PHP :: Bug #35611 :: ldap_sasl_bind() sends bind DN as authc

Bug #35611	ldap_sasl_bind() sends bind DN as authc_id
Submitted:	2005-12-09 10:30 UTC	Modified:	2007-07-12 22:14 UTC
From:	bfg at frost dot ath dot cx	Assigned:
Status:	Closed	Package:	LDAP related
PHP Version:	5.1.1	OS:	linux
Private report:	No	CVE-ID:	None

View Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 23 - 8 = ?
Subscribe to this entry?

[2005-12-09 10:30 UTC] bfg at frost dot ath dot cx

Description:
------------
ldap_sasl_bind() sends bind DN as sasl authz id.

This is wrong ;)



Reproduce code:
---------------
<?php
        $host = "ldap://ldap.example.org";
        $dn = "uid=bfg,ou=users,ou=unix,ou=production,dc=noviforum,dc=si";
        $pw = "test";
        $realm = "PROD.EXAMPLE.ORG";
        $mech = "PLAIN";
        $authz_id = "bfg";
        $props = null;

        $r = ldap_connect($host);

        if (! $r) {
                echo "Unable to connect: \n";
                exit(1);
        }

        ldap_set_option($r, LDAP_OPT_PROTOCOL_VERSION, 3);
        echo "Connected, trying to bind...\n";

        $b = ldap_sasl_bind($r, $dn, $pw, $mech, $realm, $authz_id, $props);
        echo "LDAP bind: " . (($b) ? "OK" : "FAILED") . "\n";

?>


Expected result:
----------------
OK

... i've written php patch which i've sent to jani.

Actual result:
--------------
Dec  8 11:31:34 orion slapd[5404]: conn=113 fd=15 ACCEPT from 
IP=192.168.2.232:55217 (IP=0.0.0.0:389)


LDAP: Dec  8 11:31:12 orion slapd[5404]: conn=112 op=0 BIND 
dn="uid=bfg,ou=users,ou=unix,ou=production,dc=example,dc=si" method=163
PHP:  Dec  8 11:31:34 orion slapd[5404]: conn=113 op=0 BIND 
dn="uid=bfg,ou=users,ou=unix,ou=production,dc=example,dc=si" method=163



LDAP: Dec  8 11:31:12 orion saslauthd[17532]: rel_accept_lock : released 
accept lock
PHP:  Dec  8 11:31:34 orion saslauthd[17533]: rel_accept_lock : released 
accept lock


LDAP: Dec  8 11:31:12 orion saslauthd[17533]: get_accept_lock : acquired 
accept lock
PHP:  Dec  8 11:31:34 orion saslauthd[17531]: get_accept_lock : acquired 
accept lock
FAILED

Kerberos logs (ldap server authenticates against kerberos)

LDAP marked lines are produced when connecting to ldap server with ldapsearch(1), PHP marked lines are produced with php interpreter running script above.

LDAP: Dec  8 11:31:12 orion krb5kdc[5468]: AS_REQ (1 etypes {18}) 
195.250.198.144: NEEDED_PREAUTH: bfg@PROD.EXAMPLE.ORG for 
krbtgt/PROD.EXAMPLE.ORG@PROD.EXAMPLE.ORG, Additional pre-authentication 
required
PHP:  Dec  8 11:31:34 orion krb5kdc[5468]: AS_REQ (1 etypes {18}) 
195.250.198.144: CLIENT_NOT_FOUND: 
uid=bfg,ou=users,ou=unix,ou=production,dc=examle,dc=si@PROD.EXAMPLE.ORG 
for krbtgt/PROD.EXAMPLE.ORG@PROD.EXAMPLE.ORG, Client not found in Kerberos 
database

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-12-11 23:27 UTC] sniper@php.net

Exactly how did you call ldapsearch program to get those results..?

[2005-12-12 09:40 UTC] bfg at frost dot ath dot cx

$ ldapsearch -h hostname.example.org -D "uid=bfg,ou=users,ou=unix,ou=production,dc=noviforum,dc=si" -Y PLAIN -I

Entered SASL auth username: "bfg"

The same result with:
USER="bfg" ldapsearch -h hostname.example.org -D "uid=bfg,ou=users,ou=unix,ou=production,dc=noviforum,dc=si" -Y PLAIN

:)

[2005-12-12 23:27 UTC] sniper@php.net

The authzid is passed with -X option, thus you're not doing the same as you're doing with the script.

[2005-12-12 23:33 UTC] sniper@php.net

Also, FYI:

  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")

(that's from ldapsearch -h output)

[2005-12-12 23:55 UTC] sniper@php.net

And this is a good read too:
http://www.openldap.org/devel/admin/guide.html#Using%20SASL

It explains what you are doing wrong.

[2005-12-13 00:17 UTC] bfg at frost dot ath dot cx

... well, the fact is, that i haven't found any way to authenticate against my ldap directory without that patch...

Well, when i specify -I option when running ldapsearch i can specify authz_id from interactive prompt.

The fact is, that when i specify authz_id as an function argument when calling ldap_sasl_bind(), it is *not* passed to SASL as authz_id, but bind dn is passed as authz_id instead...

I believe that this is wrong.

Well, if i'm doing something wrong somewhere, please let me know. I've read those openldap documents before i decided to patch php interpreter. But i still cannot understand why it is wrong to expect that sasl will use $authz_id as sasl authzd_id and not ldap bind dn if i explicitly specify $authz_id...


Best regards, Brane

[2007-07-12 22:14 UTC] jani@php.net

We both confused authc_id with authz_id, this is now implemented in CVS.
It will be available in PHP >= 5.2.4.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Oct 30 16:00:01 2025 UTC