ldap filter for distinguishedName

I am successfully querying our Active Directory for a user with the following code:

$filter = (&(objectCategory=person)(samaccountname=someusername));
$fields = array("samaccountname","mail","manager","department","displayname","objectGUID");

$user = ldap_search($ldapconnection, $baseDn, $filter, $fields);

The resulting array gives this value for the manager attribute:

CN=McBossy, Boss,OU=Users,OU=CentralOffice,DC=ds,DC=example,DC=com

This looks like a distinguishedName to me. But when I try to query for the manager’s record,

$filter = (&(objectCategory=person)(dn='CN=McBossy, Boss,OU=Users,OU=CentralOffice,DC=ds,DC=example,DC=com'));

$manager = ldap_search($ldapconnection, $baseDn, $filter, $fields);

the query fails with PHP Warning: ldap_search(): Search: Bad search filter

I’ve tried a number of possibilities including different quotation, more parentheses, using distinguishedName rather than dn, etc.

What am I doing wrong and what is the right way to get the manager’s record?


dn is not an attribute. Only attribute types, OIDs, and names can be used in filters.

When you get the manager attribute, to get the attributes for the DN that is the manager, use the value of the manager attribute as the base object in a search request. Set the scope of the search to BASE, the filter to either (&) or (objectClass=*) and request the attributes required. Then transmit the search request to the server and interpret the response.

Leave a Reply

Your email address will not be published. Required fields are marked *