Delicious Bookmark this on Delicious Share on Facebook SlashdotSlashdot It! Digg! Digg



PHP : Function Reference : LDAP Functions : ldap_add

ldap_add

Add entries to LDAP directory (PHP 4, PHP 5)
bool ldap_add ( resource link_identifier, string dn, array entry )

Example 1110. Complete example with authenticated bind

<?php
$ds
= ldap_connect("localhost");  // assuming the LDAP server is on this host

if ($ds) {
   
// bind with appropriate dn to give update access
   
$r = ldap_bind($ds, "cn=root, o=My Company, c=US", "secret");

   
// prepare data
   
$info["cn"] = "John Jones";
   
$info["sn"] = "Jones";
   
$info["mail"] = "jonj@example.com";
   
$info["objectclass"] = "person";

   
// add data to directory
   
$r = ldap_add($ds, "cn=John Jones, o=My Company, c=US", $info);

   
ldap_close($ds);
} else {
   echo
"Unable to connect to LDAP server";
}
?>

Code Examples / Notes » ldap_add

micattack+phpnet

When getting the dreaded invalid syntax, it helps turning on debugging in ldap. Looking at /var/log/ldap, gets you things like
May  2 13:51:21 tux slapd[12985]: conn=4934 op=1 RESULT tag=105 err=21 text=phpgwtz: value #0 invalid per syntax
May  2 13:52:02 tux slapd[12697]: No objectClass for entry (uid=1, ou=adressen, dc=...


theiderich

When adding/editing attributes for a user, keep in mind that the 'memberof' attribute is a special case.  The memberOf attribute is not an accessible attribute of the user schema. To add someone to a group, you have to add the user in the group, and not the group in the user. You can do this by accessing the group attribute 'member':
<?php
$group_name = "CN=MyGroup,OU=Groups,DC=example,DC=com";
$group_info['member'] = $dn; // User's DN is added to group's 'member' array
ldap_mod_add($connect,$group_name,$group_info);
?>


axel d. france

Try this script if you don't know how to add an user in the AD Win2K.
To have more informations about the attributes, open the adsiedit console in the Support Tools for Win2K.
$adduserAD["cn"][0] =
$adduserAD["instancetype"][0] =
$adduserAD["samaccountname"][0] =
$adduserAD["objectclass"][0] = "top";
$adduserAD["objectclass"][1] = "person";
$adduserAD["objectclass"][2] = "organizationalPerson";
$adduserAD["objectclass"][3] = "user";
$adduserAD["displayname"][0] =
$adduserAD["name"][0] =
$adduserAD["givenname"][0] =
$adduserAD["sn"][0] =
$adduserAD["company"][0] =
$adduserAD["department"][0] =
$adduserAD["title"][0] =
$adduserAD["description"][0] =
$adduserAD["mail"][0] =
$adduserAD["initials"][0] =
$adduserAD["samaccountname"][0] =
$adduserAD["userprincipalname"][0] =
$adduserAD["profilepath"][0] =
$adduserAD["manager"][0] = ***Use DistinguishedName***
if (!($ldap = ldap_connect("localhost"))) {
    die ("Could not connect to LDAP server");
}
if (!($res = @ldap_bind($ldap, "user@pc.com", $password))) {
    die ("Could not bind to the LDAP account");
}
if (!(ldap_add($ldap, "CN=New User,OU=OU Users,DC=pc,DC=com", $adduserAD))){
    echo "There is a problem to create the account
    echo "Please contact your administrator !";
    exit;
}
ldap_unbind($ldap);


spam2004

To add a group in Windows AD..
$object_name="testgroup2";
$members[]="CN=THU,ou=Users,dc=addomain,dc=domain,dc=dk";
$members[]="CN=testgroup2,ou=Groups,dc=addomain,dc=domain,dc=dk";
$addgroup_ad['cn']="$object_name";
$addgroup_ad['objectClass'][0] = "top";
$addgroup_ad['objectClass'][1] ="group";
$addgroup_ad['descripton']=$object_description;
$addgroup_ad['member']=$members;
$addgroup_ad["sAMAccountName"] =$object_name;
// notice param 2 (dn) will probably be different
$dn="cn=".$object_name.",ou=Groups,dc=addomain,dc=domain,dc=dk";
ldap_add($ldapc,$dn,$addgroup_ad);


stian

This solution works for us.
In the form the CN and pwdtxt are randomly generated from strict rules.
This script creates 50-60 users i AD pr.day! and never even had a glitch!
<?php
## From form
$CN = $_POST['CN'];
$givenName = $_POST['givenName'];
$SN = $_POST['SN'];
$mail = $_POST['mail'];
$Phone = $_POST['Phone'];
$pwdtxt = $_POST['pwdtxt'];
$AD_server = "localhost:390"; // Local Stunnel --> http://www.stunnel.org/
$AD_Auth_User = "administrator@student.somwhere.com"; //Administrative user
$AD_Auth_PWD = "duppiduppdupp"; //The password
$dn = 'CN='.$CN.',OU=Brukere,DC=student,DC=somwhere,DC=com';
## Create Unicode password
$newPassword = "\"" . $pwdtxt . "\"";
$len = strlen($newPassword);
$newPassw = "";
for($i=0;$i<$len;$i++) {
$newPassw .= "{$newPassword{$i}}\000";
}
## CONNNECT TO AD
$ds = ldap_connect($AD_server);
if ($ds) {
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // IMPORTANT
$r = ldap_bind($ds, $AD_Auth_User, $AD_Auth_PWD); //BIND
$ldaprecord['cn'] = $CN;
$ldaprecord['givenName'] = $givenName;
$ldaprecord['sn'] = $SN;
$ldaprecord['objectclass'][0] = "top";
$ldaprecord['objectclass'][1] = "person";
$ldaprecord['objectclass'][1] = "organizationalPerson";
$ldaprecord['objectclass'][2] = "user";
$ldaprecord['mail'] = $mail;
$ldaprecord['telephoneNumber'] = $Phone;
$ldaprecord["unicodepwd"] = $newPassw;
$ldaprecord["sAMAccountName"] = $CN;
$ldaprecord["UserAccountControl"] = "512";
//This is to prevent the user from beeing disabled. -->
http://support.microsoft.com/default.aspx?scid=kb;en-us;305144
$r = ldap_add($ds, $dn, $ldaprecord);

} else {
echo "cannot connect to LDAP server at $AD_server.";
}
?>
This is code example creates a user i AD.
We use this on an internal web page to create
temporary users that kan access the wireless network.
We have a .pl script that deletes the users after 24H.


titus dot stahl

Note that you cannot use base64 encoding, you have to use utf-8 encoding for special chars instead.

akohlsmith

ldap_add() will only honour the $entry["attribute"][x]="value" *if there are multiple values for the attribute*.  If there is only one attribute value, it *MUST* be entered as $entry["attribute"]="value" or ldap_add() sets the value for the attribute to be "Array" instead of what you put into $entry["attribute"][0].
Here is a little routine I wrote up to do this automatically.  when you're parsing the input, just use multi_add():
function multi_add($attribute, $value)
{
global $entry;                                // the LDAP entry you're gonna add
if(isset($entry[$attribute]))
  if(is_array($entry[$attribute]))
    $entry[$attribute][count($entry[$attribute])] = $value;
  else
    {
    $tmp = $entry[$attribute];
    unset($entry[$attribute]);
    $entry[$attribute][0] = $tmp;
    $entry[$attribute][1] = $value;
    }
else
  $entry[$attribute] = $value;
}
multi_add() checks to see if there is already a value for the attribute.  if not, it adds it as $entry[$attribute]=$value.  If there is already a value for the attribute, it converts the attribute to an array and adds the multiple values correctly.
How to use it:
switch($form_data_name)
     {
     case 'phone': multi_add("telephoneNumber", $form_data_value); break;
     case 'fax': multi_add("facsimileTelephoneNumber", $form_data_value); break;
     case 'email': multi_add("mail", $form_data_value); break;
     ...
     }
In the system I designed the form has pulldowns with names ctype1, ctype2, ctype3, etc. and the values are "fax, mail, phone...".  The actual contact data (phone number, fax, email, etc) is contact1, contact2, contact3, etc.  The user pulls down what the contact type is (phone, email) and then enters the data (number, address, etc.)
I use variable variables to fill the entry and skip blanks.  Makes for a very clean form entry system.  email me if you're interested in it, as I think I'm outgrowing the size of note allowed here.  :-)


ondrej dot duchon

jharnett at artschool dot com:
For active user in AD u must change "useraccountcontrol" to 512, 512 = enabled, 514 = disabled


willie

In response to:
Note that you cannot use base64 encoding, you have to use utf-8 encoding for special chars instead.
--
I have found that if I have a special character (or a newline) that ldap_add and ldap_modify will automatically do the base64 encoding for you.  For example:
<?php
// assuming binding is done, etc.
$entry['postalAddress'] = "123 East 456 West\nSuite A103";
ldap_modify($ds, $dn, $entry);
?>
The function or server will take the newline and convert it into base64 automatically (same goes for other special characters).
You may be able to verify by using a command-line ldapsearch
ldapsearch -b "dc=example,dc=com" -x "(cn=Example Person)" postalAddress
You'll see that the result comes up as
dn: cn=Example Person,dc=example,dc=com
postalAddress:: MTIzIEVhc3QgNDU2IFdlc3QKU3VpdGUgQTEwMw==
See the double colons after postal address?  That's how LDAP states it's base64 encoded in this case.


john van atta

In response to jharnett's question about accounts disabled by default from ldap_add, we have found a solution.
The attribute userAccountControl contains a value that includes whether the account is disabled or enabled. The default for us is 546; when we changed that to 544 the account became enabled. Changing whatever value is in userAccountControl by 2 seems to enable or disable the account.
The following code worked for us to create a new user with an enabled account:
$adduserAD["userAccountControl"] = "544";
We just added this element to the above example's array.


andrew a.whyte

In reference to the questions about Account Enabling, you can use the table found at Microsoft's Support site to help with these attributes.
You are correct that '2' is the Account Disabled flag, but there are others, which allow you to detect/set password force expiry and the like.
Hope this URL is usefull for that:
http://support.microsoft.com/default.aspx?scid=kb;en-us;305144
Cheers.


ondrej dot duchon

IF you need use national characters (iso 8859-2,8 etc.) it's good way to use  ldap_set_option.
It was hard job to find where is a bug ;-))). I hope that helps somebody.
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);


del

If you need to add an attribute that is binary encoded (eg: userCertificate), then you need to add the ";binary" specification at the end of the field name.
eg:
$info["userCertificate;binary"] = $myBinaryCert;
$ldap_add ...
Del


erwann

I was looking at creating a user in Active Directory, and it kept erroring with "Object Class Violation".
I then realised looking at an existing record that all the attributes had to be arrays:
<?
  $info["cn"]= array("John Jones");
  $info["sn"]=array("Jones");
  $info["mail"]=array("jonj@example.com");
  $info["objectclass"]=array("person");
  // add data to directory
  $r=ldap_add($ds, "cn=John Jones, o=My Company, c=US", $info);
?>


chad dot smith

I took spam2004 at turniton dot dk example and made it a bit better.  Maybe my setup was a bit different but either way here is how I added a group in Microsoft Windows Server 2003.
<?php
// Connect using ldap_connect
// Bind using ldap_bind
// Set LDAP_OPT_PROTOCOL_VERSION to 3
$member_array = array();
$member_array[0] = "cn=user1,cn=Users,dc=yourdomain,dc=com";
$member_array[1] = "cn=administrator,cn=Users,dc=yourdomain,dc=com";
$addgroup_ad["cn"] = "testgroup";
$addgroup_ad["samaccountname"] = "testgroup";
$addgroup_ad["objectClass"] = "Group";
$addgroup_ad["description"] = "Yep just a test.";
$addgroup_ad["member"] = $member_array;
$base_dn = "cn=testgroup,cn=Users,DC=yourdomain,DC=com";
ldap_add($ldap_conn,$base_dn,$addgroup_ad);
// This is it.
?>
Take care and good luck,
Chad R. Smith


damien

Here is how to add a user with a hashed MD5 password to OpenLDAP.  I used this technique to migrate Drupal accounts into OpenLDAP for a single-sign-on solution.  
The trick to it is to tell OpenLDAP the hash type (e.g. {MD5}) before the password, and also to base64 encode the BINARY hashed result.  You cannot just base64 encode what is returned by PHP's md5() or sha() hash functions, because they return a hexadecimal text string.  First you must use pack("H*", $hash_result) to make that a binary string, THEN you can base64 encode it.
Here is complete code for connecting and adding a user with a hashed password.  You don't have to use {MD5}, you could pick a different hash if that is what you have.  The output from one of these hashed passwords will look like this:  {md5}bdwD04RS9xMDGVi1n/H36Q==
Finally some caveats:  This technique will not work if you hashed the password using a salt value (but Drupal does not).  This technique will also certainly not work with active directory, where passwords can definitely only be set over SSL connections and hashing probably works differently.
---- snip ----
$ds = ldap_connect($serverAddress);
if ($ds) {
 ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);  // otherwise PHP defaults to ldap v2 and you will get a Syntax Error!
 $r = ldap_bind($ds, $managerDN, $managerPassword);
 $ldaprecord['cn'] = $newuser_username;
 $ldaprecord['givenName'] = $newuser_firstname;
 $ldaprecord['sn'] = $newuser_surname;
 // put user in objectClass inetOrgPerson so we can set the mail and phone number attributes
 $ldaprecord['objectclass'][0] = "person";
 $ldaprecord['objectclass'][1] = "organizationalPerson";
 $ldaprecord['objectclass'][2] = "inetOrgPerson";
 $ldaprecord['mail'] = $newuser_email_address;
 $ldaprecord['telephoneNumber'] = $newuser_phone_number;
 // and now the tricky part, base64 encode the binary hash result:
 $ldaprecord['userPassword'] = '{MD5}' . base64_encode(pack('H*',$newuser_md5hashed_password));
 // If you have the plain text password instead, you could use:
 // $ldaprecord['userPassword'] = '{MD5}' . base64_encode(pack('H*',md5($newuser_plaintext_password)));
 $r = ldap_add($ds, $base_user_dn, $ldaprecord);
} else { die "cannot connect to LDAP server at $serverAddress."; }


jharnett

For some wacky reason, when the new account is added using ldap_add(), the account is set to "inactive".
And from what I can see there is no modifiable attribute to "re-enable" that user. I suppose by default, if the specific flags are not set the default values are used. Anyone that has a fix for this, please post, I'm pulling out what little hair I have left.


amcnabb

Be careful with types.  PHP switches automatically between strings and numbers, but LDAP doesn't, and PHP will send whatever is most convenient for PHP, not LDAP, unless you specify a type.
If you inadvertently send a number as a string, you will get an error: "ldap_add(): Add: Invalid syntax in [filename] on line LINENUM."
Observe this example which makes an array to send to LDAP to create a POSIX group.  Note that $new_groupid, which is technically a string, must be typecast with (int).
        $new_ldap_group['cn'] = $groupname;
        $new_ldap_group['objectclass'][0] = 'posixgroup';
        $new_ldap_group['objectclass'][1] = 'top';
        $new_ldap_group['gidnumber'] = (int) $new_groupid;


hp

Another fun thing: ldap_add() doesn't like arrays with empty members: so
array (
     [cn] = "name"
     [key] = ""
     [anotherkey] = "value"
)
will yield a syntax error!
solve this with a simple peice of code:
foreach ($originalobject as $key => $value){
       if ($value != ""){
               $object[$key] = $value;
       }
}
where $originalobject is the uncecked array and $object is the one without empty members.


Change Language


Follow Navioo On Twitter
ldap_8859_to_t61
ldap_add
ldap_bind
ldap_close
ldap_compare
ldap_connect
ldap_count_entries
ldap_delete
ldap_dn2ufn
ldap_err2str
ldap_errno
ldap_error
ldap_explode_dn
ldap_first_attribute
ldap_first_entry
ldap_first_reference
ldap_free_result
ldap_get_attributes
ldap_get_dn
ldap_get_entries
ldap_get_option
ldap_get_values_len
ldap_get_values
ldap_list
ldap_mod_add
ldap_mod_del
ldap_mod_replace
ldap_modify
ldap_next_attribute
ldap_next_entry
ldap_next_reference
ldap_parse_reference
ldap_parse_result
ldap_read
ldap_rename
ldap_sasl_bind
ldap_search
ldap_set_option
ldap_set_rebind_proc
ldap_sort
ldap_start_tls
ldap_t61_to_8859
ldap_unbind
eXTReMe Tracker