Article

How to read Operational Attributes with PHP and LDAP.

By default operational attributes (most notably object creation time, creator etc) are not exposed by LDAP. TID 1007418 How to query operational attributes with LDAP http://www.novell.com/support/php/search.do?cmd=displayKC&externalId=10070418 covers the fundamentals. This note demonstrates how to code in PHP using LDAP Calls.

I've got a demonstration script downloadable at http://www.champwilde.f9.co.uk/idmphp/readopatt/index.html, but this note covers the fundamental points.

An LDAP query of eDirectory (or any other directory) typically starts with ldap_connect and ldap_bind commands to set up the server connection, then an ldap_search command to control what is being searched for, and finally ldap entry and ldap attribute commands to extract the output. In order to return the operational attributes its necessary to add some options to the ldap_search command.

A simple LDAP search command in php will look like this:

$sr=@ldap_search($ds, $ldap_root, $ldap_sr );  

You will find that this returns all the standard attributes, and none of the operational attributes. As well as the lack of operational attributes, you are also searching and returning more data than you really need, so its not good practice anyway. What you should do is to specify each attribute that you wish to search for in an array in the LDAP call, and you must do this if you need to return the Operational Attributes. Thus the search command should look something like this:

$sr=@ldap_search($ds, $ldap_root, $ldap_sr, array ("givenName", "sn", "createTimestamp") ); 

In this command the search will return Given Name, Surname and the Object creation timestamp.

There are, of course, other options for ldap_search: see http://www.php.net/manual/en/function.ldap-search.php for full documentation.