Overview

The PHP script below is an example of how to query an Active Directory domain over LDAP. In this example we retrieve a list of the computer accounts in the domain.

If you are looking to retrieve information on user accounts rather than computer accounts, take a look at this post.

Web Server Requirements

In this example I am using Apache. To use this script your PHP web server needs the LDAP module installed; you can verify that it is present by creating a phpinfo file.

phpinfo.php

<?php
   phpinfo();
?>

When you browse to your phpinfo page you should see an ldap section:

PHPInfo LDAP Section

If you don't see an ldap section in your phpinfo output you need to install the PHP LDAP package. For example, on Ubuntu / Debian:

# Install the php-ldap package:
sudo apt-get install php-ldap

# Restart Apache so it loads the new module
sudo service apache2 restart

Variables to change

You will need to change these variables in the script.

Line 4 - $ldap_password = 'AD_Password';
Line 5 - $ldap_username = 'AD_Username@domain.tld';
Line 6 - $ldap_connection = ldap_connect("domain.tld");

Line 20 - $ldap_base_dn = 'DC=domain,DC=tld,DC=tld'; 

The PHP Script

<?php

//LDAP bind parameters; this needs to be a normal AD user account.
$ldap_password = 'AD_Password';
$ldap_username = 'AD_Username@domain.tld';
$ldap_connection = ldap_connect("domain.tld");

if (FALSE === $ldap_connection) {
    // Uh-oh, something is wrong; stop here rather than carry on with a bad handle.
    exit('Unable to connect to the ldap server');
}

// We have to set this option for the version of Active Directory we are using.
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3) or die('Unable to set LDAP protocol version');
ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0); // We need this for doing an LDAP search.

if (TRUE === ldap_bind($ldap_connection, $ldap_username, $ldap_password)) {

    //Your domains DN to query
    $ldap_base_dn = 'DC=domain,DC=tld,DC=tld';

    //Get computer accounts
    $search_filter = '(|(objectCategory=Computer))';

    //Run the search
    $result = ldap_search($ldap_connection, $ldap_base_dn, $search_filter);

    if (FALSE !== $result) {
        $entries = ldap_get_entries($ldap_connection, $result);

        // Uncomment the below if you want to dump all entries to debug something
        //var_dump($entries);

        //Create a table to display the output
        echo '<h2>AD Computer Results</h2><br>';
        echo '<table border="1"><tr bgcolor="#cccccc"><td>Name</td><td>Description</td></tr>';

        //For each account returned by the search
        for ($x = 0; $x < $entries['count']; $x++) {

            //
            //Retrieve values from Active Directory
            //

            //Common Name
            $LDAP_CN = "";

            if (!empty($entries[$x]['cn'][0])) {
                $LDAP_CN = $entries[$x]['cn'][0];
                if ($LDAP_CN == "NULL") {
                    $LDAP_CN = "";
                }
            }

            //Description
            $LDAP_Description = "";

            if (!empty($entries[$x]['description'][0])) {
                $LDAP_Description = $entries[$x]['description'][0];
                if ($LDAP_Description == "NULL") {
                    $LDAP_Description = "";
                }
            }

            //Escape the directory values before echoing them: description is free text
            //stored in AD, so it must not be written into the page as raw HTML.
            echo "<tr><td><strong>" . htmlspecialchars($LDAP_CN, ENT_QUOTES, 'UTF-8') . "</strong></td><td>"
                . htmlspecialchars($LDAP_Description, ENT_QUOTES, 'UTF-8') . "</td></tr>";
        } //END for loop

        echo "</table>"; //close the table
    } else {
        echo 'LDAP search failed: ' . htmlspecialchars(ldap_error($ldap_connection), ENT_QUOTES, 'UTF-8');
    } //END FALSE !== $result

    ldap_unbind($ldap_connection); // Clean up after ourselves.

} else {
    echo 'LDAP bind failed: ' . htmlspecialchars(ldap_error($ldap_connection), ENT_QUOTES, 'UTF-8');
} //END ldap_bind
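The script above reads every result in one call, which runs into Active Directory's default limit of 1000 entries per search (the MaxPageSize LDAP policy): on a larger domain ldap_search returns a partial result together with a size-limit warning. The following is an added example, not part of the original post, that writes the same computer-account query for PHP 7.3 or later using the paged-results control, does StartTLS before the bind so the password does not cross the network in the clear, refuses an empty password (which PHP would otherwise turn into an anonymous bind that "succeeds"), asks only for the attributes it displays, escapes an optional name prefix with ldap_escape() so request input cannot alter the filter, and HTML-escapes everything it prints. The host dc1.domain.tld, the page size of 500 and the prefix request parameter are assumptions for illustration.

```php
<?php
// Added example (not the original post's script): paged computer-account search for
// PHP >= 7.3 using the $controls parameter of ldap_search(). The host name, the page
// size and the optional name prefix are assumptions chosen for illustration.

/**
 * Return computer accounts as an array of ['cn' => ..., 'description' => ...].
 * $name_prefix, if given, is folded into the filter via ldap_escape() so that
 * characters such as '*' or ')' coming from a request cannot change the query.
 */
function find_computers(string $host, string $bind_dn, string $bind_pw, string $base_dn,
                        string $name_prefix = '', int $page_size = 500): array
{
    // An empty password makes ldap_bind() perform an anonymous bind, which returns
    // true on most directories; reject it explicitly instead of "authenticating".
    if ($bind_pw === '') {
        throw new InvalidArgumentException('Empty bind password refused');
    }

    $conn = ldap_connect("ldap://$host:389");
    if ($conn === false) {
        throw new RuntimeException('Invalid LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Upgrade the connection to TLS before the bind sends the password.
    if (!ldap_start_tls($conn)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($conn));
    }
    if (!@ldap_bind($conn, $bind_dn, $bind_pw)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($conn));
    }

    $filter = '(objectCategory=computer)';
    if ($name_prefix !== '') {
        $filter = '(&' . $filter . '(cn=' . ldap_escape($name_prefix, '', LDAP_ESCAPE_FILTER) . '*))';
    }

    $computers = [];
    $cookie = '';
    do {
        // Request only the attributes we display; the paged-results control (RFC 2696)
        // walks past the server's per-search size limit one page at a time.
        $result = ldap_search($conn, $base_dn, $filter, ['cn', 'description'], 0, 0, 0, LDAP_DEREF_NEVER,
            [['oid' => LDAP_CONTROL_PAGEDRESULTS, 'iscritical' => true,
              'value' => ['size' => $page_size, 'cookie' => $cookie]]]);
        if ($result === false) {
            throw new RuntimeException('Search failed: ' . ldap_error($conn));
        }
        ldap_parse_result($conn, $result, $errcode, $matched_dn, $errmsg, $referrals, $controls);

        $entries = ldap_get_entries($conn, $result);
        for ($i = 0; $i < $entries['count']; $i++) {
            $computers[] = [
                'cn'          => $entries[$i]['cn'][0] ?? '',
                'description' => $entries[$i]['description'][0] ?? '',
            ];
        }
        // The server returns a non-empty cookie while more pages remain.
        $cookie = $controls[LDAP_CONTROL_PAGEDRESULTS]['value']['cookie'] ?? '';
    } while ($cookie !== '');

    ldap_unbind($conn);
    return $computers;
}

/** Render the rows with every directory value HTML-escaped. */
function render_table(array $computers): string
{
    $html = '<table border="1"><tr bgcolor="#cccccc"><td>Name</td><td>Description</td></tr>';
    foreach ($computers as $c) {
        $html .= '<tr><td><strong>' . htmlspecialchars($c['cn'], ENT_QUOTES, 'UTF-8') . '</strong></td><td>'
               . htmlspecialchars($c['description'], ENT_QUOTES, 'UTF-8') . '</td></tr>';
    }
    return $html . '</table>';
}

// Usage with placeholder host, account and base DN; the prefix is taken from a request
// parameter to show the escaping path (assumed parameter name "prefix").
$computers = find_computers('dc1.domain.tld', 'AD_Username@domain.tld', 'AD_Password',
                            'DC=domain,DC=tld', $_GET['prefix'] ?? '');
echo '<h2>AD Computer Results</h2>' . render_table($computers);
```

The paging loop keeps issuing the same search with the cookie the server handed back until the cookie comes back empty, so the result set is complete regardless of how many computer objects the domain holds. Restricting the attribute list also keeps the bind account from pulling back more data than the page needs, which is worth doing even when the account is read-only.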