Bug #35611 ldap_sasl_bind() sends bind DN as authc_id
Submitted: 2005-12-09 10:30 UTC Modified: 2007-07-12 22:14 UTC
From: bfg at frost dot ath dot cx Assigned:
Status: Closed Package: LDAP related
PHP Version: 5.1.1 OS: linux
Private report: No CVE-ID: None
 [2005-12-09 10:30 UTC] bfg at frost dot ath dot cx
ldap_sasl_bind() sends bind DN as sasl authz id.

This is wrong ;)

Reproduce code:
        // Host is elided in the report; the DN, realm and mechanism are as posted.
        $host = "ldap://";
        $dn = "uid=bfg,ou=users,ou=unix,ou=production,dc=noviforum,dc=si";
        $pw = "test";
        $realm = "PROD.EXAMPLE.ORG";
        $mech = "PLAIN";
        $authz_id = "bfg";
        $props = null;

        $r = ldap_connect($host);

        if (! $r) {
                echo "Unable to connect: \n";
                exit(1);
        }

        // SASL binds require LDAPv3.
        ldap_set_option($r, LDAP_OPT_PROTOCOL_VERSION, 3);
        echo "Connected, trying to bind...\n";

        // PHP 5.1.1 argument order: link, bind DN, password, mechanism, realm, authz_id, props.
        $b = ldap_sasl_bind($r, $dn, $pw, $mech, $realm, $authz_id, $props);
        echo "LDAP bind: " . (($b) ? "OK" : "FAILED") . "\n";


Expected result:

... I've written a PHP patch which I've sent to Jani.

Actual result:
Dec  8 11:31:34 orion slapd[5404]: conn=113 fd=15 ACCEPT from 
IP= (IP=

LDAP: Dec  8 11:31:12 orion slapd[5404]: conn=112 op=0 BIND 
dn="uid=bfg,ou=users,ou=unix,ou=production,dc=example,dc=si" method=163
PHP:  Dec  8 11:31:34 orion slapd[5404]: conn=113 op=0 BIND 
dn="uid=bfg,ou=users,ou=unix,ou=production,dc=example,dc=si" method=163

LDAP: Dec  8 11:31:12 orion saslauthd[17532]: rel_accept_lock : released 
accept lock
PHP:  Dec  8 11:31:34 orion saslauthd[17533]: rel_accept_lock : released 
accept lock

LDAP: Dec  8 11:31:12 orion saslauthd[17533]: get_accept_lock : acquired 
accept lock
PHP:  Dec  8 11:31:34 orion saslauthd[17531]: get_accept_lock : acquired 
accept lock

Kerberos logs (ldap server authenticates against kerberos)

LDAP-marked lines are produced when connecting to the LDAP server with ldapsearch(1); PHP-marked lines are produced by the PHP interpreter running the script above.

LDAP: Dec  8 11:31:12 orion krb5kdc[5468]: AS_REQ (1 etypes {18}) NEEDED_PREAUTH: bfg@PROD.EXAMPLE.ORG for 
krbtgt/PROD.EXAMPLE.ORG@PROD.EXAMPLE.ORG, Additional pre-authentication 
PHP:  Dec  8 11:31:34 orion krb5kdc[5468]: AS_REQ (1 etypes {18}) CLIENT_NOT_FOUND: 
for krbtgt/PROD.EXAMPLE.ORG@PROD.EXAMPLE.ORG, Client not found in Kerberos 


 [2005-12-11 23:27 UTC]
Exactly how did you call the ldapsearch program to get those results?

 [2005-12-12 09:40 UTC] bfg at frost dot ath dot cx
$ ldapsearch -h -D "uid=bfg,ou=users,ou=unix,ou=production,dc=noviforum,dc=si" -Y PLAIN -I

Entered SASL auth username: "bfg"

The same result with:
USER="bfg" ldapsearch -h -D "uid=bfg,ou=users,ou=unix,ou=production,dc=noviforum,dc=si" -Y PLAIN

 [2005-12-12 23:27 UTC]
The authzid is passed with -X option, thus you're not doing the same as you're doing with the script.

 [2005-12-12 23:33 UTC]
Also, FYI:

  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")

(that's from ldapsearch -h output)

 [2005-12-12 23:55 UTC]
And this is a good read too:

It explains what you are doing wrong.
 [2005-12-13 00:17 UTC] bfg at frost dot ath dot cx
... well, the fact is that I haven't found any way to authenticate against my LDAP directory without that patch...

Well, when I specify the -I option when running ldapsearch, I can specify the authz_id from the interactive prompt.

The fact is that when I specify authz_id as a function argument when calling ldap_sasl_bind(), it is *not* passed to SASL as authz_id; the bind DN is passed as authz_id instead...

I believe that this is wrong.

Well, if I'm doing something wrong somewhere, please let me know. I've read those OpenLDAP documents before I decided to patch the PHP interpreter. But I still cannot understand why it is wrong to expect that SASL will use $authz_id as the SASL authz_id and not the LDAP bind DN if I explicitly specify $authz_id...

Best regards, Brane
 [2007-07-12 22:14 UTC]
We both confused authc_id with authz_id, this is now implemented in CVS.
It will be available in PHP >= 5.2.4.  
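The thread ends on the distinction that caused the confusion: the SASL authentication identity (authcid, the name the password belongs to) versus the authorization identity (authzid, the name the session should act as). The following is an added example, not code from PHP, OpenLDAP or the bug report, that builds and parses a SASL PLAIN credential in the RFC 4616 layout ([authzid] NUL authcid NUL passwd), shows what the call in the report produced when the bind DN was used as authcid (as the bug title describes), and sketches the server-side authorization decision that an authzid triggers. BIND_DN, AUTHCID, PASSWORD, the proxy-grant table and effective_identity are assumptions made for this illustration, not OpenLDAP policy.

```python
# Added example: SASL PLAIN credentials and the authcid/authzid split.
# Not code from PHP or OpenLDAP. Wire format per RFC 4616:
#   [authzid] NUL authcid NUL passwd
# BIND_DN, AUTHCID, PASSWORD, the proxy table and the policy in
# effective_identity are assumptions for this illustration.

NUL = b"\x00"

# Constructed sample values; the DN is the one from the bug report.
BIND_DN = "uid=bfg,ou=users,ou=unix,ou=production,dc=example,dc=si"
AUTHCID = "bfg"        # the identity the password belongs to (e.g. Kerberos principal bfg@REALM)
PASSWORD = "test"


def encode_plain(authcid: str, password: str, authzid: str = "") -> bytes:
    """Build the PLAIN initial response. An empty authzid means
    'act as the identity I am authenticating as'."""
    if not authcid:
        raise ValueError("authcid is required")
    for name, value in (("authzid", authzid), ("authcid", authcid), ("password", password)):
        if "\x00" in value:
            raise ValueError(f"{name} must not contain NUL")
    return NUL.join(s.encode("utf-8") for s in (authzid, authcid, password))


def decode_plain(message: bytes) -> tuple[str, str, str]:
    """Split a PLAIN message into (authzid, authcid, password), rejecting
    anything without exactly two NUL separators or with an empty authcid."""
    parts = message.split(NUL)
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message")
    authzid, authcid, password = (p.decode("utf-8") for p in parts)
    if not authcid:
        raise ValueError("empty authcid")
    return authzid, authcid, password


def effective_identity(authcid: str, authzid: str, proxy_grants: dict[str, set[str]]) -> str:
    """Server-side step after the password has verified authcid: decide whom
    the session acts as. Minimal policy (assumed): no authzid, or an authzid
    naming the authenticated user in OpenLDAP's 'u:<user>' form, is always
    fine; any other authzid is proxy authorization and needs an explicit grant."""
    own = f"u:{authcid}"
    if authzid in ("", own):
        return own
    if authzid in proxy_grants.get(authcid, set()):
        return authzid
    raise PermissionError(f"{authcid} may not act as {authzid}")


def compare_calls() -> dict[str, str]:
    """Contrast the credential produced when the bind DN lands in the
    authcid slot with the intended one that carries the SASL user name."""
    buggy = decode_plain(encode_plain(authcid=BIND_DN, password=PASSWORD))
    fixed = decode_plain(encode_plain(authcid=AUTHCID, password=PASSWORD))
    return {"buggy_authcid": buggy[1], "fixed_authcid": fixed[1]}


if __name__ == "__main__":
    print(compare_calls())
    print(effective_identity(AUTHCID, "", {}))
    print(effective_identity(AUTHCID, "u:root", {AUTHCID: {"u:root"}}))
```

Two practical consequences follow from the layout. A password backend such as saslauthd verifies authcid (plus realm) as a principal, so a DN in that slot names a principal the KDC cannot find and the bind fails before any authorization happens. And under RFC 4513 the name field of a SASL bind request is not an authentication identity at all (servers ignore it), so the only thing that makes a PLAIN bind act as a different entry is an explicit authzid in the "dn:<dn>" or "u:<user>" form mentioned earlier in the thread, which the server must check against its proxy-authorization policy rather than honour blindly.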
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Apr 15 16:01:28 2024 UTC