ldap_search objectGUID in AD

Hi all,
this is _really_ bugging me, and the Google God has failed me:

Doing an ldap_search of a Win2k Active Directory trying to get the
objectGUID.  This is a unique id within AD and is meant to be a 128-bit
octal string. (16 bytes).

Works 99% of the time, but the occasional objectGUID comes up short.

$ld_filter = '(sAMAccountName=*)';
$ld_data = array('objectGUID', 'sAMAccountName');
// Request only the attributes listed in $ld_data
$ld_sr = ldap_search($Connect, $ldap_base_dn, $ld_filter, $ld_data);
$ld_info = ldap_get_entries($Connect, $ld_sr);
for ($i = 0; $i < $ld_info['count']; $i++) {
   // ldap_get_entries() returns attribute names in lowercase
   $o = $ld_info[$i]['objectguid'][0];
   $len = strlen($o);
   print("len: $len <br>");
}

MOST of the entries are the correct 16 bytes, a FEW are not.  It's like
the occasional objectGUID is barfing php somehow and not getting placed
into the holder variable, or something. Only getting the first x bytes.

The correct entries I can convert to an escaped hex string and then
search AD correctly. The incorrect ones can't be used.

Doing an ldap_search from the command line generates a base64 encoded
string, which I can decode, convert to hex and search properly, so it's
not the AD data.

PHP Version 4.3.2
Linux tnz014 2.4.18-14 #1 Wed Sep 4 11:57:57 EDT 2002 i586
ldap.c,v 2003/04/30 21:54:02 iliaa Exp $

Any ideas????

Alan Way

Re: ldap_search objectGUID in AD

Sacs wrote:

Solved the bugger.  ldap_get_entries() handles the data as strings,
which is not good for binary data containing nulls (like the AD
objectGUID may do).

So, I need to use ldap_get_values_len() to extract the binary data :-)
e.g. to get the objectGUID of an organisation unit:

function getGUIDbyOU ($ou) {
    global $ldap_base_dn, $ldap_server, $ldap_bind_dn, $ldap_bind_user;

    $Connect = ldap_connect($ldap_server);
    $Bind = ldap_bind($Connect, $ldap_bind_dn, $ldap_bind_user);

    // $ou is placed in the filter as-is, so it must already be filter-escaped
    $ld_filter = '(ou=' . $ou . ')';
    $ld_data = array('objectGUID');

    $ld_sr = ldap_search($Connect, $ldap_base_dn, $ld_filter, $ld_data);

    if (ldap_count_entries($Connect, $ld_sr) > 0) {
      $entry = ldap_first_entry($Connect, $ld_sr);
      // ldap_get_values_len() is binary-safe, so embedded NUL bytes survive
      $guid  = ldap_get_values_len($Connect, $entry, 'objectguid');
      return $guid[0];
    } else {
      return NULL;
    }
}

Thanks to anyone who bothered reading the parent :-)
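
Added example, not part of the thread or written by its posters: the "escaped hex string" step mentioned in the first post, with a length check that rejects a truncated objectGUID before it reaches a search filter. The function names and the sample value are made up for illustration, and the code assumes PHP 5.1 or later rather than the 4.3.2 quoted above.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.
// Assumes PHP 5.1+ (str_split, exceptions), newer than the 4.3.2 in the post.

// Reject anything that is not a full 16-byte value. A short value is the
// truncation symptom described in the first post.
function assertGuidLength($bin)
{
    if (!is_string($bin) || strlen($bin) !== 16) {
        throw new InvalidArgumentException('objectGUID must be exactly 16 bytes');
    }
}

// Build a search filter for a raw objectGUID. Every byte is written as \xx,
// so NUL bytes and filter metacharacters cannot change the filter.
function objectGuidFilter($bin)
{
    assertGuidLength($bin);
    return '(objectGUID=\\' . implode('\\', str_split(bin2hex($bin), 2)) . ')';
}

// Render the display form. The first three fields are stored little-endian,
// the last eight bytes are stored in order.
function objectGuidToString($bin)
{
    assertGuidLength($bin);
    $f = unpack('Va/vb/vc', substr($bin, 0, 8));
    $tail = bin2hex(substr($bin, 8));
    return sprintf('%08x-%04x-%04x-%s-%s',
        $f['a'], $f['b'], $f['c'], substr($tail, 0, 4), substr($tail, 4));
}

// Constructed sample value with NUL bytes at offsets 2, 3 and 8.
$guid = pack('H*', '4a1b0000c3d2e5f1008899aabbccddee');

echo objectGuidFilter($guid), "\n";
echo objectGuidToString($guid), "\n";

// What a string-based read would have kept: everything before the first NUL.
$truncated = substr($guid, 0, strpos($guid, "\0"));
try {
    objectGuidFilter($truncated);
} catch (InvalidArgumentException $e) {
    echo 'rejected ', strlen($truncated), '-byte value: ', $e->getMessage(), "\n";
}
```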

