Bug #14693 Problem with searching single signed LDAP base name dc=<something>
Submitted: 2001-12-25 17:08 UTC Modified: 2001-12-26 14:01 UTC
From: Dubravko dot Penezic at SRCE dot hr Assigned:
Status: Closed Package: LDAP related
PHP Version: 4.1.0 OS: Sun Solaris 2.7 (32 bit)
Private report: No CVE-ID: None
 [2001-12-25 17:08 UTC] Dubravko dot Penezic at SRCE dot hr
<script LANGUAGE="PHP">

   $ds=ldap_connect("ds.carnet.hr");
   $r=ldap_bind($ds);

   $dn = 'dc=hr';

   $filter="(o=*)";
   $justthese = array( "dc");
 
   $sr=ldap_search($ds, $dn, $filter, $justthese);

   $info = ldap_get_entries($ds, $sr);
 
   print $info["count"]." entries returned<p>";

   ldap_close($ds);

</script>


Warning: LDAP: Unable to perform the search: No such object in /web/www/htdocs/ltest/bug.php on line 11

Warning: Supplied argument is not a valid ldap result resource in /web/www/htdocs/ltest/bug.php on line 13
entries returned

- When putting $dn equal to anything other than a single signed base name (dc=<something>), the script works without warning.

./configure  --with-mysql --with-gd --with-ldap=/home/ldap/ldap --with-config-file-path=/usr/local/apache --prefix=/usr/local/apache --enable-ftp --with-ftp --enable-track-vars --with-apache=/opt/apache_1.3.22 --with-curl=/usr/local 

 [2001-12-25 17:35 UTC] venaas@php.net
The problem has to do with continuation reference and which
LDAP version you use. Most LDAP libs default to v2. Please
try the following script (worked for me):

$ds=ldap_connect("ds.carnet.hr");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 1);
$r=ldap_bind($ds);
$dn = 'dc=hr';
$filter="(o=*)";
$justthese = array( "dc");
$sr=ldap_search($ds, $dn, $filter, $justthese);
$info = ldap_get_entries($ds, $sr);
ldap_close($ds);
var_dump($info);

I've told it to use v3, and also to follow referrals. You
can probably omit the referrals setting, I think that's
the default, but depends on library.

I also suggest you try:

$ds=ldap_connect("ds.carnet.hr");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
$r=ldap_bind($ds);
$dn = 'dc=hr';
$filter="(objectclass=*)";
$justthese = array( "dc");
$sr=ldap_search($ds, $dn, $filter, $justthese);
$info = ldap_get_entries($ds, $sr);
ldap_close($ds);
var_dump($info);

I'm closing this since I don't think there's a problem.
Reopen if you disagree.
 [2001-12-25 18:27 UTC] Dubravko dot Penezic at SRCE dot hr
Thanks for the fast answer, right now it works.

Why I think it is a bug: I simply wrote the code you saw in the bug report, but I also tested with dc=srce,dc=hr (and a few more) and it worked fine; I only got warnings when I put dc=hr.

I use OpenLDAP 2.0.19, and the v2 and v3 protocols, with referrals; ds.carnet.hr is the national LDAP server with base DN dc=hr.
So at one moment the LDAP functions use the v3 protocol and at another the v2 protocol, which is very confusing.

Right away I checked my configuration, and I think maybe it is a malfunction (bug) :) ... why I think so:

1. My server is able to answer on the v2 and v3 standards; in that case I would at least expect to get 0 as the answer
2. Ldap Browser 2.8.2 by Jarek Gawor (jar) returns "No entries mached" for the same search using the v2 protocol.

May I suggest implementing that feature in one of the next releases of the LDAP functions for PHP.
 [2001-12-26 14:01 UTC] venaas@php.net
You are right, there is one problem with PHP's ldap_search(). This is a bit hard to explain, but when you search at dc=hr, there are both entries returned, and referrals (continuation references).
If you're using LDAPv2 (which is default with OpenLDAP API), the result of the search won't be LDAP_SUCCESS, and PHP's ldap_search() won't return any results (even though some entries were found).

I wanted to fix this a while ago, and at the same time be backwards compatible. I also wanted to have a way of doing parallel searches. ldap_search() will do a parallel search if the first argument is an array of link identifiers. It will then return an array of results instead of a single result. You can also use arrays for bases and filters if you don't want the same base and filter for all. I also made ldap_search() return results even if not LDAP_SUCCESS.

Here is an example on how this can be used to get both entries and referrals with LDAPv2:

$ds=ldap_connect("ds.carnet.hr");
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
$r=ldap_bind($ds);
$dn = 'dc=hr';
$filter="(ou=*)";
$srs=ldap_search(array($ds), $dn, $filter);
$sr=$srs[0];
$info = ldap_get_entries($ds, $sr);
ldap_parse_result($ds, $sr, $errcode, $matcheddn, $errmsg, $referrals);
var_dump($info, $errcode, $matcheddn, $errmsg, $referrals);

Here I use parallel search, even though I only have one server, just to get hold of the results. ldap_parse_result() is used to get the referrals and possibly other info in the result message. It could be possible to search all the referrals (even in parallel) to get more data, but when using LDAPv2 you don't get the bases, so that is problematic. Compare output of
ldapsearch  -h"ds.carnet.hr" -b"dc=hr"
with
ldapsearch -x -P2  -h"ds.carnet.hr" -b"dc=hr"
Using LDAPv3 for the initial search you would get the bases also. You can tell OpenLDAP to chase the referrals (if v3) or give them back to you. It can't chase them with v2, it would then try with wrong base and get "no such object". Because of this mess, I've only added referrals for v3 servers at ldap://ldap.uninett.no/dc=no

There is one problem with PHP and parallel searches though. It was added in 4.0.5, and works in 4.0.6, but is broken in 4.1.0. I noticed this thanks to you, and I've now fixed it so that hopefully it will work again in 4.1.1. You can make it work in 4.1.0 by changing ldap.c as shown at
http://cvs.php.net/diff.php/php4/ext/ldap/ldap.c?r1=1.112&r2=1.113&ty=u

Everything I said about ldap_search() also holds for ldap_list() and ldap_read().
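
A defensive version of the search discussed in this thread, added here as an example; it is not part of the original bug report or of PHP's own code. It requests LDAPv3, returns continuation references to the caller instead of chasing them, and stops when ldap_search() fails rather than passing false on to ldap_get_entries(). The function name search_with_references and the host in the usage lines are assumptions, and running it needs the ldap extension and a reachable directory server.

```php
<?php
// Added example, not from the bug report. search_with_references() is a
// hypothetical helper; the URI in the usage lines is a placeholder.

function search_with_references(string $uri, string $base, string $filter, array $attrs): array
{
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("invalid LDAP URI: $uri");
    }
    // Ask for LDAPv3 so continuation references arrive as their own messages,
    // and hand them to the caller instead of letting the library chase them.
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    if (!@ldap_bind($ds)) {                       // anonymous bind, as in the report
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }

    $sr = @ldap_search($ds, $base, $filter, $attrs);
    if ($sr === false) {
        // Stop here: passing false on to ldap_get_entries() is what produced
        // the second warning in the report.
        $msg = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException("search at '$base' failed: $msg");
    }

    $entries = ldap_get_entries($ds, $sr);

    // Collect continuation references (LDAP URLs pointing at other servers).
    $refs = [];
    for ($ref = ldap_first_reference($ds, $sr); $ref !== false; $ref = ldap_next_reference($ds, $ref)) {
        $urls = [];
        if (ldap_parse_reference($ds, $ref, $urls)) {
            $refs = array_merge($refs, $urls);
        }
    }

    ldap_unbind($ds);
    return ['entries' => $entries, 'references' => $refs];
}

// Usage (placeholder host and base):
// $r = search_with_references('ldap://ldap.example.org', 'dc=example', '(objectclass=*)', ['dc']);
// printf("%d entries, %d references\n", $r['entries']['count'], count($r['references']));
```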

 