
Your company is slowly but surely emerging from the crisis: new offices and stores are opening, jobs are appearing, and the headcount is growing. As the system administrator you took care of this in advance and rolled out Active Directory or LDAP. Phew, no more problems with account management.
But in our line of work the problems never take long to arrive: yesterday they hired five accountants, three salespeople and a storekeeper. All of them need corporate e-mail. Fine, if you thought enough moves ahead and, along with the AD installation, moved the mail server's authentication to the domain, then you spend five minutes creating the accounts, fill in the right data and hand them to your assistants, who set up the mail clients for these employees. But how do you tell all the other employees about the new addresses? Write everyone a letter? Post it in chat? Too much work for the average, ever-lazy sysadmin.
I see two convenient solutions: you can teach the mail clients to look up addresses in AD, or you can display the addresses on the corporate website. Today we will try to give the corporate website the necessary information: we will display a list of employees and their e-mail addresses, and keep the data where it belongs, directly in Active Directory.
Let's take a closer look at php-ldap
Let's agree that our site is written in PHP, the web server has direct access to the AD server, and the php-ldap extension is installed on it.
According to the manual, we will need a handful of functions: ldap_connect, ldap_bind, ldap_search, ldap_get_entries and ldap_unbind. In addition, to work with AD you will need to force the protocol version; ldap_set_option will help us with this.
Writing the filter
The directory contains groups, office users and service records alike. In any case, a lot of excess. We have to write a filter that picks out only the cream.
One. We are building an online e-mail book, so we will show only users; other directory objects are of no use to us.
(objectCategory=user)
Two. Did I already mention that this is an address book? We will not show records that have no e-mail address filled in.
(mail=*)
Three. Employees quit, go on vacation, maternity leave or sick leave. We disable such accounts and, as you have guessed, will not show them.
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
Four. This one is optional, but it is useful to know this form of filter. I check users for membership in a specific group (in the example, "web_mail_catalog"). Here ou=groups is the organizational unit in which the group lives, and dc=mycompany,dc=crimea,dc=ua is the domain name written as DN components.
(memberOf=cn=web_mail_catalog,ou=groups,dc=mycompany,dc=crimea,dc=ua)
Let's try to combine everything into one. The resulting filter has no spaces; I have broken it into readable pieces.
(&
(mail=*)
(objectCategory=user)
(memberOf=cn=web_mail_catalog,ou=groups,dc=mycompany,dc=crimea,dc=ua)
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
)
Deciding on the attributes
Now take a look at the attribute catalog (for example,
like this ). Let's estimate which fields will be useful to us. I think it will be enough to show the name, e-mail address, position, department and company name. According to the table, these are the fields cn, mail, title, department and company.
We will pass them a bit later as an array, as one of the arguments to the ldap_search function.
Let's start on the code
No, I think let's turn on some Indian music first. For motivation. PHP is not my thing, so I will not get into OOP and MVC. Those interested can rewrite the code as they please.
We declare a handful of variables that we will use later.
Yes, I almost forgot. You have to create a separate account without permissions, under which php-ldap will knock on AD. In addition, you can use the prefixes ldap:// or ldaps:// in $srv for plain and encrypted communication respectively. As I recall, for ldaps AD needs an SSL certificate.
One step further. The filter and the attribute set go into the same kind of neat variables.
Now it would be nice to connect to AD and perform the desired search.
Put it together and add a little HTML wrapping. It should look something like this.
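The whole flow described above, as an added example that is not the article's own code: the host, the read-only service-account DN, its password variable and the search base are placeholder assumptions; the filter, attribute list and group name are the ones from the article. The group name is passed through ldap_escape() and every attribute value through htmlspecialchars(), so that a crafted value cannot break the filter or inject HTML into the page.

```php
<?php
// Added example, not the article's code. Placeholder connection settings:
$srv    = 'ldaps://dc1.mycompany.crimea.ua';                         // placeholder host
$bindDn = 'cn=web_mail_ro,ou=service,dc=mycompany,dc=crimea,dc=ua'; // placeholder read-only account
$bindPw = getenv('LDAP_BIND_PW');                                    // keep the password out of the source
$base   = 'dc=mycompany,dc=crimea,dc=ua';

// Filter from the article. ldap_escape() (PHP >= 5.6) neutralises filter
// metacharacters in case the group name ever comes from user input.
// 1.2.840.113556.1.4.803 is AD's bitwise-AND matching rule; bit 2 = ACCOUNTDISABLE.
$group  = 'web_mail_catalog';
$filter = '(&(mail=*)(objectCategory=user)'
        . '(memberOf=cn=' . ldap_escape($group, '', LDAP_ESCAPE_FILTER)
        . ',ou=groups,dc=mycompany,dc=crimea,dc=ua)'
        . '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';
$attrs  = ['cn', 'mail', 'title', 'department', 'company'];

$ds = ldap_connect($srv);
if ($ds === false) {
    exit('Directory unavailable');
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // AD requires LDAPv3
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // AD referrals otherwise break the search

if (!@ldap_bind($ds, $bindDn, $bindPw)) {
    error_log('LDAP bind failed: ' . ldap_error($ds)); // details go to the log, not the visitor
    exit('Directory unavailable');
}

$sr = ldap_search($ds, $base, $filter, $attrs);
if ($sr === false) {
    exit('Directory unavailable');
}
$entries = ldap_get_entries($ds, $sr);
ldap_unbind($ds);

// Render the table; every cell is HTML-escaped because directory data is untrusted input.
echo "<table>\n<tr><th>Name</th><th>E-mail</th><th>Title</th><th>Department</th><th>Company</th></tr>\n";
for ($i = 0; $i < $entries['count']; $i++) {
    echo '<tr>';
    foreach ($attrs as $a) {
        $v = isset($entries[$i][$a][0]) ? $entries[$i][$a][0] : '';
        echo '<td>' . htmlspecialchars($v, ENT_QUOTES, 'UTF-8') . '</td>';
    }
    echo "</tr>\n";
}
echo "</table>\n";
```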
The moment of truth has come: let's see what we have done.
At this point, I think, the article can be wrapped up. Unfortunately, for clarity I had to put the code into images, and in some places not everything fit, so be aware that a "\" symbol in the code marks a forced line break that should not be there. Of course, there may be slips, the result of my carelessness; write about them in the comments and I will fix them.
I post a fully working version of the code
here , use it as you see fit :)
With that, allow me to bow out.