Some var_dump() here and there will reveal you why your script doesn't work. Not PHP bug.

I added:

var_dump($info[$i][$data][$jj]);

to the output of the test script and got this output for the last two values of the array for that attribute:

0 1 11 memberof:  CN=Domain Users,CN=Users,DC=rhodes,DC=edu
string(41) "CN=Domain Users,CN=Users,DC=rhodes,DC=edu"
0 1 12 memberof:  
NULL 

Now, I know that there are 13 LDAP values for this attribute (memberof). I can see this in various LDAP tools pointed to Active Directory for this user. And, when I do a:

count($info[$i][memberof]);

I get 13, which is correct.

As you can see, the final value has a key value in the array for this attribute, but no data is returned with that key. Obviously, PHP is not putting the last value for that attribute in the array but has created a key value to hold the data.

How is this a problem in the script? Looks like a bug in PHP to me...

Please provide access to this 'active directory' thing.
(If you can't, we can't fix it either)

I obviously can't provide general access for testing to our Active Directory server, because you need an account on the Active Directory server to even search the directory, as with most LDAP servers.

I find it strange that no one has seen this before, because Microsoft's Active Directory is probably the most widely-used commercial LDAP server in the world.

However, it is obvious that, if an attribute has 13 values when looking at it via another LDAP query tool and if PHP thinks that it has the same number of values because it creates that many keys in the array, the error must be that PHP is not setting the last value in the array (for which there already is a key) or Active Directory is not giving the last value to PHP for it to set in the array.

Is anyone else using AD and PHP/LDAP seeing similar behavior? Can we not put this in feedback mode and request more information?

PHP uses OpenLDAP libraries for ldap functionality in the windows binaries. So try your query with the openldap 'ldapsearch.exe' found in this package:

http://prdownloads.sf.net/acctsync/openldap-binaries-2.1.16-04APR03.zip

It appears that ldapsearch at that URL is not compiled with Kerberos support, which may be required to search Active Directory LDAP servers. I'm still doing research, however...

D:\openldap\bin>ldapsearch -LLL -H ldap://someserver.rhodes.edu -P 3 -D pennington -k
ldapsearch: not compiled with Kerberos support

I tried it with just SASL and that wasn't appreciated either:

D:\openldap\bin>ldapsearch -LLL -H ldap://someserver.rhodes.edu -P 3 -D pennington -I
ldap_sasl_interactive_bind_s: Unknown authentication method (86)
        additional info: SASL(-4): no mechanism available: Unable to find a call
back: 2

Can anyone verify that Kerberos support is required to search Active Directory LDAP servers? Is anyone using the OpenLDAP ldapsearch program to search Active Directory LDAP servers? If so, what kind of command should I use to get ldapsearch to search Active Directory?

I am using "CN=Users,DC=rhodes,DC=edu" for the Base DN, "CN=_search_value_" for the name to search for, and to bind to the Active Directory LDAP server, you have to use this string as the username: "CN=_authorized_user_,CN=Users,DC=rhodes,DC=edu"

There is no kerberos support in PHP ldap either, and that partially works, so why would you need it with the command line binary?

OK, you're right, after a few minutes, I found an ldapsearch command that would work:

ldapsearch -x -b "CN=_some_user_,CN=Users,DC=rhodes,DC=edu" -D "CN=_search_auth_user_,CN=Users,DC=rhodes,DC=edu" -H ldap://someserver.rhodes.edu -W

The "memberof" attribute results look like this:

memberOf: CN=STAFF_DL,OU=Distribution Lists,OU=Groups,DC=rhodes,DC=edu
memberOf: CN=Planning,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu
memberOf: CN=FACSTAFF,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu
memberOf: CN=Council,OU=Distribution Lists,OU=Groups,DC=rhodes,DC=edu
memberOf: CN=PRESIDENT,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu
memberOf: CN=FACTBOOK,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu
memberOf: CN=INFO_SERVICES,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu
memberOf: CN=CABINET,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu
memberOf: CN=Senior2006,OU=Distribution Lists,OU=Groups,DC=rhodes,DC=edu
memberOf: CN=NT Users,CN=Users,DC=rhodes,DC=edu
memberOf: CN=NTSETUP,CN=Users,DC=rhodes,DC=edu
memberOf: CN=Domain Users,CN=Users,DC=rhodes,DC=edu

Again, only 12 results were returned rather than the 13 that exist there in Active Directory.

However, I've started doing a count based on attributes found by ldapsearch and Softerra's LDAPBrowser (which I think also uses openldap) and found that people missing an attibute value in ldapsearch were missing the same value in LDAPBrowser.

Anyway, I think what we are down to is one of two possibilities:

1) OpenLDAP's search tool is not receiving all attribute values for a particular search; or

2) Active Directory is not supplying the missing value when queried for it using LDAP but does reply properly when Microsoft admin tools are used.

I guess we could solve this if someone knows a good, freely-available, non-openldap-based LDAP search utility.

Regardless, this doesn't look like a PHP bug per se, thought it could be a OpenLDAP bug that has found its way into PHP with the rest of the OpenLDAP code...

We only wrap around the OpenLDAP libraries. So it's definately  not PHP bug -> bogus.

You should report this to the openldap folks, they propably already know about it or are very willing to fix it if it's not already fixed. Please let us know what the response is so we can possibly update the used openldap libraries in the win32 binaries build.

Hi, I'm seeing your post 6 months too late, but let me alert you to something that I found after similar grief with AD.

It turns out that ONE of the AD group memberships, (in our case 'Domain Users', in your case perhaps one of the others), is handled "differently" in AD.  It will be the one listed as the "default" group when you look up a user in any AD admin tool, and incredibly it just doesn't get fed back to you by AD when you ask for the memberOf attribute using any standard LDAP technique.
I vaguely remember an MSDN KB article describing an astonishingly complex workaround for victims of this behaviour using ADSI.. sorry I have no link to it now.
Our solution was to accept that the so-called "default" group for each user is just not treated properly by AD in its LDAP interface.  It's a special case.

Info@dbnet:

I appreciate you posting your note about the unique way in which the "Domain Users" group is handled (I didn't know that at all - very interesting), I think my problem reported with this bug is actually a different issue.

Even if I assumed that the number of groups returned by LDAP query is 1 less than the actual total (such as if the Domain Users group wasn't counted), I still can't get a listing of all AD groups. One of the groups, which seems to be selected at random (i.e. it is not always Domain Users) is simply left out. If I change the array loop to purposefully give me more members of the LDAP group array than the person actually has groups, I still don't get all of that person's groups.

In other words, the problem isn't limited to the Domain User's group - LDAP through PHP simply does not let me see every one of the person's groups. For some reason (and it is related to the OpenLDAP libraries PHP uses), one of the groups, randomly selected, is always dropped.

hey pennington! i am having this exact same problem as well, although i have only started playing with php/ldap support for active directory yesterday.  i realize that you have had this open for a very long time and wondered if you have found any other useful information.  i am using win2k server and php 4.3.5rc1. i did, however, want to confirm that i am having this problem as well, in reponse to your frusteration "I find it strange that no one has seen this before, because Microsoft's Active Directory is probably the most widely-used commercial LDAP server in the world."  apparently not many "microsoft shops" are thinking outside of the box or looking to develop opensource solutions, well...at least not based on active directory.  anyway, the problem is plain to see.  here's the breakdown for everyone:

you count the number of memberships that a user is part of in the "Member Of" tab in the admin program for active directory on your domain controller, and it is one more that php returns with its builtin supprt.  one is missing, and it depends per user.  it's simple as that.  here is one interesting thing though, and that is for every test that i have run, the "memberof value" that is not returned by php is ALWAYS the primary group that the user is set to in active directoy.  its the little button you hit at the bottom of the "Member Of" tab.  whatever is set there will not be returned in the memberof values of php's ldap support.  any thoughts anyone has would be greatly appreciated, or please provide a link to the solution if i have thick-headedly missed it in my extensive searches...

thanks, wes

Wes, thanks for confirming this bug for me. Yes, it is frustrating. PHP (especially the sniper@php.net person) basically refuse to belive this is a bug, and they say that even if it is, they use the OpenLDAP libraries so they can do nothing about it. I pursued this with the OpenLDAP folks (after verifying that this bug also happens on a variety of platforms running OpenLDAP, including Windows and Linux), and they just ignored me. I'm not sure who else to notify about it or how to get it fixed.

We sorta worked around the bug here in the application we were building by looking for a particular attribute in a user's Active Directory record via LDAP, such as Department or Position. We test for a particular value there instead of querying by AD group, which is much better way of doing it.

Your note about primary groups being the ones left out of the list is interesting. I'll have to check that out. Thanks.

hey pennington, thanks for the quick response!  anyway, i have been searching around some more information, but due to my relative inexperience in this area (admittedly) some of this stuff is way over my head.  it seems that at least this first article from our buddies at microsoft indicated this is a known issue/feature...

http://support.microsoft.com/default.aspx?scid=kb;en-us;275523

this second article kinda addresses it too, but it is pretty confusing to me. it mentions the possibility of doing something with the primarygroupid instead.

http://support.microsoft.com/default.aspx?scid=kb;en-us;321360

anyway it seems that this problem exists in microsoft's active directory, although i have no idea if it is exclusive to AD or not, but AD is the current "solution" we are using for LDAP here.  the solutions and workarounds seem to be far beyond my skill level and patience, and since i am just trying to learn, and not necessarily NEEDING this solution, i really probably should move on i guess, but i leave this area darn frusterated.  maybe this is a combo AD/PHP bug, or maybe PHP is just handing the AD bug...errrr feature, as best it can.  i know i'm not much help here, but sometimes that affirmation in knowing you are not the only one on earth having the problem helps bring some closure...

good luck!  let me know if you need me to help test anything.

wes

Wes, I think you have really hit on the source of the problem here, and it is actually based with how Microsoft Active Directory reports/stores group information and what most people would expect when they query for that information. The document you linked to covers this issue well:

http://support.microsoft.com/default.aspx?scid=kb;en-us;275523

I did some testing and, sure enough, Active Directory does not report back the user's primary group as a part of the memberof attribute. Rather, the primary group is reported as the group ID number in the PrimaryGroupID attribute.

I think that most people expect to get all of a user's groups in the memberof attribute, even the one set to primary group, but this is not the way Active Directory is configured. (The link above is truly a perfect example of dodging a bug and calling it a feature.)

Now that we know this, we can simply look up the PrimaryGroupID number and try to determine what that group is and then add that to the conditional statement looking for a match to the group we are using to protect access. However, we have yet to find a method to look up an Active Directory group name using the group's ID number via LDAP.

For example, if we query for PrimaryGroupID via LDAP for a user in AD, we get this response:

primarygroupid:  1448

The issue is how do we turn the 1448 number into the actual name of the group, which is returned by the memberof attribute like this:

CN=STAFF,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu

Anyone have any ideas?

See http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=uGurWNlJBHA.1720%40tkmsftngp07&rnum=4

The key phrase in the posted link is: "do an
additional LDAP search for all users who have the attribute primaryGroupID equal to the groups attribute primaryGroupToken". I've done similar to this, but with one query for all groups' distinguishedName and primaryGroupToken and another query for all users' distinguishedName and primaryGroupID. Then matched and sorted in code -- this is much faster than taking the overhead of multiple ldapsearch queries.