8 etc.) it's good way to use ldap_set_option.
It was hard job to find where is a bug ;-))). I hope that helps somebody.
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);