|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #39291 ldap_sasl_bind() misses sasl_authc_id parameter
Submitted: 2006-10-28 14:44 UTC Modified: 2007-07-12 22:17 UTC
Avg. Score:5.0 ± 0.0
Reproduced:4 of 4 (100.0%)
Same Version:2 (50.0%)
Same OS:0 (0.0%)
From: lee dot essen at nowonline dot co dot uk Assigned: jani
Status: Closed Package: LDAP related
PHP Version: 5.1.6 OS: Solaris 10
Private report: No CVE-ID:
 [2006-10-28 14:44 UTC] lee dot essen at nowonline dot co dot uk
** Caveat: I am not an LDAP, PHP or SASL expert, so I could be a long way off the mark here **

This is similar to bug 35611 (which is marked as Bogus!) and related to 30189, but I believe the problem is with authcid and not authzid. 

ldap_sasl_bind sends the binddn as the authcid, this behaviour differs to the standard ldapsearch etc utilities when using "-U" to send a username.

This basically means that I cannot get it to bind to my ldap server, looking at the slapd debug it seems to send a username like...

username="cn=My Name,ou=People,..."

... when I look at the debug from using an ldapsearch -U it gets a username="shortname" type output.

By hacking the code to add another option (authcid) to the php ldap_sasl_bind function and sending that for the authcid instead of binddn everything works perfectly.

A simple example is that you don't need to provide a BindDN to ldapsearch if you use -U, this is because the username will be mapped by the authz-regex to a real object.

If you don't specify a binddn with PHP you get a "SASL bind in progress" error, and if you just specify a username then it fails with "invalid dn".

(I can provide a very simple patch that fixes the problem if it helps)

Reproduce code:
See description above.

Expected result:
See description above.

Actual result:
See description above.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2006-12-13 16:41 UTC] tregi at inwind dot it
I am not an LDAP, PHP or SASL expert too, but i'm experiencing the same problem in using ldap_sasl_bind function. Using ldapsearch i can bind my LDAP server (Active Directory) only with -U option (authcid). My server has, i suppose, empty authorization and strong authentication. I try to use DIGEST-MD5 and it works with ldapsearch, but does not with php.
So, i would appreciate your help; maybe your patch can solve my problem.
 [2007-03-24 23:25 UTC] diafour at gmail dot com
==BEGIN php-5.1.6_ldap_sasl_bind-authcid.diff==
--- original/php-5.1.6/ext/ldap/ldap.c	2006-01-01 15:50:08.000000000 +0300
+++ work/php-5.1.6/ext/ldap/ldap.c	2007-03-25 00:50:23.000000000 +0300
@@ -499,14 +499,14 @@
 /* {{{ _php_sasl_setdefs
-static php_ldap_bictx *_php_sasl_setdefs(LDAP *ld, char *sasl_mech, char *sasl_realm, char *binddn, char *pass, char *sasl_authz_id)
+static php_ldap_bictx *_php_sasl_setdefs(LDAP *ld, char *sasl_mech, char *sasl_realm, char *sasl_authc_id, char *pass, char *sasl_authz_id)
 	php_ldap_bictx *ctx;
 	ctx = ber_memalloc(sizeof(php_ldap_bictx));	
 	ctx->mech    = (sasl_mech) ? ber_strdup(sasl_mech) : NULL;
 	ctx->realm   = (sasl_realm) ? ber_strdup(sasl_realm) : NULL;
-	ctx->authcid = (binddn) ? ber_strdup(binddn) : NULL;
+	ctx->authcid = (sasl_authc_id) ? ber_strdup(sasl_authc_id) : NULL;
 	ctx->passwd  = (pass) ? ber_strdup(pass) : NULL;
 	ctx->authzid = (sasl_authz_id) ? ber_strdup(sasl_authz_id) : NULL;
@@ -583,18 +583,19 @@
 	char *pass = NULL;
 	char *sasl_mech = NULL;
 	char *sasl_realm = NULL;
+	char *sasl_authc_id = NULL;
 	char *sasl_authz_id = NULL;
 	char *props = NULL;
-	int rc, dn_len, pass_len, mech_len, realm_len, authz_id_len, props_len;
+	int rc, dn_len, pass_len, mech_len, realm_len, authc_id_len, authz_id_len, props_len;
 	php_ldap_bictx *ctx;
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|ssssss", &link, &binddn, &dn_len, &pass, &pass_len, &sasl_mech, &mech_len, &sasl_realm, &realm_len, &sasl_authz_id, &authz_id_len, &props, &props_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|sssssss", &link, &binddn, &dn_len, &pass, &pass_len, &sasl_mech, &mech_len, &sasl_realm, &realm_len, &sasl_authc_id, &authc_id_len, &sasl_authz_id, &authz_id_len, &props, &props_len) == FAILURE) {
 	ZEND_FETCH_RESOURCE(ld, ldap_linkdata *, &link, -1, "ldap link", le_link);
-	ctx = _php_sasl_setdefs(ld->link, sasl_mech, sasl_realm, binddn, pass, sasl_authz_id);
+	ctx = _php_sasl_setdefs(ld->link, sasl_mech, sasl_realm, sasl_authc_id, pass, sasl_authz_id);
 	if (props) {
 		ldap_set_option(ld->link, LDAP_OPT_X_SASL_SECPROPS, props); 
==BEGIN php-5.1.6_ldap_sasl_bind-authcid.diff==

I looked in sources of ldapsearch and did like that guys.

Here is ldap_sasl_bind definition from

bool ldap_sasl_bind ( resource link [, string binddn [, string password [, string sasl_mech [, string sasl_realm [, string sasl_authz_id [, string props]]]]]] )

I've added authc_id argument to ldap_sasl_bind function into position of authz_id argument:

bool ldap_sasl_bind ( resource link [, string binddn [, string password [, string sasl_mech [, string sasl_realm [, string sasl_authc_id [, string sasl_authz_id [, string props]]]]]]] )

phplpadadmin works fine after that!
I use login_dn as "uid=username,ou=People,dc=example,dc=com". Phpldapadmin sets authz_id as "username". ldap_sasl_bind use that authz_id as authc_id.

P.S. there similar bugs 35611 and 32055
 [2007-07-12 22:09 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

The provided patch is now applied in 5.2 CVS. Thanks!
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Apr 28 21:01:34 2017 UTC