Plexcel for PHP - Active Directory PHP Integration

plexcel_new


Synopsis

resource plexcel_new(string $bindstr, array $options)

Description

The plexcel_new function creates a new Plexcel context for use with other Plexcel functions. A Plexcel context resource tracks binding state and context specific options with respect to authentication, LDAP routines and other Plexcel features.

The $bindstr parameter specifies a target domain controller and optionally default search parameters. The value may be one of the following.

NULL or empty string - A value of NULL or an empty string indicates that the Plexcel context should be bound to a default server located using DNS SRV queries.

domain name - A domain name indicates that the Plexcel context should be bound to a default server in the specified domain located using DNS SRV queries.

hostname - A hostname indicates that the Plexcel context should be bound to the specific server provided that it is validated using DNS SRV queries.

LDAP URL - An LDAP URL can specify the domain name or specific hostname and default search parameters. See the Plexcel LDAP URLs section below.

Note: The domain name, the domain of a hostname, or the server component of a Plexcel LDAP URL is resolved by querying DNS using SRV queries for _ldap._tcp.dc._msdcs.<domain name>, _kerberos._tcp.dc._msdcs.<domain name> and _kerberos._udp.dc._msdcs.<domain name>, where <domain name> is either the name supplied, successively shorter domain name suffixes of the name supplied or, if no name was supplied, the realm of the HTTP service principal in the local credential file (the realm of the first entry in the plexcel.keytab file).

The $options parameter of the plexcel_new function is an array. It may be NULL or an empty array to indicate that no options are desired, or it may contain any of the following options.

putenv_krb5ccname - If set to TRUE, the Plexcel authentication functions will save the user's delegated credential (if supplied) into a file in the Plexcel temporary directory and set the KRB5CCNAME environment variable to that file's path. This allows non-Plexcel clients that support Kerberos, such as ldap_sasl_bind, pgsql_connect and curl_open, to initiate authentication with other servers using the client's delegated credential.

signing - If set to TRUE, all LDAP communication will use signing. LDAP signing may also be turned on globally using the plexcel.ldap.signing INI option. If LDAP signing is already turned on using the plexcel.ldap.signing INI option, setting this option has no effect (e.g. setting it to FALSE will not turn off signing). If your directory server is set to Require signing under Domain Controller Security Policy > Local Policies > Security Options > Domain controller: LDAP server signing requirements, signing must be used or an ldap_sasl_bind_s: Strong(er) authentication required error will occur.

encryption - If set to TRUE, all LDAP communication will use encryption. LDAP encryption may also be turned on globally using the plexcel.ldap.encryption INI option. If LDAP encryption is already turned on using the plexcel.ldap.encryption INI option, setting this option has no effect (e.g. setting it to FALSE will not turn off encryption).

Plexcel LDAP URLs

The plexcel_new $bindstr parameter may be in the form of a Plexcel LDAP URL. The syntax of these RFC 2255 style URLs is roughly as follows:

ldap://[<server>[:port]]/[<base>][?<attrs>[?<scope>[?<filter>]]]

The server component of a Plexcel LDAP URL can be an empty string, a domain name or a hostname and is resolved using DNS SRV queries.

The base component of a Plexcel LDAP URL can be an empty string to indicate the RootDSE, a full DN or one of the following alternative base component strings.

RootDSE - Bind the RootDSE. Same as an empty string.

DefaultNamingContext - Bind the default naming context as defined in the RootDSE.

Users - Use a WKGUID bind on the Users GUID A9D1CA15768811D1ADED00C04FD8D5CD.

Computers - Use a WKGUID bind on the Computers GUID AA312825768811D1ADED00C04FD8D5CD.

System - Use a WKGUID bind on the System GUID AB1D30F3768811D1ADED00C04FD8D5CD.

Domain Controllers - Use a WKGUID bind on the Domain Controllers GUID A361B2FFFFD211D1AA4B00C04FD7D83A.

Infrastructure - Use a WKGUID bind on the Infrastructure GUID 2FBAC1870ADE11D297C400C04FD8D5CD.

Deleted Objects - Use a WKGUID bind on the Deleted Objects GUID 18E2EA80684F11D2B9AA00C04F79F805.

Lost and Found - Use a WKGUID bind on the Lost and Found GUID AB8153B7768811D1ADED00C04FD8D5CD.

Plexcel LDAP URL Examples

ldap:/// - The default directory server will be located using DNS SRV queries.

ldap:///RootDSE - Same as 'ldap:///'

ldap://example.com/ - The default directory server in the example.com domain will be located using DNS SRV queries.

ldap://ad1.example.com/ - The specified server is used provided that DNS SRV queries can verify that it is listed in the example.com domain.

ldap:///CN=Hans Müller,DC=Users,DC=example,DC=com - This binds a specific user object on the local directory server.

ldap:///CN=Users,DC=example,DC=com - This specifies the Users container as the base DN.

ldap:///Users - This also specifies the Users container but it uses WKGUID binding with the Users GUID as the base DN.

ldap:///CN=Hans Müller,DC=Users,DC=example,DC=com?cn,telephoneNumber,homePhone - A search with no explicit parameters using this binding would select the cn and some phone-oriented attributes of the specified user from the local directory server.

ldap:///Users??sub?(objectClass=user) - A search with no explicit parameters using this binding would select all attributes of all users (but not groups) in the default Users container on the local directory server.

ldap://ad1.example.com/Users??sub?(lastLogon>=128175527431758394) - This would return all users that have logged onto the specified AD server after March 5th, 2007.

Note: SID binding does not work with Windows 2000.
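The URL syntax above, the alternative base strings and the SRV lookup described in the Note on $bindstr, worked through in an added Python helper that is not part of Plexcel (a PHP extension) and is not taken from this page: it splits a Plexcel LDAP URL into its components, maps the alternative base strings to Active Directory's <WKGUID=...,<naming context>> bind DN form, and lists the SRV names tried for a domain or hostname. How Plexcel performs these steps internally, and the RFC 2255 defaults used for an omitted scope and filter, are assumptions.

```python
from urllib.parse import unquote

# Alternative base component strings and their well-known GUIDs, as listed on this page.
WKGUID = {
    "Users": "A9D1CA15768811D1ADED00C04FD8D5CD",
    "Computers": "AA312825768811D1ADED00C04FD8D5CD",
    "System": "AB1D30F3768811D1ADED00C04FD8D5CD",
    "Domain Controllers": "A361B2FFFFD211D1AA4B00C04FD7D83A",
    "Infrastructure": "2FBAC1870ADE11D297C400C04FD8D5CD",
    "Deleted Objects": "18E2EA80684F11D2B9AA00C04F79F805",
    "Lost and Found": "AB8153B7768811D1ADED00C04FD8D5CD",
}
# SRV names the page says are queried under dc._msdcs to locate and validate a DC.
SRV_PREFIXES = ("_ldap._tcp.dc._msdcs.", "_kerberos._tcp.dc._msdcs.", "_kerberos._udp.dc._msdcs.")

def parse_plexcel_url(url):
    """Split ldap://[<server>[:port]]/[<base>][?<attrs>[?<scope>[?<filter>]]] into parts."""
    if not url.startswith("ldap://"):
        raise ValueError("not a Plexcel LDAP URL: %r" % url)
    hostport, _, rest = url[len("ldap://"):].partition("/")
    host, _, port = hostport.partition(":")
    parts = rest.split("?", 3) + [""] * 3            # base, attrs, scope, filter
    base, attrs, scope, flt = (unquote(p) for p in parts[:4])
    return {
        "server": host,                              # "" = locate a DC via DNS SRV
        "port": int(port) if port else None,
        "base": base,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",                    # RFC 2255 defaults when omitted
        "filter": flt or "(objectClass=*)",
    }

def bind_dn(base, naming_context):
    """Resolve a base component to the DN bound; naming_context is the RootDSE's
    defaultNamingContext. <WKGUID=...,dn> is AD's well-known-object bind syntax;
    that Plexcel builds the DN this way internally is an assumption."""
    if base in ("", "RootDSE"):
        return ""                                    # the RootDSE has the empty DN
    if base == "DefaultNamingContext":
        return naming_context
    if base in WKGUID:
        return "<WKGUID=%s,%s>" % (WKGUID[base], naming_context)
    return base                                      # already a full DN

def srv_query_names(name):
    """SRV names tried for a domain or hostname: the name itself, then each shorter suffix."""
    labels = [l for l in name.split(".") if l]
    suffixes = [".".join(labels[i:]) for i in range(len(labels))]
    return [prefix + s for s in suffixes for prefix in SRV_PREFIXES]
```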

Returns

The plexcel_new function returns the new Plexcel context resource or FALSE to indicate an error has occurred in which case plexcel_status should be queried (with a NULL context).

Example

The following PHP fragment illustrates how to use a Plexcel LDAP URL with plexcel_new to simplify searching the directory.

<?php
// Bind the defaultNamingContext on the local directory server
$px = plexcel_new('ldap:///DefaultNamingContext', NULL);

if ($px == FALSE) {
    // No context: ask plexcel_status (with a NULL context) what went wrong
    die('<pre>' . plexcel_status(NULL) . '</pre>');
} else {
    $params = array( // no need to specify base
        'scope' => 'sub',
        'filter' => '(&(objectClass=user)(logonCount=0))'
    );
    $objs = plexcel_search_objects($px, $params);
    // ...
}
?>

Using DefaultNamingContext in an LDAP URL with plexcel_new

See also

plexcel_preamble

© 2008 IOPLEX Software