php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #39291 ldap_sasl_bind() misses sasl_authc_id parameter
Submitted: 2006-10-28 14:44 UTC Modified: 2007-07-12 22:17 UTC
Votes:5
Avg. Score:5.0 ± 0.0
Reproduced:4 of 4 (100.0%)
Same Version:2 (50.0%)
Same OS:0 (0.0%)
From: lee dot essen at nowonline dot co dot uk Assigned: jani (profile)
Status: Closed Package: LDAP related
PHP Version: 5.1.6 OS: Solaris 10
Private report: No CVE-ID: None
 [2006-10-28 14:44 UTC] lee dot essen at nowonline dot co dot uk
Description:
------------
** Caveat: I am not an LDAP, PHP or SASL expert, so I could be a long way off the mark here **

This is similar to bug 35611 (which is marked as Bogus!) and related to 30189, but I believe the problem is with authcid and not authzid. 

ldap_sasl_bind sends the binddn as the authcid, this behaviour differs to the standard ldapsearch etc utilities when using "-U" to send a username.

This basically means that I cannot get it to bind to my ldap server, looking at the slapd debug it seems to send a username like...

username="cn=My Name,ou=People,..."

... when I look at the debug from using an ldapsearch -U it gets a username="shortname" type output.

By hacking the code to add another option (authcid) to the php ldap_sasl_bind function and sending that for the authcid instead of binddn everything works perfectly.

A simple example is that you don't need to provide a BindDN to ldapsearch if you use -U, this is because the username will be mapped by the authz-regex to a real object.

If you don't specify a binddn with PHP you get a "SASL bind in progress" error, and if you just specify a username then it fails with "invalid dn".

(I can provide a very simple patch that fixes the problem if it helps)

Reproduce code:
---------------
See description above.

Expected result:
----------------
See description above.

Actual result:
--------------
See description above.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-12-13 16:41 UTC] tregi at inwind dot it
Hy,
I am not an LDAP, PHP or SASL expert too, but i'm experiencing the same problem in using ldap_sasl_bind function. Using ldapsearch i can bind my LDAP server (Active Directory) only with -U option (authcid). My server has, i suppose, empty authorization and strong authentication. I try to use DIGEST-MD5 and it works with ldapsearch, but does not with php.
So, i would appreciate your help; maybe your patch can solve my problem.
Thanks.
 [2007-03-24 23:25 UTC] diafour at gmail dot com
==BEGIN php-5.1.6_ldap_sasl_bind-authcid.diff==
--- original/php-5.1.6/ext/ldap/ldap.c	2006-01-01 15:50:08.000000000 +0300
+++ work/php-5.1.6/ext/ldap/ldap.c	2007-03-25 00:50:23.000000000 +0300
@@ -499,14 +499,14 @@
 
 /* {{{ _php_sasl_setdefs
  */
-static php_ldap_bictx *_php_sasl_setdefs(LDAP *ld, char *sasl_mech, char *sasl_realm, char *binddn, char *pass, char *sasl_authz_id)
+static php_ldap_bictx *_php_sasl_setdefs(LDAP *ld, char *sasl_mech, char *sasl_realm, char *sasl_authc_id, char *pass, char *sasl_authz_id)
 {
 	php_ldap_bictx *ctx;
 
 	ctx = ber_memalloc(sizeof(php_ldap_bictx));	
 	ctx->mech    = (sasl_mech) ? ber_strdup(sasl_mech) : NULL;
 	ctx->realm   = (sasl_realm) ? ber_strdup(sasl_realm) : NULL;
-	ctx->authcid = (binddn) ? ber_strdup(binddn) : NULL;
+	ctx->authcid = (sasl_authc_id) ? ber_strdup(sasl_authc_id) : NULL;
 	ctx->passwd  = (pass) ? ber_strdup(pass) : NULL;
 	ctx->authzid = (sasl_authz_id) ? ber_strdup(sasl_authz_id) : NULL;
 
@@ -583,18 +583,19 @@
 	char *pass = NULL;
 	char *sasl_mech = NULL;
 	char *sasl_realm = NULL;
+	char *sasl_authc_id = NULL;
 	char *sasl_authz_id = NULL;
 	char *props = NULL;
-	int rc, dn_len, pass_len, mech_len, realm_len, authz_id_len, props_len;
+	int rc, dn_len, pass_len, mech_len, realm_len, authc_id_len, authz_id_len, props_len;
 	php_ldap_bictx *ctx;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|ssssss", &link, &binddn, &dn_len, &pass, &pass_len, &sasl_mech, &mech_len, &sasl_realm, &realm_len, &sasl_authz_id, &authz_id_len, &props, &props_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|sssssss", &link, &binddn, &dn_len, &pass, &pass_len, &sasl_mech, &mech_len, &sasl_realm, &realm_len, &sasl_authc_id, &authc_id_len, &sasl_authz_id, &authz_id_len, &props, &props_len) == FAILURE) {
 		RETURN_FALSE;
 	}
 
 	ZEND_FETCH_RESOURCE(ld, ldap_linkdata *, &link, -1, "ldap link", le_link);
 
-	ctx = _php_sasl_setdefs(ld->link, sasl_mech, sasl_realm, binddn, pass, sasl_authz_id);
+	ctx = _php_sasl_setdefs(ld->link, sasl_mech, sasl_realm, sasl_authc_id, pass, sasl_authz_id);
 
 	if (props) {
 		ldap_set_option(ld->link, LDAP_OPT_X_SASL_SECPROPS, props); 
==BEGIN php-5.1.6_ldap_sasl_bind-authcid.diff==

I looked in sources of ldapsearch and did like that guys.

Here is ldap_sasl_bind definition from http://www.php.net/manual/ru/function.ldap-sasl-bind.php:

bool ldap_sasl_bind ( resource link [, string binddn [, string password [, string sasl_mech [, string sasl_realm [, string sasl_authz_id [, string props]]]]]] )

I've added authc_id argument to ldap_sasl_bind function into position of authz_id argument:

bool ldap_sasl_bind ( resource link [, string binddn [, string password [, string sasl_mech [, string sasl_realm [, string sasl_authc_id [, string sasl_authz_id [, string props]]]]]]] )

phplpadadmin works fine after that!
I use login_dn as "uid=username,ou=People,dc=example,dc=com". Phpldapadmin sets authz_id as "username". ldap_sasl_bind use that authz_id as authc_id.

P.S. there similar bugs 35611 and 32055
 [2007-07-12 22:09 UTC] jani@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

The provided patch is now applied in 5.2 CVS. Thanks!
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 11:01:30 2024 UTC