Hi @Renjith vr
I think there are two parts to your question,
- What is the filter required for the ldap_search_s function
- Why does the Powershell Get-ADUser work
I'm not sure I can answer question 2, as PowerShell uses the ADWS service and I haven't been able to get any details from the network traces as the traffic is encrypted. But I'm making the assumption that the PowerShell command and ADWS may do some additional processing to find the object, or it's using the GC to search the forest. If you do want to get more details on this, it might be worth raising another question with the windows-server-powershell tag and seeing if any of the PowerShell experts have more insights.
But I can provide some additional information for Question 1.
With the ldap_search_s() function, make sure you define the scope parameter as LDAP_SCOPE_SUBTREE to search the entire domain. If the object exists in a different domain in the same forest, you will need to complete a few additional steps: find and connect to a DC with the GC, find the root DN of the forest, and then use ldap_search_s against that connection and root DN. Also, if the object you are searching for has been deleted, you will need to use the ldap_search_ext_s function and include the delete & restore server-side controls to find the object.
It looks like you are trying to search using the user's displayName rather than the sAMAccountName in your filter. The displayName and sAMAccountName values are normally different; also, the sAMAccountName does not contain any punctuation characters.
This is an example user:
> dn: CN=Reynolds\, Gary,OU=test1,DC=w2k12,DC=local
> cn: Reynolds, Gary
> sn: Reynolds
> givenName: Gary
> distinguishedName: CN=Reynolds\, Gary,OU=test1,DC=w2k12,DC=local
> displayName: Reynolds, Gary
> name: Reynolds, Gary
> sAMAccountName: greynolds
> userPrincipalName: email@example.com
As you can see, the sAMAccountName is different from the displayName, so you will need to use a different filter based on the attribute you are searching.
You can optimize your filter, as you have an extra logic operator that is not required. This would be a better filter based on a sAMAccountName search:
You can optimize the filter further by including an additional index:
If you want to search for the display name, then the filter would look like this:
There is no need to escape the comma in the search value, as this will be passed as clear text to the server to process. The disadvantage of this filter is that the displayName must be an exact match of the search value; if there is any difference in spelling, the search will fail.
You could use an Ambiguous Name Resolution (ANR) based filter, which will search a number of attributes for the specified value: all attributes that have the ANR_INDEX flag set in the searchFlags attribute. You can use AD: Schema Attributes ANR Indexed in NetTools to list the attributes that will be included in the ANR search.
Again, this assumes that the search value is an exact match for the value; if you want to search for reynolds or gary, then use this ANR filter:
I hope that helps.
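The following is an added example, not code from the answer above or from NetTools. It builds the kinds of filter strings the answer describes (an equality filter on sAMAccountName, the same filter ANDed with an indexed attribute, an exact displayName filter, and an ANR filter), escapes values per RFC 4515, and evaluates each filter against the example user entry from the answer so you can see which attribute a given search value actually hits. Assumptions: the entry's objectClass values are constructed (the answer does not list them); the ANR attribute set is an assumed subset of the default AD ANR-indexed attributes; and ANR is simplified to a prefix match on each of those attributes (real AD also splits a value containing a space and tries givenName/sn combinations).

```python
# Added example, not code from the answer above. Models how LDAP filters are
# built and evaluated, using the example user from the answer as sample data.
from typing import Any

# Attribute dictionary for the example user in the answer. objectClass is an
# assumed value (the answer does not show it). AD string syntaxes compare
# case-insensitively, which the matcher below reproduces.
ENTRY: dict[str, Any] = {
    "cn": "Reynolds, Gary",
    "sn": "Reynolds",
    "givenName": "Gary",
    "distinguishedName": "CN=Reynolds\\, Gary,OU=test1,DC=w2k12,DC=local",
    "displayName": "Reynolds, Gary",
    "name": "Reynolds, Gary",
    "sAMAccountName": "greynolds",
    "userPrincipalName": "email@example.com",
    "objectClass": ["top", "person", "organizationalPerson", "user"],  # assumed
}

# Assumed: a subset of the attributes carrying the ANR index flag in a default
# AD schema. The authoritative list is whatever has ANR_INDEX set in searchFlags.
ANR_ATTRIBUTES = ("displayName", "givenName", "name", "sAMAccountName", "sn")

# RFC 4515 filter escaping. Comma is not special inside a filter value (it is
# only special in a DN), so "Reynolds, Gary" is sent to the server unchanged.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


# Filters are small tuples so one object can be both rendered to the string
# you would pass to ldap_search_s() and evaluated against an entry:
#   ("=", attr, value)      exact equality
#   ("=*", attr, prefix)    prefix substring, rendered as (attr=prefix*)
#   ("&", [f, ...]) / ("|", [f, ...])
#   ("anr", value)          AD ambiguous name resolution
Filter = tuple


def render(f: Filter) -> str:
    op = f[0]
    if op == "=":
        return f"({f[1]}={escape_filter_value(f[2])})"
    if op == "=*":
        return f"({f[1]}={escape_filter_value(f[2])}*)"
    if op in ("&", "|"):
        return f"({op}{''.join(render(sub) for sub in f[1])})"
    if op == "anr":
        return f"(anr={escape_filter_value(f[1])})"
    raise ValueError(f"unknown filter op {op!r}")


def _values(entry: dict, attr: str) -> list:
    # Attribute names are case-insensitive; lower-case both names and values.
    for name, val in entry.items():
        if name.lower() == attr.lower():
            vals = val if isinstance(val, list) else [val]
            return [v.lower() for v in vals]
    return []


def expand_anr(value: str) -> Filter:
    """Simplified ANR: OR of prefix matches over the assumed ANR attribute set."""
    return ("|", [("=*", attr, value) for attr in ANR_ATTRIBUTES])


def matches(f: Filter, entry: dict) -> bool:
    op = f[0]
    if op == "=":
        return f[2].lower() in _values(entry, f[1])
    if op == "=*":
        return any(v.startswith(f[2].lower()) for v in _values(entry, f[1]))
    if op == "&":
        return all(matches(sub, entry) for sub in f[1])
    if op == "|":
        return any(matches(sub, entry) for sub in f[1])
    if op == "anr":
        return matches(expand_anr(f[1]), entry)
    raise ValueError(f"unknown filter op {op!r}")


if __name__ == "__main__":
    candidates = [
        ("=", "sAMAccountName", "Reynolds, Gary"),  # display name in the wrong attribute
        ("=", "sAMAccountName", "greynolds"),
        ("&", [("=", "objectClass", "user"), ("=", "sAMAccountName", "greynolds")]),
        ("=", "displayName", "Reynolds, Gary"),
        ("=", "displayName", "Reynolds Gary"),  # exact match required, so this fails
        ("anr", "reynolds"),
        ("anr", "gary"),
    ]
    for f in candidates:
        print(f"{render(f):62} -> {matches(f, ENTRY)}")
```

Running the script prints each rendered filter next to whether it matches the example entry. The first candidate is the mistake the answer describes: a displayName value placed in a sAMAccountName filter never matches, while the exact displayName filter matches only when the spelling is identical and the ANR filter matches on a partial value via givenName or sn.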