PHP: Mailbox on the fly from LDAP or Active Directory

    Your company is slowly but surely climbing out of the crisis: new offices and stores are opening, jobs are appearing, the headcount is growing. You, the system administrator, took care of this in advance and rolled out Active Directory or LDAP. Phew, no more trouble with accounts.
    But in our line of work trouble never keeps you waiting: yesterday we hired five accountants, three salespeople and a storekeeper. All of them need corporate email. It's great if you planned enough moves ahead and, along with installing AD, switched the mail server's authentication over to the domain. Five minutes to add the accounts, fill in the right data, and hand it over to your helpers: they will set up the mail clients for these employees. But how do you tell all the other employees the new addresses? Write everyone a letter? Post it in the chat? Too much work for the average, eternally lazy system administrator.

    I see two convenient solutions: either persuade the mail clients to look up addresses in AD, or publish them on the corporate website. Today we will try the latter and give the corporate site what it needs: we will display a list of employees with their mail addresses, and we will fetch the data straight from the source, Active Directory.

    A closer look at php-ldap


    Let's agree that our site is written in PHP, that the web server has direct access to the AD server, and that the php-ldap extension is installed on it.

    According to the manual we need a handful of functions: ldap_connect, ldap_bind, ldap_search, ldap_get_entries and ldap_unbind. In addition, to work with AD you have to set the protocol version explicitly; ldap_set_option will help us with that.

    Writing the filter


    The directory holds groups, service accounts and employee records alike; in short, a lot of clutter. We have to write a filter that skims off only the cream.

    One. We are building an online mail book, so we will show only users; other directory objects are of no use to us.
    (objectCategory=user)

    Two. Have I mentioned that this is a mail book? We will not show accounts without a mail address filled in.
    (mail=*)

    Three. Employees tend to quit, go on vacation, maternity leave or sick leave. We disable such accounts and, as you've guessed, won't show them either.
    (!(userAccountControl:1.2.840.113556.1.4.803:=2))

    Four. This one is optional, but it is useful to know how such a filter is written. I check users for membership in a specific group (in the example, web_mail_catalog). Here ou=groups is the organizational unit the group lives in, and dc=mycompany,dc=crimea,dc=ua is the domain name written as a DN.
    (memberOf=cn=web_mail_catalog,ou=groups,dc=mycompany,dc=crimea,dc=ua)

    Let's put it all together. The filter has no spaces in it; I have split it into readable pieces here.
    (&
    (mail=*)
    (objectCategory=user)
    (memberOf=cn=web_mail_catalog,ou=groups,dc=mycompany,dc=crimea,dc=ua)
    (!(userAccountControl:1.2.840.113556.1.4.803:=2))
    )
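    As an added example (not the article's own code, which was posted as images), here is the same filter assembled in PHP from its four pieces. The group name, OU and base DN are the article's values; the function and variable names are my own. It goes slightly beyond the article by running the group name through ldap_escape, so that a value containing filter metacharacters cannot change what the filter matches.

```php
<?php
// Added example, not the article's code: assembling the mail-book filter
// from its four pieces. Group name, OU and base DN are the article's values.

/**
 * Build the LDAP search filter for the online mail book.
 * The group name is escaped so that a stray "(" or "*" in it cannot
 * alter the meaning of the filter (LDAP filter injection).
 */
function build_mailbook_filter(string $groupCn, string $groupOu, string $baseDn): string
{
    // The group reference is a DN, so its RDN value is DN-escaped first...
    $groupDn = 'cn=' . ldap_escape($groupCn, '', LDAP_ESCAPE_DN) . ',' . $groupOu . ',' . $baseDn;
    // ...and the whole DN is filter-escaped because it becomes an assertion value.
    $memberOf = '(memberOf=' . ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER) . ')';

    $parts = [
        '(mail=*)',                                           // has a mail address
        '(objectCategory=user)',                              // user objects only
        $memberOf,                                            // member of the mail-book group
        '(!(userAccountControl:1.2.840.113556.1.4.803:=2))',  // bit 2 (ACCOUNTDISABLE) not set
    ];
    return '(&' . implode('', $parts) . ')';
}

// Demo with the article's values: prints the filter exactly as given in the text.
$base = 'dc=mycompany,dc=crimea,dc=ua';
echo build_mailbook_filter('web_mail_catalog', 'ou=groups', $base), PHP_EOL;

// A group name carrying filter metacharacters stays a harmless literal
// (the ")", "(" and "*" come out as \29, \28 and \2a).
echo build_mailbook_filter('web_mail_catalog)(cn=*', 'ou=groups', $base), PHP_EOL;
```

    The first call reproduces the filter from the text character for character; the second shows why the escaping matters if the group name ever comes from configuration or user input rather than a constant.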

    Choosing the attributes


    Now let's look at an attribute catalog (for example, this one). Let's estimate which fields are useful to us. I think it is enough to show the name, mail address, position, department and company name. According to the table, these are the fields cn, mail, title, department and company.
    We will pass them a bit later, as an array, as one of the arguments to the ldap_search function.

    Let's start coding


    No, first let's put on some Indian music. For motivation. PHP is not my hobby, so I won't get into OOP and MVC; anyone who wants to can rewrite the code as they please.

    Let's define the handful of variables we will use later on.
    [code shown as an image in the original: variable definitions]

    Yes, I almost forgot. You should create a separate account with no special rights, under which php-ldap will knock on AD's door. Also, in $srv you can use the prefixes ldap:// or ldaps:// for plain and encrypted communication. As far as I remember, for ldaps AD will need an SSL certificate.

    One step further. The filter and the attribute set go into equally pretty variables.
    [code shown as an image in the original: filter and attribute list]

    Now it would be nice to connect to AD and run the search we want.
    [code shown as an image in the original: connect, bind and search]

    Let's put it together and add a little HTML wrapping. It should look something like this.

    [code shown as an image in the original: output loop with HTML]
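    As an added example (not the article's own code, which was posted as images), here is the whole flow from connect to HTML in one PHP script. The server name, the service account, the environment variable holding its password and the function names are assumptions of mine; the filter and attribute list are the article's. Two things go beyond the article: LDAP_OPT_REFERRALS is switched off, which searches from the domain root of an AD forest usually need, and every directory value is passed through htmlspecialchars before it reaches the page.

```php
<?php
// Added example, not the article's code. Server, account, password source and
// function names are assumptions; filter and attributes come from the article.

$srv    = 'ldaps://dc1.mycompany.crimea.ua';        // ldap:// for plain, ldaps:// for TLS (assumed host)
$user   = 'mailbook@mycompany.crimea.ua';            // dedicated read-only account (assumed name)
$pass   = getenv('MAILBOOK_PASS') ?: '';             // keep the password out of the source file
$base   = 'dc=mycompany,dc=crimea,dc=ua';
$filter = '(&(mail=*)(objectCategory=user)'
        . '(memberOf=cn=web_mail_catalog,ou=groups,dc=mycompany,dc=crimea,dc=ua)'
        . '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))';
$attrs  = ['cn', 'mail', 'title', 'department', 'company'];

/** Query AD and return a plain list of rows (one associative array per user). */
function fetch_mailbook(string $srv, string $user, string $pass, string $base, string $filter, array $attrs): array
{
    $ldap = ldap_connect($srv);
    if ($ldap === false) {
        throw new RuntimeException('Bad LDAP URI: ' . $srv);
    }
    // AD needs protocol version 3; not chasing referrals avoids spurious
    // errors when the search base is the domain root.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_bind($ldap, $user, $pass)) {
        throw new RuntimeException('Bind failed: ' . ldap_error($ldap));
    }

    $result = ldap_search($ldap, $base, $filter, $attrs);
    if ($result === false) {
        throw new RuntimeException('Search failed: ' . ldap_error($ldap));
    }
    $entries = ldap_get_entries($ldap, $result);
    ldap_unbind($ldap);

    return entries_to_rows($entries, $attrs);
}

/** Flatten ldap_get_entries() output: attribute keys are lowercased, values sit at index 0. */
function entries_to_rows(array $entries, array $attrs): array
{
    $rows = [];
    for ($i = 0; $i < $entries['count']; $i++) {
        $row = [];
        foreach ($attrs as $a) {
            $row[$a] = $entries[$i][strtolower($a)][0] ?? '';   // attribute may be absent on a user
        }
        $rows[] = $row;
    }
    usort($rows, fn($x, $y) => strcmp($x['cn'], $y['cn']));   // alphabetical by name
    return $rows;
}

/** Render rows as an HTML table; every directory value is escaped before output. */
function render_table(array $rows, array $attrs): string
{
    $html = "<table>\n<tr>";
    foreach ($attrs as $a) {
        $html .= '<th>' . htmlspecialchars($a, ENT_QUOTES, 'UTF-8') . '</th>';
    }
    $html .= "</tr>\n";
    foreach ($rows as $row) {
        $html .= '<tr>';
        foreach ($attrs as $a) {
            $cell = htmlspecialchars($row[$a], ENT_QUOTES, 'UTF-8');
            $html .= '<td>' . ($a === 'mail' ? "<a href=\"mailto:$cell\">$cell</a>" : $cell) . '</td>';
        }
        $html .= "</tr>\n";
    }
    return $html . "</table>\n";
}

try {
    echo render_table(fetch_mailbook($srv, $user, $pass, $base, $filter, $attrs), $attrs);
} catch (RuntimeException $e) {
    http_response_code(500);
    echo 'Mail book unavailable';   // do not show ldap_error() text to visitors
    error_log($e->getMessage());    // keep the detail in the server log instead
}
```

    The directory work and the HTML rendering are kept in separate functions so that the rendering can be checked against a hand-built ldap_get_entries-shaped array without a domain controller at hand. Whatever a user types into their own title or department in AD ends up on this page, which is why the escaping in render_table is not optional.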

    The moment of truth: let's see what came out.

    [screenshot in the original: the resulting mail book page]

    This, I think, is where the article can end. Unfortunately, for readability I had to turn the code into images and not everything fit, so be aware that the "\" character in the code stands for a forced line break that should not be there. Of course, there may be blunders due to my carelessness; write about them in the comments and I will fix them.
    I have put the whole working version of the code here; use it as you see fit :)
    With that, allow me to take my leave.
