PHP example code to query LDAP for a user's affiliation:

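<?php

declare(strict_types=1);

// This code assumes that LDAP support is enabled for PHP, see http://us3.php.net/ldap for more info

// basic sequence with LDAP is connect, bind, search, interpret search
// result, close connection

/**
 * Escape a value for the HTML context before echoing it into the page.
 *
 * The username comes from the client certificate and the dn/cn/mail values
 * come back from the directory; none of them are safe to print raw.
 */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Search $base with $filter and return the number of entries found.
 *
 * Returns null when the search itself fails (bad base DN, server error), so
 * callers can tell "no match" apart from "could not search" instead of
 * treating a failed search as "not a member".
 *
 * @param resource|\LDAP\Connection $ds     open LDAP connection
 * @param string                    $base   search base DN
 * @param string                    $filter LDAP filter; any user-supplied part
 *                                          must already be ldap_escape()d
 */
function count_matches($ds, string $base, string $filter): ?int
{
    $sr = ldap_search($ds, $base, $filter);
    if ($sr === false) {
        return null;
    }

    $count = ldap_count_entries($ds, $sr);
    ldap_free_result($sr);

    return $count === false ? null : $count;
}

// First we need to determine the name of the authenticated user.
// SSL_CLIENT_S_DN_Email is only populated when the web server verified a client
// certificate; without it there is no authenticated identity to look up.
$rawEmail = $_SERVER["SSL_CLIENT_S_DN_Email"] ?? '';

// next we strip off "@mit.edu"
[$authuser] = explode("@", $rawEmail, 2);

if ($authuser === '') {
    echo "<h4>No authenticated username is available (SSL_CLIENT_S_DN_Email is missing or empty).</h4>";
    exit;
}

// The uid is interpolated into every LDAP filter below. Escape it so that
// characters such as "*", "(", ")" or "\" in the certificate's e-mail address
// cannot change the filter's meaning (LDAP filter injection).
$filter = "uid=" . ldap_escape($authuser, '', LDAP_ESCAPE_FILTER);

echo "<h3>Affiliation determination via LDAP query test</h3>";

echo "The authenticated username is " . html_escape($authuser) . "<br />";

$ds = ldap_connect("ldap.mit.edu");  // must be a valid LDAP server!

if ($ds) {
    // Most directories refuse LDAPv2 (PHP's default); request v3 explicitly.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);

    // NOTE(review): this is a plain ldap:// connection and the answers below feed
    // an authorization decision. If the server supports it, prefer ldaps:// or
    // ldap_start_tls() so the results cannot be read or altered in transit.

    //  We're just doing an anonymous query and don't need to bind...

    // Search surname entry in entire directory
    $sr = ldap_search($ds, "dc=mit, dc=edu", $filter);

    if ($sr === false) {
        echo "<h4>LDAP search failed: " . html_escape(ldap_error($ds)) . "</h4>";
    } else {
        // Count once; the original queried the server twice for the same number.
        $count = ldap_count_entries($ds, $sr);

        if ($count === 0) {
            echo "The entire directory was searched for (uid=" . html_escape($authuser) . ") but no entry was found.<br />";
        }

        if ($count === 1) {
            echo "The entire directory was searched for (uid=" . html_escape($authuser) . ") and one entry was found.<br />";
        }

        $info = ldap_get_entries($ds, $sr);
        ldap_free_result($sr);

        if ($info !== false) {
            for ($i = 0; $i < $info["count"]; $i++) {
                // An entry may have no cn or mail attribute; print an empty
                // value instead of raising an undefined-index notice.
                echo "<br />dn is: " . html_escape($info[$i]["dn"]) . "<br />";
                echo "first cn entry is: " . html_escape($info[$i]["cn"][0] ?? '') . "<br />";
                echo "first email entry is: " . html_escape($info[$i]["mail"][0] ?? '') . "<br /><hr />";
            }
        }
    }

    // Trailing spaces keep the three fragments from running together
    // ("what typeof affiliation") when they are concatenated in the page.
    echo "<br />Now we're going to search specific portions of the directory to determine what type ";
    echo "of affiliation this user has to MIT. This information can be used to make an authorization ";
    echo "decision, if this is appropriate for your application service. <br /><br />";

    // Each organizational unit is searched with the same escaped filter; the
    // match count decides which sentence is printed for that unit.
    $affiliations = [
        'ou=employees, dc=mit, dc=edu'  => ['an employee', 'not an employee'],
        'ou=students, dc=mit, dc=edu'   => ['a student', 'not a student'],
        'ou=affiliates, dc=mit, dc=edu' => ['an affiliate', 'not an affiliate'],
    ];

    foreach ($affiliations as $base => [$isLabel, $isNotLabel]) {
        $count = count_matches($ds, $base, $filter);

        if ($count === null) {
            // A failed search is not evidence of non-membership; say so rather
            // than silently printing "is not ...".
            echo "Could not search " . html_escape($base) . ": " . html_escape(ldap_error($ds)) . "<br />";
        } elseif ($count === 0) {
            echo html_escape($authuser) . " is " . $isNotLabel . ".<br />";
        } elseif ($count === 1) {
            echo html_escape($authuser) . " is " . $isLabel . ".<br />";
        } else {
            // More than one entry for a uid is ambiguous; an authorization
            // decision should not be based on it without further checks.
            echo html_escape($authuser) . " matched " . $count . " entries under " . html_escape($base) . ".<br />";
        }
    }

    ldap_close($ds);
} else {
    echo "<h4>Unable to connect to LDAP server</h4>";
}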