Skip to content

Latest commit

 

History

History
178 lines (134 loc) · 4.16 KB

Common-LDAP-Queries.md

File metadata and controls

178 lines (134 loc) · 4.16 KB
Raw

Common LDAP Queries

These LDAP queries all assume you are using an LdapManager instance (represented by $ldap) built from a configuration described in the docs. This leverages the LdapQueryBuilder class which makes many of these queries very easy.

All Users, OUs, Groups, or Computers

# All users
$users = $ldap->buildLdapQuery()->fromUsers()->getLdapQuery()->getResult();

# All groups
$groups = $ldap->buildLdapQuery()->fromGroups()->getLdapQuery()->getResult();

# All OUs
$ous = $ldap->buildLdapQuery()->fromOUs()->getLdapQuery()->getResult();

# All computers
$computers = $ldap->buildLdapQuery()->fromComputers()->getLdapQuery()->getResult();

# All contacts
$contacts = $ldap->buildLdapQuery()->fromContacts()->getLdapQuery()->getResult();

# All deleted objects (AD only)
$deleted = $ldap->buildLdapQuery()->fromDeleted()->getLdapQuery()->getResult();

Users Created After a Certain Date

$query = $ldap->buildLdapQuery();

// The 'gte' filter creates a 'greater-than-or-equal-to' comparison
$users = $query->fromUsers()
    ->where($query->filter()->gte('created', new \DateTime('2004-06-20')))
    ->getLdapQuery()
    ->getResult();

Groups That Start With a Certain String

$query = $ldap->buildLdapQuery();

$groups = $query->fromGroups()
    ->where($query->filter()->startsWith('name', 'Admin'))
    ->getLdapQuery()
    ->getResult();

User Accounts With a Description Containing a Certain String

$query = $ldap->buildLdapQuery();

$users = $query->fromUsers()
    ->where($query->filter()->contains('description', 'service'))
    ->getLdapQuery()
    ->getResult();

Active Directory Specific Queries

The following are queries that are specific to Active Directory, as they use specific attributes or methods that are only supported there.

All Groups a User Belongs to Recursively

$query = $ldap->buildLdapQuery();

// The $username can be a typical AD username, DN, GUID, or SID.
$groups = $query->fromGroups()
    ->where($query->filter()->hasMemberRecursively($username))
    ->getLdapQuery()
    ->getResult();

All Users that Belong to a Group Recursively

$query = $ldap->buildLdapQuery();

// The $group can be a typical AD group name, DN, GUID, or SID.
$users = $query->fromUsers()
    ->where($query->filter()->isRecursivelyMemberOf($group))
    ->getLdapQuery()
    ->getResult();

All Disabled User Accounts

$users = $ldap->buildLdapQuery()
    ->fromUsers()
    ->where(['disabled' => true])
    ->getLdapQuery()
    ->getResult();

All Locked User Accounts

$users = $ldap->buildLdapQuery()
    ->fromUsers()
    ->where(['locked' => true])
    ->getLdapQuery()
    ->getResult();

All Active User Accounts with Exchange Mailboxes

$query = $ldap->buildLdapQuery();

$users = $query->fromUsers()
    ->where(['enabled' => true])
    ->andWhere($query->filter()->mailEnabled())
    ->getLdapQuery()
    ->getResult();

All Active User Accounts With Passwords That Must Change on Next Login

$users = $ldap->buildLdapQuery()
    ->fromUsers()
    ->where(['enabled' => true, 'passwordMustChange' => true])
    ->getLdapQuery()
    ->getResult();

All Security Enabled Groups With No Members

$query = $ldap->buildLdapQuery();

$groups = $query->fromGroups()
    ->where(['typeSecurity' => true])
    ->andWhere($query->filter()->notPresent('members'))
    ->getLdapQuery()
    ->getResult();

User Accounts With Passwords That Do Not Expire

$users = $ldap->buildLdapQuery()
    ->fromUsers()
    ->where(['passwordNeverExpires' => true])
    ->getLdapQuery()
    ->getResult();

User Accounts That Have Bad Password Attempts

$query = $ldap->buildLdapQuery();

$users = $query->fromUsers()
    ->where($query->filter()->gte('badPasswordCount', 1))
    ->getLdapQuery()
    ->getResult();

User Accounts With Hidden Mailboxes Sorted By Last Name

$users = $ldap->buildLdapQuery()
    ->fromUsers()
    ->where(['exchangeHideFromGAL' => true])
    ->orderBy('lastName')
    ->getLdapQuery()
    ->getResult();