> On Thu, January 25, 2007 3:07 pm, Bing Du wrote:
>> Sorry if the top is not closely PHP related. But I need to accomplish
>> it
>> using PHP.
>>
>> I can query the attribute 'memberOf' of a user from the active
>> directory
>> server with no problem. The challenge I'm facing now is how to obtain
>> all
>> the groups a user is member of. In many cases, a user can be in many
>> groups which could be nested. Say, user is a member of group B which
>> is a
>> member of group A. So user should be member of group A implicitly.
>> But
>> in active directory, user's account only has
>>
>> memberOf: CN=Group_B,OU=security
>> groups,OU=Users,OU=Coll,DC=some,DC=edu
>>
>> I can then check if Group_B's LDAP entry has any 'memberOf' attribute,
>> so
>> on and so on. If user's LDAP entry has multiple 'memberOf'
>> attributes, I
>> have to check each one to see if each group has any parent groups.
>> Anybody ever had to deal with such a kind of issue and would like to
>> shed
>> some light (better with some code samples) how it should be done
>> effectively? Any ideas would be greatly appreciated.
>
> I don't know hardly anything about LDAP, and even less about Active
> Directory, but if you can't find a built-in function to do this and
> have to write your own, it should end up looking something like:
>
> function groups($user, $groups = null){
> //very first time, initialize $groups to empty array:
> if (is_null($groups)) $groups = array();
>
> //Find all the groups that his user/group is a memberOf:
> $member_of = //do your LDAP here to find the memberOf:
> //ex: "CN=Group_B,OU=security groups,OU=Users,OU=Coll,DC=some,DC=edu"
>
> //Look at each group in turn
> $member_of = explode(',', $member_of);
> foreach($member_of as $group){
> //Skip any groups we have already seen:
> if (isset($groups[$group])) continue;
>
> //Add it to the list of groups:
> $groups[$group] = $group;
>
> //check for super-groups of this group:
> $groups = array_merge($groups, groups($group, $groups));
> }
> }
Excellent! Thanks much for the quick response. Appreciate it. I see the
general logic is right.
Bing
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
