Bug #45477 ldap_mod_del() fails to remove attribute
Submitted: 2008-07-10 14:14 UTC Modified: 2013-02-18 00:33 UTC
Votes:2
Avg. Score:4.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: alexis dot robert at gmail dot com Assigned:
Status: No Feedback Package: LDAP related
PHP Version: 5.2.6 OS: *
Private report: No CVE-ID: None
 [2008-07-10 14:14 UTC] alexis dot robert at gmail dot com
Description:
------------
Hi,

I currently work at Hachette-Livre (in Paris, France), and I am rewriting their authentication system. Their previous version didn't use php_ldap to change passwords because it was said that the developer had given up, saying that it's impossible to do it with PHP (they used a handwritten Java program called by PHP to change their passwords).

The fact is that it's really impossible! (Or I'm really bad.) In fact, NDS (Novell Directory Server) masks the userPassword attribute if I query it, but the doc says that users can delete/add it.

So, because this field doesn't appear in the LDAP query, ldap_mod_delete fails, saying "Unknown attribute in the data", which is pretty logical.

If I read the source code, this issue doesn't seem to come from libldap, but from the PHP module (approx. line 1428). I've tried to write a patch but I'm not very keen on everything around LDAP (this is hmm the second time I've crossed LDAP on my way -- btw I'm 18, that explains :D ), and I don't know if it works (and so I have a server problem *with* a PHP problem) or not.

I think that the main part is guessing ldap_mods[i]->mod_type from the attribute name if we delete an attribute, but as I've said, I'm not really an LDAP expert.

If you want any further information, don't mind asking me :)

Reproduce code:
---------------
<?php

// Server, DN and passwords below are placeholders from the report, not real values.
$cnx = ldap_connect("ldap://ldap.example.org");

$dn = "cn=user,ou=paris,o=example";
$pass = "php-developers-eat-kitties-and-bears";

// Bind as the user whose password is to be changed.
ldap_bind($cnx, $dn, $pass);

// The attribute is passed as a plain list rather than as an
// attribute => values pairing; this is the call that produces the
// "Unknown attribute in the data" warning shown in the actual result.
print "REMOVE : ";
if (ldap_mod_del($cnx, $dn, array("userPassword"))) {
    // Second, separate request: only reached if the delete succeeded.
    print "ADD : ";
    ldap_mod_add($cnx, $dn, array("userPassword" => "php-developers-dont-eat-kitties-and-bears"));
}

?>

Expected result:
----------------
My coffee and no more "Unknown attribute in the data" (or other annoying errors which make you want to hit your computer).

Actual result:
--------------
alexis@ubuntu:~$ php bug.php
REMOVE : 
Warning: ldap_mod_del(): Unknown attribute in the data in /home/alexis/bug.php on line 11

 [2008-07-11 15:01 UTC] jani@php.net
Have you tried this:

ldap_mod_del($cnx,$dn,array('userPassword' => array()));

 [2008-07-11 15:15 UTC] alexis dot robert at gmail dot com
It says :

REMOVE :
Warning: ldap_mod_del() [function.ldap-mod-del]: Modify: Server is unwilling to perform in C:\wamp\www\bug.php on line 11
 [2008-07-11 15:16 UTC] alexis dot robert at gmail dot com
Hmmm ... you are right. Sorry, it works like this. I thought I had tested this case.

Now I have an LDAP issue :)

Apologies.
 [2008-07-11 15:16 UTC] jani@php.net
Well, should you then check in the server logs WHY it doesn't want to perform?
 [2008-07-11 15:17 UTC] jani@php.net
Works -> Bogus.
 [2008-07-11 15:59 UTC] alexis dot robert at gmail dot com
I don't have any access to the LDAP server. I'll try to request them on Tuesday (if I had them, it would be the first thing I would check).
 [2008-07-18 11:56 UTC] alexis dot robert at gmail dot com
OK. I've done a *lot* of research (trying to make TLS/SSL work, and some other fun things -- I hate certificates) and I discovered by analysing with tcpdump/wireshark that the current Java program makes the delete+add orders in the same request, while my PHP software makes them in two different requests. So, NDS refuses to let the users have no userPassword attribute for a short period of time: that is the reason for the "Server unwilling to perform".

As I don't think we can queue the requests in a FIFO-like stack in php_ldap's API, is it possible to send an LDIF using php_ldap? That sounds like a great solution.

Thanks a lot

Alexis
 [2008-08-19 11:51 UTC] alexis dot robert at gmail dot com
I've done a patch which fixes the bug. It creates an ldap_mod_deleteadd function which deletes an attribute and adds it back in the same LDAP request.

Some parts of the code are imported from pam_ldap.

This bug also appears with MS Active Directory (when you bind without admin rights).

The syntax is pretty obvious (but not very clean asap; I wanted to know if you like it before making it as pretty as ldap_mod_replace):

ldap_mod_deleteadd(resource link, string dn, string attr, string old, string new[, boolean binary = false])

The boolean binary attribute is here for AD, which uses a Unicode-encoded password (and so needs LDAP_MOD_BVALUES).

Currently waiting for your insults :)

Alexis

(The patch is at : http://alexis.robertlan.eu.org/tmp/001-ldap_php-add-mod_deleteadd.diff - created by cvs diff)
 [2010-04-25 15:58 UTC] alexis dot robert at gmail dot com
Is it solved in the main tree? Else, can somebody review my patch and tell me how it is?

I know it's a bit old (and maybe it needs a resync) but I had a lot of work to do these past two years for my classes.

Thanks in advance :)

Alexis
 [2010-04-25 18:00 UTC] felipe@php.net
-Status: Bogus +Status: Open
 [2010-05-21 12:11 UTC] mike@php.net
-Status: Open +Status: Feedback
 [2010-05-21 12:11 UTC] mike@php.net
What's wrong with http://php.net/ldap_mod_replace ?
 [2013-02-18 00:33 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Open". Thank you.
 [2013-03-06 20:19 UTC] asa_martin at hotmail dot com
The problem with ldap_mod_replace is that it performs a single replace operation. In Active Directory a single replace operation is equivalent to resetting the password. To change a password one must delete and add. By default users have permission to change their own password but not to reset their own password.

From msdn http://msdn.microsoft.com/en-us/library/cc223248.aspx

When a DC receives an LDAP Modify request to modify this attribute, it follows the following procedure:

If the Modify request contains a delete operation containing a value Vdel for unicodePwd followed by an add operation containing a value Vadd for unicodePwd, the server considers the request to be a request to change the password. The server decodes Vadd and Vdel using the password decoding procedure documented later in this section. Vdel is the old password, while Vadd is the new password.

If the Modify request contains a single replace operation containing a value Vrep for unicodePwd, the server considers the request to be an administrative reset of the password, that is, a password modification without knowledge of the old password. The server decodes Vrep using the password decoding procedure documented later in this section and uses it as the new password.
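The delete-then-add-in-one-request behaviour described in this thread (the reporter's tcpdump finding, the proposed ldap_mod_deleteadd, and the MS-ADTS passage above) can be obtained with ldap_modify_batch(), which PHP added later in 5.4.26 / 5.5.10. The following is an added example, not the reporter's patch nor code from the PHP project; the hostname, DN and password strings are placeholders, and the function names change_password_delete_add and encode_ad_password are this example's own.

```php
<?php
// Added example: change a password with ONE LDAP Modify request that carries
// a delete of the old value followed by an add of the new value. Against
// Active Directory this is the user-initiated "change" form of MS-ADTS; a
// single replace would instead be an administrative reset, which an ordinary
// user is not permitted to perform on their own account.

/**
 * Encode a password the way Active Directory expects it in unicodePwd:
 * the value wrapped in double quotes and encoded as UTF-16LE.
 */
function encode_ad_password(string $password): string
{
    return mb_convert_encoding('"' . $password . '"', 'UTF-16LE', 'UTF-8');
}

/**
 * Delete the old password value and add the new one in a single request.
 * $attribute is "unicodePwd" for Active Directory (values get AD-encoded) or
 * "userPassword" for directories such as NDS/eDirectory (values sent as-is).
 * Returns true on success; on failure ldap_error($ldap) holds the reason.
 */
function change_password_delete_add($ldap, string $dn, string $attribute,
                                    string $oldPassword, string $newPassword): bool
{
    $isAd = strcasecmp($attribute, 'unicodePwd') === 0;
    $old  = $isAd ? encode_ad_password($oldPassword) : $oldPassword;
    $new  = $isAd ? encode_ad_password($newPassword) : $newPassword;

    // Order matters: MS-ADTS requires the delete to precede the add. Values are
    // sent as BER octet strings, so the UTF-16LE bytes need no extra flag.
    $mods = [
        ['attrib' => $attribute, 'modtype' => LDAP_MODIFY_BATCH_REMOVE, 'values' => [$old]],
        ['attrib' => $attribute, 'modtype' => LDAP_MODIFY_BATCH_ADD,    'values' => [$new]],
    ];
    return ldap_modify_batch($ldap, $dn, $mods);
}

// Usage. Host, DN and passwords are placeholders. AD only accepts unicodePwd
// modifications over an encrypted connection, hence ldaps://.
$ldap = ldap_connect('ldaps://dc.example.org');
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
$dn  = 'CN=user,OU=paris,DC=example,DC=org';
$old = 'old-password-placeholder';
$new = 'new-password-placeholder';

// Bind as the user themselves: a self-service change, not an admin reset.
if (!ldap_bind($ldap, $dn, $old)) {
    fwrite(STDERR, "bind failed: " . ldap_error($ldap) . "\n");
    exit(1);
}

if (change_password_delete_add($ldap, $dn, 'unicodePwd', $old, $new)) {
    echo "password changed\n";
} else {
    // "Unwilling to perform" or "Constraint violation" here typically means the
    // old value did not match, the new value violates password policy, or the
    // connection is not encrypted.
    fwrite(STDERR, "change failed: " . ldap_error($ldap) . "\n");
}
ldap_unbind($ldap);
```

For an NDS/eDirectory userPassword attribute the same function is called with 'userPassword' and the plain old and new values; because both modifications travel in one Modify operation the entry is never left without a password between the delete and the add, which is the condition the reporter observed NDS rejecting.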
 