dept-staff/index.php
2021-10-26 20:59:27 +02:00


<?php
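// Authentication is delegated to the web server: this script trusts REMOTE_USER
// as the caller's identity, so it refuses to run when the variable is missing or empty.
if (!isset($_SERVER['REMOTE_USER']) || $_SERVER['REMOTE_USER'] === '') {
    die("Need username.");
}

// ldaps:// keeps the directory traffic on TLS. ldap_connect() only checks that the
// URI is plausible and does not contact the server, so a false return means the
// URI or the LDAP extension is unusable rather than that the server is down.
// NOTE(review): certificate verification is governed by the host's LDAP client
// configuration, not by this script - confirm it is not set to skip verification.
// No ldap_bind() call appears in this script, so searches presumably run as an
// anonymous bind - confirm that is the intended access level.
$conn = ldap_connect('ldaps://ldap.su.se');
if ($conn === false) {
    error_log('dept-staff: ldap_connect() failed');
    die("Directory unavailable.");
}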
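/**
 * Run a subtree search under dc=su,dc=se on the shared $conn connection.
 *
 * $term is sent to the server as a complete LDAP filter and is NOT escaped here:
 * callers must pass every variable part of the filter through
 * ldap_escape($value, '', LDAP_ESCAPE_FILTER) before building $term.
 *
 * @param string $term          LDAP search filter.
 * @param string ...$attributes Names of the attributes to return for each entry.
 * @return array Entries in ldap_get_entries() format. When the search fails the
 *               error is logged and ['count' => 0] is returned, so callers that
 *               test 'count' fail closed instead of reading a non-array.
 */
function search($term, ...$attributes) {
    global $conn;

    $result = ldap_search($conn, "dc=su,dc=se", $term, $attributes);
    if ($result === false) {
        // Keep the directory's error text in the server log; it is not shown to the client.
        error_log('dept-staff: LDAP search failed: ' . ldap_error($conn));
        return ['count' => 0];
    }

    $entries = ldap_get_entries($conn, $result);
    if ($entries === false) {
        error_log('dept-staff: could not read LDAP entries: ' . ldap_error($conn));
        return ['count' => 0];
    }

    return $entries;
}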
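// Only the part before the first '@' is used as the uid, so the realm is discarded.
// NOTE(review): if the web server can authenticate more than one realm, users from
// different realms with the same local part map to the same directory entry - confirm
// that only the expected realm can reach this script.
$user = explode('@', $_SERVER['REMOTE_USER'])[0];
if ($user === '') {
    die("Need username.");
}
$member = 'memberof';
$epa = 'edupersonaffiliation';

// Escape the value before it goes into the filter: characters such as '*', '(' and
// ')' would otherwise change which entries the filter matches.
$result = search('uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER), $member, $epa);
$matches = (int) ($result['count'] ?? 0);
if ($matches === 0) {
    // Reported separately so that a missing user is not described as "too many".
    die("No matching user.");
}
if ($matches !== 1) {
    die("Too many matching users: " . $matches);
}
$result = $result[0];

// Everything echoed below is HTML, so escape the username once for reuse in messages.
$safe_user = htmlspecialchars($user, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// An entry without the affiliation attribute is treated as "not an employee".
// Strict comparison matters because the attribute array also carries an integer
// 'count' element next to the string values.
$is_employee = in_array('employee', $result[$epa] ?? [], true);
if (!$is_employee) {
    die("Not an employee: $safe_user");
}

$memberships = $result[$member] ?? [];
$deptgroup = '';
foreach ($memberships as $group) {
    # LDAP results aren't proper lists (they include an integer 'count'), so skip non-strings
    if (!is_string($group)) {
        continue;
    }
    # This assumes $user has only one group ending in -staff; the first match wins
    if (preg_match('/^cn=[^-]+-staff,.+/', $group)) {
        $deptgroup = $group;
        break;
    }
}
if (!$deptgroup) {
    die("Could not find a department group for $safe_user.");
}

// The group DN comes from the directory, but it is still data placed inside a
// filter, so it is escaped the same way as the username.
$deptpeople = search($member . '=' . ldap_escape($deptgroup, '', LDAP_ESCAPE_FILTER), 'cn', 'mail');
$total = (int) ($deptpeople['count'] ?? 0);
for ($i = 0; $i < $total; $i++) {
    // Directory values are HTML-escaped before output; an entry with no cn or mail
    // prints an empty field instead of raising an undefined-index notice.
    $u = htmlspecialchars($deptpeople[$i]['cn'][0] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $m = htmlspecialchars($deptpeople[$i]['mail'][0] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    echo "$u &lt;$m&gt;";
    echo "<br/>";
}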
?>