Hi, I am trying to retrieve the groups of a user as mentioned in the documentation.

```php
private function authenticateByLDAP($username, $password)
{
    $connection = Container::getConnection('default');
    // Look up the user entry by its sAMAccountName.
    $user = LDAP_AD_User::findByOrFail('samaccountname', $username);
    // Defined up front so the final return is valid when the bind fails.
    $token = null;
    // Bind as the user to verify the password.
    if ($connection->auth()->attempt($user->getDn(), $password)) {
        $token = auth()->login($user);
        echo $user->getName()."\r\n";
        echo get_class($user)."\r\n";
        // Resolve direct and nested group memberships.
        $groups = $user->groups()->recursive()->get();
        foreach ($groups as $group) {
            echo $group->getName()."\r\n";
        }
    }
    else {
        $message = $connection->getLdapConnection()->getDiagnosticMessage();
        if (strpos($message, '532') !== false) {
            return "Your password has expired.";
        }
    }
    return $token;
}
```

I have added this debug trace in Ldap.php:

```php
/**
 * @inheritdoc
 */
public function search($dn, $filter, array $fields, $onlyAttributes = false, $size = 0, $time = 0, $deref = LDAP_DEREF_NEVER, $serverControls = [])
{
    // Debug trace: print the base DN, filter and requested attributes of every search.
    echo "search dn: $dn\r\n";
    echo "search filter: $filter\r\n";
    echo "search fields: ".print_r($fields,true)."\r\n";
    ...
}
```

I have the current output:

```
search dn: OU=Utilisateurs,OU=MAQUETTE,DC=maquette,DC=XXXX,DC=local
search filter: (&(objectclass=\74\6f\70)(objectclass=\70\65\72\73\6f\6e)(objectclass=\6f\72\67\61\6e\69\7a\61\74\69\6f\6e\61\6c\70\65\72\73\6f\6e)(objectclass=\75\73\65\72)(samaccountname=\73\5f\61\64\6d\69\6e)(!(objectclass=\63\6f\6d\70\75\74\65\72)))
search fields: Array
(
[0] => objectguid
[1] => *
)
s_admin
App\Ldap\LDAP_AD_User
search dn: OU=Utilisateurs,OU=MAQUETTE,DC=maquette,DC=XXXX,DC=local
search filter: (member=CN\3ds_admin\2cOU\3dUtilisateurs\2cOU\3dMAQUETTE\2cDC\3dmaquette\2cDC\3dXXXX\2cDC\3dlocal)
search fields: Array
(
[0] => objectguid
[1] => *
)
```

The first search DN corresponds to the findOrFail and the second corresponds to `$user->groups()->recursive()->get();`.

I don't understand why the second search DN has ou=Utilisateurs and not ou=Groupes, since I'm searching for groups and not users. Maybe something is missing in my tree.

Thanks in advance for your help.
Found the solution: the base DN was wrong. I set it to:

```
LDAP_DEFAULT_BASE_DN="OU=MAQUETTE,DC=maquette,DC=XXXXX,DC=local"
```
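Why the wider base DN fixes the group lookup, as an added example that is not part of the original posts or of the library's code: a subtree search only returns entries at or below its base DN, so a group search based at `OU=Utilisateurs` cannot reach groups stored in a sibling container. The helper names are hypothetical, the group DN and its `OU=Groupes` container are constructed from the question's wording, and the redacted domain component is written `XXXX` throughout.

```php
<?php
// Added example, not the library's code; helper names are hypothetical.

/** Decode RFC 4515 hex escapes (\3d, \2c, ...) as seen in the logged filter. */
function unescapeFilterValue(string $value): string
{
    return preg_replace_callback(
        '/\\\\([0-9a-fA-F]{2})/',
        fn (array $m): string => chr(hexdec($m[1])),
        $value
    );
}

/** Split a DN into lower-cased RDNs. Only "\," escaping is handled. */
function splitDn(string $dn): array
{
    return array_map(
        fn (string $rdn): string => strtolower(trim($rdn)),
        preg_split('/(?<!\\\\),/', $dn)
    );
}

/** True when $dn is the base entry itself or lies in the subtree below it. */
function isWithinBase(string $dn, string $baseDn): bool
{
    $entry = splitDn($dn);
    $base  = splitDn($baseDn);
    // A subtree search matches only DNs that end with the base DN's RDNs.
    return count($base) <= count($entry)
        && array_slice($entry, -count($base)) === $base;
}

// Member DN taken from the second logged filter in the question.
$userDn = unescapeFilterValue(
    'CN\3ds_admin\2cOU\3dUtilisateurs\2cOU\3dMAQUETTE\2cDC\3dmaquette\2cDC\3dXXXX\2cDC\3dlocal'
);
// Constructed group entry; the OU=Groupes container is assumed from the question.
$groupDn = 'CN=ExampleGroup,OU=Groupes,OU=MAQUETTE,DC=maquette,DC=XXXX,DC=local';

$bases = [
    'base from the debug output' => 'OU=Utilisateurs,OU=MAQUETTE,DC=maquette,DC=XXXX,DC=local',
    'base after the fix'         => 'OU=MAQUETTE,DC=maquette,DC=XXXX,DC=local',
];

foreach ($bases as $label => $baseDn) {
    printf(
        "%-27s user in scope: %-3s group in scope: %s\n",
        $label,
        isWithinBase($userDn, $baseDn) ? 'yes' : 'no',
        isWithinBase($groupDn, $baseDn) ? 'yes' : 'no'
    );
}
```

When group membership feeds an authorization decision, an empty group list from a successful lookup is worth checking against the configured base DN before concluding that the user belongs to no groups.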