Viewed   331 times

I've set up a system to display everyone's name, email address and phone number from Active Directory however I can't get the 'thumbailPhoto' to work.

I have searched around on the internet but haven't been able to find if this is possible or at the very least what format is returned from Active Directory.

I am currently using the adldap class so if it is possible to use this that would be ideal.

Thanks in advance.


I can retrieve the data in the thumbnailPhoto attribute and if I dump them straight to the browser I get something like this:

ÿØÿàJFIFððÿá PExifII*bh~†(2Ži‡¢XCanonCanon EOS 5D Mark IIIðð2013:05:19 17:35:31š‚à‚è"ˆ'ˆ 0230ð’ ’ ’ (’0’8’ ’ ’@‘’11’’11 0100 ÿÿ¢H¢P¢¤¤¤¤ 2013:04:17 11:44:522013:04:17 11:44:52H¹o@B¬ † è»dnäWµ˜:̦®(¶’ HHÿØÿàJFIFÿÛC $.' ",#(7),01444'9=82<.342ÿÛC 2!!22222222222222222222222222222222222222222222222222ÿÀ–d"ÿÄ ÿĵ}!1AQa"q2‘¡#B±ÁRÑð$3br‚ %&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyzƒ„…†‡ˆ‰Š’“”•–—˜™š¢£¤¥¦§¨©ª²³´µ¶·¸¹ºÂÃÄÅÆÇÈÉÊÒÓÔÕÖ×ØÙÚáâãäåæçèéêñòóôõö÷øùúÿÄ ÿĵw!1AQaq"2B‘¡±Á #3RðbrÑ $4á%ñ&'()

That isn't all of it but it is a very long string, I am presuming is some sort of binary string?



This seems to be a JPEG-File, so you should be able to send that data together with the appropriate mime-type to the browser. It should be possible to output that image with something like:

<img src="data:image/jpeg;base64,<?php echo base64_encode($imageString); ?>"/>

But it might also be possible to save files of any image format into that thumbnailPhoto attribute. Therefore, I would put the content into a temporary file that will then be served directly from the server. You will need to pass the file through finfo to get the correct mime-type.

So you might do something like this:

$tempFile = tempnam(sys_get_temp_dir(), 'image');
file_put_contents($tempFile, $imageString);
$finfo = new finfo(FILEINFO_MIME_TYPE);
$mime  = explode(';', $finfo->file($tempFile));
echo '<img src="data:' . $mime[0] . ';base64,' . base64_encode($imageString) . '"/>';
Thursday, August 4, 2022

Try this:

// verify user and password
if($bind = @ldap_bind($ldap, $user . $ldap_usr_dom, $password)) {
    // valid
    // check presence in groups
    $filter = "(sAMAccountName=" . $user . ")";
    $attr = array("memberof","givenname");
    $result = ldap_search($ldap, $ldap_dn, $filter, $attr) or exit("Unable to search LDAP server");
    $entries = ldap_get_entries($ldap, $result);
    $givenname = $entries[0]['givenname'][0];

    // check groups
    foreach($entries[0]['memberof'] as $grps) {
        // is manager, break loop
        if (strpos($grps, $ldap_manager_group)) { $access = 2; break; }

        // is user
        if (strpos($grps, $ldap_user_group)) $access = 1;

    if ($access != 0) {
        // establish session variables
        $_SESSION['user'] = $user;
        $_SESSION['access'] = $access;
        $_SESSION['givenname'] = $givenname;
        return true;
    } else {
        // user has no rights
        return false;

} else {
    // invalid name or password
    return false;
Wednesday, November 9, 2022

Solved my own problem and thought I'd put the answer here so that others might find it. The issue was using the ldap_search() function. The answer was to use the ldap_read() function instead of ldap_search(). The difference is the scope of the request. The search function uses a scope of "sub" (i.e., subtree) while the read function uses "base." The tokenGroups information can only be found when using a scope of "base" so using the correct PHP function was the key.

As I mentioned above, I was working from someone else code in perl to create my solution and the perl script used a function named "search" to do it's LDAP requests which lead me down wrong path.

Thanks to those who took a peek at the question!


As per the requests in the comments, here's the basics of the solution in code. I'm extracting from an object that I use so this might not be 100% but it'll be close. Also, variables not declared in this snipped (e.g. $server, $user, $password) are for you to figure out; I won't know your AD credentials anyway!

$ldap = ldap_connect($server);
ldap_bind($ldap, $user, $password);
$tokengroups = ldap_read($ldap, $dn, "CN=*", array("tokengroups")));
$tokengroups = ldap_get_entries($ldap, $tokengroups);

At this point, $tokengroups is our results as an array. it should have count index as well as some other information. To extract the actual groups, you'll need to do something like this:

$groups = array();
if($tokengroups["count"] > 0) {
    $groups = $tokengroups[0]["tokengroups"];

    // if you want the SID's for your groups, you can stop here.
    // if you want to decode the SID's then you can do something like this.
    // the sid_decode() here:

    foreach($groups as $i => &$sid) {
        $sid = sid_decode($sid);

        $sid_dn = ldap_read($ldap, "<SID=$sid>", "CN=*", array("dn"));
        if($sid_dn !== false) {
            $group = ldap_get_entries($ldap, $sid_dn);
            $group = $group["count"] == 1 ? $group[0]["dn"] : NULL;
            $groups[$i] = $group;

That's the basics. There's one caveat: you'll probably need to work with the individual or individuals who manage AD accounts at your organization. The first time I tried to get this running (a few years ago, so my memory is somewhat fuzzy) the account that I was given did not have the appropriate authorization to access the token groups information. I'm sure there are other ways to do this, but because I was porting someone else's code for this specific solution, this was how I did it.

Wednesday, November 30, 2022

Query the AD like this:

$dn       = "DC=mydomain,DC=local";
$group_DN = "CN=Intra,OU=Common Security Groups,DC=mydomain,DC=local";
$filter   = "(&(objectCategory=user)(memberOf=$group_DN))";
// ...
$sr       = ldap_search($ad, $dn, $filter);

Have a look at the MSDN article about the LDAP search filter syntax for info on more complex filters.

Be sure to pay attention to the Special Characters section down on that page. A correct solution must pass $group_DN through an escaping mechanism before using it in the filter string!

Always try build filters as specific as possible. It is more efficient to let the LDAP server sort out records you don't want, instead of having more records transferred over the wire than you need and throw away half of them on the client.

Tuesday, December 27, 2022

Looking at your search I have a couple of points for you. First, the search uses objectClass (non-indexed) instead of objectCategory (indexed). Huge performance issue with that query. You would most always want to combine the two together depending on what you are trying to retrieve:

(&(objectCategory=person)(objectClass=user)) = All users (no contacts)
(&(objectCategory=person)(objectClass=contact)) = All contacts (no users)
(&(objectCategory=person)) = All users and contacts

As for looking up the users in a group you can enumerate the list of member objects of the specific group. In the member attribute of the group object is the distinguishedName of each user.

This article describes enumerating members of a group...

Don't forget that you may have to handle nested groups of the parent group, as there isn't a default way to handle this with LDAP queries. For that you may need to evaluate if the member object is a group and then get the member attribute for that child group.

Lastly, you should get in the habit of specifying a dns prefix to your query.

Without DNS prefix:


With DNS prefix (all three work):


A single domain won't cause you much issue but when you try and run a search in a multiple domain environment you will get bitten without this addition. Hope this helps move you closer to your goal.

Sunday, October 30, 2022
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :