php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #47222 Ldap error messages are very unprecise
Submitted: 2009-01-27 10:16 UTC Modified: 2015-06-17 13:44 UTC
Votes:65
Avg. Score:4.7 ± 0.6
Reproduced:57 of 59 (96.6%)
Same Version:23 (40.4%)
Same OS:29 (50.9%)
From: webe4703 at uni-trier dot de Assigned: mcmic (profile)
Status: Closed Package: LDAP related
PHP Version: 5.2.8 OS: Linux (Ubuntu)
Private report: No CVE-ID: None
 [2009-01-27 10:16 UTC] webe4703 at uni-trier dot de
Description:
------------
Hi,

Let's assume, that we are connecting to an MS AD Server.
And the user has set the flag, that he must reset his password.
( Therefore the user isn't permitted to login until he has reset his password. )

What kind of message do we when the Bind command fails?
Code:
  $ds=ldap_connect($host);
  if (!ldap_bind($ds, $username, $password)) {
        printf("LDAP-Fehlernummer: %s<br>\n", ldap_errno($ds));
        printf("LDAP-Fehler: %s<br>\n", ldap_error($ds));
  }
The output is the following:
  LDAP-Fehlernummer: 49
  LDAP-Fehler: Invalid credentials

Ok, php told us, that the bind failed.

But let's switch to the console, and take a look at the output, that ldap-search will give us:
Command:
  ldapsearch -x -H ldap://der-ad-server.de:389 -D accountname@der-ad-server.de -W
Output:
  ldap_bind: Invalid credentials (49)
             additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 773, v1771

The first line is the same, but ldapsearch shows another line. This line is very useful, because we can now read out the error code the AD told us. (773)

An the active directory has several interesting codes:
525 - user not found
52e - invalid credentials
530 - not permitted to logon at this time
531 - not permitted to logon from this computer
532 - password expired
533 - account disabled
701 - account expired
773 - user must reset password
775 - account locked

As you see a more precise error message (similar to ldapsearch), would give a php developer much more information on what went wrong and not just a failed message...


Reproduce code:
---------------
  $ds=ldap_connect($host);
  if (!ldap_bind($ds, $username, $password)) {
        printf("LDAP-Fehlernummer: %s<br>\n", ldap_errno($ds));
        printf("LDAP-Fehler: %s<br>\n", ldap_error($ds));
  }


VERSUS

  ldapsearch -x -H ldap://der-ad-server.de:389 -D 

Expected result:
----------------
A more precise error message.
Perhaps something like:
  LDAP-Fehlernummer: 49
  LDAP-Fehler: Invalid credentials, additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 773, v1771

Actual result:
--------------
A very unprecise error message:
  LDAP-Fehlernummer: 49
  LDAP-Fehler: Invalid credentials

Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2011-01-23 21:19 UTC] jani@php.net
-Package: Feature/Change Request +Package: LDAP related
 [2011-05-24 18:45 UTC] post at rolandgruber dot de
Hi,

it would be great if this could be fixed. It is impossible to give e.g. precise error messages to users if PHP only returns a generic error message.

One more example:

User wants to change password but ppolicy blocks the change because of password reuse.

The LDAP server sends 19: constraint violation (Password is in history of old passwords)
PHP returns: 19: constraint violation


This makes it impossible to provide a useful error message to a user. :(
 [2013-04-11 13:08 UTC] carmageddon at gmail dot com
I found a partial implementation of this feature in Python, inspecting the 
Python's source for this might shorten the time to bring this feature to PHP:

http://mail.python.org/pipermail/python-ldap/2012q2/003129.html

Hope that helps, we really need this!

Thanks
 [2015-03-02 14:12 UTC] johnnywiller10 at gmail dot com
Anyone has an workaround to this?
 [2015-03-02 14:12 UTC] johnnywiller10 at gmail dot com
Anyone has an workaround to this?
 [2015-03-02 14:12 UTC] johnnywiller10 at gmail dot com
Anyone has an workaround to this?
 [2015-03-02 14:37 UTC] daniellucenag at gmail dot com
I need to change a password of a user in AD, but the error code is very much generic! this request is perfect for my problem! please solve this!
 [2015-03-02 18:12 UTC] johnnywiller10 at gmail dot com
See my answer in SO to solve the problem

http://stackoverflow.com/questions/28765077/get-number-of-ad-errors-with-ldap-and-php-ldap-function-return-unprecise-error/28816473#28816473
 [2015-03-02 20:25 UTC] post at rolandgruber dot de
Here is a workaround:

$ldapMsg = null;
ldap_get_option($server, LDAP_OPT_ERROR_STRING, $ldapMsg);
 [2015-03-02 20:46 UTC] johnnywiller10 at gmail dot com
rolandgruber, this way don't works, does not show the extended error string.
This way you show, is equals to ldap_error($link_identifier).
 [2015-03-03 12:18 UTC] daniellucenag at gmail dot com
hi johnnywiller10, thanks!! i'm implement your solution, but what is this $ad_mode variable? thanks!
 [2015-03-03 12:32 UTC] johnnywiller10 at gmail dot com
Sorry daniellucenag, where did you see that variable? I don't see any $ad_mode
 [2015-03-03 12:37 UTC] daniellucenag at gmail dot com
Oh.. sorry this solution is not yours...  http://tools.lsc-project.org/attachments/508/ssp.patch haha...
 [2015-03-03 12:40 UTC] johnnywiller10 at gmail dot com
Hehe, ok... :)
 [2015-03-03 13:17 UTC] daniellucenag at gmail dot com
Thank you johnnywiller10, you solution works perfect! when you came to Brazilian > Minas Gerais > Belo Horizonte, i will pay you a coffe with a 'pão de queijo'/bread of cheese! contact me if this day come!
 [2015-03-03 13:20 UTC] johnnywiller10 at gmail dot com
Pão de queijo mineirinho, delicia! Eu moro em Santa Catarina, mas pretendo visitar MG, assim que for lhe aviso, vou cobrar hein! heheeh
 [2015-03-03 13:25 UTC] daniellucenag at gmail dot com
Porra mano, me fazendo arranhar o inglês aqui hahahhaha... Quando resolver subir a serra é só falar! Abraço!
 [2015-03-03 13:44 UTC] johnnywiller10 at gmail dot com
kkkk, eu não sabia uai.. Pode deixar, abraço!
 [2015-05-05 19:43 UTC] andreas at heigl dot org
This issue is addressed by https://github.com/php/php-src/pull/1261.

After that PR is merged you can use the solution provided by Johnny Willer in http://stackoverflow.com/questions/28765077/get-number-of-ad-errors-with-ldap-and-php-ldap-function-return-unprecise-error/28816473#28816473 without having to define the constant as it is already defined.

You will then be able to retrieve extended error messages using 

ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $extended_error);
 [2015-05-05 20:20 UTC] johnnywiller10 at gmail dot com
Thanks Andreas
 [2015-06-17 13:44 UTC] mcmic@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: mcmic
 [2015-06-17 13:44 UTC] mcmic@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC