php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #35611 ldap_sasl_bind() sends bind DN as authc_id
Submitted: 2005-12-09 10:30 UTC Modified: 2007-07-12 22:14 UTC
From: bfg at frost dot ath dot cx Assigned:
Status: Closed Package: LDAP related
PHP Version: 5.1.1 OS: linux
Private report: No CVE-ID:
 [2005-12-09 10:30 UTC] bfg at frost dot ath dot cx
Description:
------------
ldap_sasl_bind() sends bind DN as sasl authz id.

This is wrong ;)



Reproduce code:
---------------
<?php
        $host = "ldap://ldap.example.org";
        $dn = "uid=bfg,ou=users,ou=unix,ou=production,dc=noviforum,dc=si";
        $pw = "test";
        $realm = "PROD.EXAMPLE.ORG";
        $mech = "PLAIN";
        $authz_id = "bfg";
        $props = null;

        $r = ldap_connect($host);

        if (! $r) {
                echo "Unable to connect: \n";
                exit(1);
        }

        ldap_set_option($r, LDAP_OPT_PROTOCOL_VERSION, 3);
        echo "Connected, trying to bind...\n";

        $b = ldap_sasl_bind($r, $dn, $pw, $mech, $realm, $authz_id, $props);
        echo "LDAP bind: " . (($b) ? "OK" : "FAILED") . "\n";

?>


Expected result:
----------------
OK

... i've written php patch which i've sent to jani.

Actual result:
--------------
Dec  8 11:31:34 orion slapd[5404]: conn=113 fd=15 ACCEPT from 
IP=192.168.2.232:55217 (IP=0.0.0.0:389)


LDAP: Dec  8 11:31:12 orion slapd[5404]: conn=112 op=0 BIND 
dn="uid=bfg,ou=users,ou=unix,ou=production,dc=example,dc=si" method=163
PHP:  Dec  8 11:31:34 orion slapd[5404]: conn=113 op=0 BIND 
dn="uid=bfg,ou=users,ou=unix,ou=production,dc=example,dc=si" method=163



LDAP: Dec  8 11:31:12 orion saslauthd[17532]: rel_accept_lock : released 
accept lock
PHP:  Dec  8 11:31:34 orion saslauthd[17533]: rel_accept_lock : released 
accept lock


LDAP: Dec  8 11:31:12 orion saslauthd[17533]: get_accept_lock : acquired 
accept lock
PHP:  Dec  8 11:31:34 orion saslauthd[17531]: get_accept_lock : acquired 
accept lock
FAILED

Kerberos logs (ldap server authenticates against kerberos)

LDAP marked lines are produced when connecting to ldap server with ldapsearch(1), PHP marked lines are produced with php interpreter running script above.

LDAP: Dec  8 11:31:12 orion krb5kdc[5468]: AS_REQ (1 etypes {18}) 
195.250.198.144: NEEDED_PREAUTH: bfg@PROD.EXAMPLE.ORG for 
krbtgt/PROD.EXAMPLE.ORG@PROD.EXAMPLE.ORG, Additional pre-authentication 
required
PHP:  Dec  8 11:31:34 orion krb5kdc[5468]: AS_REQ (1 etypes {18}) 
195.250.198.144: CLIENT_NOT_FOUND: 
uid=bfg,ou=users,ou=unix,ou=production,dc=examle,dc=si@PROD.EXAMPLE.ORG 
for krbtgt/PROD.EXAMPLE.ORG@PROD.EXAMPLE.ORG, Client not found in Kerberos 
database


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-12-11 23:27 UTC] sniper@php.net
Exactly how did you call ldapsearch program to get those results..?

 [2005-12-12 09:40 UTC] bfg at frost dot ath dot cx
$ ldapsearch -h hostname.example.org -D "uid=bfg,ou=users,ou=unix,ou=production,dc=noviforum,dc=si" -Y PLAIN -I

Entered SASL auth username: "bfg"

The same result with:
USER="bfg" ldapsearch -h hostname.example.org -D "uid=bfg,ou=users,ou=unix,ou=production,dc=noviforum,dc=si" -Y PLAIN

:)
 [2005-12-12 23:27 UTC] sniper@php.net
The authzid is passed with -X option, thus you're not doing the same as you're doing with the script.

 [2005-12-12 23:33 UTC] sniper@php.net
Also, FYI:

  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")

(that's from ldapsearch -h output)

 [2005-12-12 23:55 UTC] sniper@php.net
And this is a good read too:
http://www.openldap.org/devel/admin/guide.html#Using%20SASL

It explains what you are doing wrong.
 [2005-12-13 00:17 UTC] bfg at frost dot ath dot cx
... well, the fact is, that i haven't found any way to authenticate against my ldap directory without that patch...

Well, when i specify -I option when running ldapsearch i can specify authz_id from interactive prompt.

The fact is, that when i specify authz_id as an function argument when calling ldap_sasl_bind(), it is *not* passed to SASL as authz_id, but bind dn is passed as authz_id instead...

I believe that this is wrong.

Well, if i'm doing something wrong somewhere, please let me know. I've read those openldap documents before i decided to patch php interpreter. But i still cannot understand why it is wrong to expect that sasl will use $authz_id as sasl authzd_id and not ldap bind dn if i explicitly specify $authz_id...


Best regards, Brane
 [2007-07-12 22:14 UTC] jani@php.net
We both confused authc_id with authz_id, this is now implemented in CVS.
It will be available in PHP >= 5.2.4.  
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Thu Apr 17 01:01:56 2014 UTC