I would like to know if it is possible to check directly in the AD, if a user belongs to a particular group, to validate it as admin or not.
I'm doing it this way:
/*
 * $this->status  connection status
 * $this->ds      link identifier
 * $this->dn      base DN
 * $this->usuario user I am looking for in the group
 */
public function isAdmGroup() {
    if ($this->status) {
        $grupo = 'CN=GrupoX,OU=Grupos,OU=Grupos de Acesso,DC=exemplo,DC=com,DC=br';
        // Escape the user name so filter metacharacters such as * ( ) \ are treated as literals
        $usuario = ldap_escape($this->usuario, '', LDAP_ESCAPE_FILTER);
        $filter = "(&(objectClass=user)(sAMAccountname=".$usuario.")(memberOf=".$grupo."))";
        $attributes = array('memberof');
        $search = ldap_search($this->ds, $this->dn, $filter, $attributes);
        return ldap_get_entries($this->ds, $search);
    }
}
However, it returns all user groups, and sometimes it's a large array.
I'd like to do a more objective search, just checking whether it's part of the group or not, instead of returning all the groups the user belongs to.
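One way to reduce the lookup in the question to a yes/no answer, as an added example that is not part of the original post: the filter already restricts the match to the group, so the search can request no attributes and only count the entries. The function names and the sample user names are hypothetical, and PHP's ldap extension is assumed to be loaded.

```php
<?php
// Added example, not the poster's code. Function names and sample values are hypothetical.

/** Build the membership filter; both values are escaped for the filter context. */
function buildMembershipFilter(string $username, string $groupDn): string
{
    $user  = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $group = ldap_escape($groupDn, '', LDAP_ESCAPE_FILTER);
    return "(&(objectClass=user)(sAMAccountName={$user})(memberOf={$group}))";
}

/**
 * Return true only when exactly one account matches the filter.
 * Any search error is treated as "not a member", so the admin check fails closed.
 * Note: memberOf lists direct memberships only; nested groups and the user's
 * primary group are not covered by this filter.
 */
function isMemberOf($ds, string $baseDn, string $username, string $groupDn): bool
{
    if ($username === '') {
        return false; // never query with an empty account name
    }
    $filter = buildMembershipFilter($username, $groupDn);
    // '1.1' asks the server to return no attributes (RFC 4511), only the matching entries.
    $search = @ldap_search($ds, $baseDn, $filter, ['1.1']);
    if ($search === false) {
        return false;
    }
    return ldap_count_entries($ds, $search) === 1;
}

// Constructed sample input: a plain account name and one containing a wildcard.
// Without escaping, the second value would match any account starting with "j"
// that is in the group, so the check could succeed for the wrong login name.
$group = 'CN=GrupoX,OU=Grupos,OU=Grupos de Acesso,DC=exemplo,DC=com,DC=br';
foreach (['jsilva', 'j*'] as $name) {
    echo buildMembershipFilter($name, $group), PHP_EOL;
}
```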