Is there a way with the PHP LDAP extension to retrieve AD attributes/properties that are not returned by default?
Specifically, I am trying to retrieve the lockedOut property. This one is not retrieved by default when you use ldap_get_attributes. In PowerShell, you have to specify the property in order to retrieve it:
Get-AdUser -Identity foo -Properties LockedOut | Select LockedOut
But trying to specify the attribute the same way with PHP LDAP does not seem to work.
$result = ldap_search($conn, $dn, "cn=foo", ["lockedOut"]);
if ($result === false) {
    // Handling error...
}
$count = ldap_count_entries($conn, $result);
if ($count !== 1) {
    // Handling error...
}
$entry = ldap_first_entry($conn, $result);
// This array does not contain the expected "lockedOut" attribute
$attr = ldap_get_attributes($conn, $entry);
// No array returned but false (error)
$value = ldap_get_values($conn, $entry, "lockedOut");
I feel like those non-default properties are not retrievable with PHP LDAP (property != attribute).
There is a default attribute that does the job as a workaround: lockoutTime.
It seems to work this way:
lockoutTime = <not set>
lockoutTime = 0
lockoutTime = 1+
The workaround code:
$result = ldap_search($conn, $dn, "cn=foo", ["lockoutTime"]);
if ($result === false) {
    // Handling error...
}
$count = ldap_count_entries($conn, $result);
if ($count !== 1) {
    // Handling error...
}
$entry = ldap_first_entry($conn, $result);
$attr = ldap_get_attributes($conn, $entry);
$rawLockoutTime = $attr["lockouttime"] ?? null;
$isLockedOut = $rawLockoutTime !== null && $rawLockoutTime[0] !== "0";
A reference about it on a post for the Python LDAP.
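An added example, not part of the original post: Active Directory leaves lockoutTime non-zero after the lockout duration has expired, until the next successful logon, so a non-zero value alone can report an account as locked when it no longer is. The sketch below interprets an ldap_get_attributes()-shaped array, preferring the UF_LOCKOUT bit (0x10) of the constructed attribute msDS-User-Account-Control-Computed (which, like other constructed attributes, must be requested by name) and falling back to lockoutTime plus a lockout duration. The function name lockoutState, the 30-minute duration and the sample entries are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const UF_LOCKOUT = 0x0010;                 // lockout bit in msDS-User-Account-Control-Computed
const FILETIME_EPOCH_OFFSET = 11644473600; // seconds from 1601-01-01 to 1970-01-01 (UTC)

/**
 * Derive lockout state from an array shaped like ldap_get_attributes() output.
 * $lockoutSeconds is the effective lockout duration (assumed to be known by the
 * caller); null means "locked until an administrator unlocks the account".
 */
function lockoutState(array $attrs, ?int $lockoutSeconds, int $now): array
{
    // ldap_get_attributes() keeps the server's casing ("lockoutTime"), so normalise keys.
    $a = array_change_key_case($attrs, CASE_LOWER);

    // lockoutTime is a FILETIME string: 100 ns ticks since 1601-01-01; absent or "0" = no lockout recorded.
    $raw = (string)($a['lockouttime'][0] ?? '0');
    $lockedAt = (ctype_digit($raw) && (int)$raw > 0)
        ? intdiv((int)$raw, 10000000) - FILETIME_EPOCH_OFFSET
        : null;

    $computed = $a['msds-user-account-control-computed'][0] ?? null;
    if ($computed !== null) {
        // Preferred: the DC evaluates the policy itself and reports the result in this bit.
        return ['locked' => ((int)$computed & UF_LOCKOUT) !== 0, 'lockedAt' => $lockedAt, 'source' => 'computed'];
    }
    // Fallback: a non-zero lockoutTime only counts while the lockout window is still open.
    $locked = $lockedAt !== null && ($lockoutSeconds === null || $now < $lockedAt + $lockoutSeconds);
    return ['locked' => $locked, 'lockedAt' => $lockedAt, 'source' => 'lockoutTime'];
}

// Constructed sample entries (not real directory data); 30-minute lockout duration assumed.
$now = 1700000000;
$ticks = fn (int $unix): string => (string)(($unix + FILETIME_EPOCH_OFFSET) * 10000000);
$samples = [
    'never locked'       => ['cn' => ['count' => 1, 'a']],
    'reset to 0'         => ['lockoutTime' => ['count' => 1, '0']],
    'locked 10 min ago'  => ['lockoutTime' => ['count' => 1, $ticks($now - 600)]],
    'stale, 2 hours ago' => ['lockoutTime' => ['count' => 1, $ticks($now - 7200)]],
    'computed flag set'  => ['lockoutTime' => ['count' => 1, $ticks($now - 600)],
                             'msDS-User-Account-Control-Computed' => ['count' => 1, '16']],
];
foreach ($samples as $label => $entry) {
    $s = lockoutState($entry, 1800, $now);
    printf("%-20s locked=%s source=%s\n", $label, $s['locked'] ? 'yes' : 'no', $s['source']);
}
```

With the constructed samples, only the "locked 10 min ago" and "computed flag set" entries are reported as locked; the two-hour-old lockoutTime is treated as stale.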