Doc Bug #51638 LDAP and Referrals
Submitted: 2010-04-22 19:07 UTC Modified: 2017-01-09 16:48 UTC
Votes:4
Avg. Score:4.8 ± 0.4
Reproduced:4 of 4 (100.0%)
Same Version:2 (50.0%)
Same OS:4 (100.0%)
From: marco at forgetaboutit dot net Assigned:
Status: Open Package: LDAP related
PHP Version: 7.1 OS: ALL
Private report: No CVE-ID: None

 [2010-04-22 19:07 UTC] marco at forgetaboutit dot net
Description:
------------
I am trying to get a php application to follow ldap referrals, specifically when the local server is a slave, and is used as a read-only server for performance reasons, but has to write to a master server in order to add, modify or delete records.

As far as I can tell all I need are three things.

A) Set LDAP_OPT_REFERRALS to 1 using ldap_set_option()
B) Set a callback function using ldap_set_rebind_proc()
C) Create a very simple rebind function.

The problem is that there is no documentation on the subject. For example, when I check LDAP_OPT_REFERRALS using ldap_get_option(), I get an answer of either 0 (when I set it to 0 or false) or -1 (minus or dash 1) for any other setting, including 1 and TRUE, and it appears that the callback function isn't called.


If someone can explain how it is supposed to work enough for me to get it working, I am happy to provide documentation / examples 

Test script:
---------------
    ldap_set_option($LDAP_CON, LDAP_OPT_REFERRALS, 1);
    // Pass the callback name as a string; a bare identifier is an undefined constant.
    ldap_set_rebind_proc($LDAP_CON, 'rebind_on_referral');

...

function rebind_on_referral ($link_id, $ldap_url) {
    $binddn = $_SESSION['ldapab']['binddn'];
    $bindpw = $_SESSION['ldapab']['password'];

    if (!ldap_bind($link_id,$binddn,$bindpw)) return 1; // Error
    else return 0; // Success
}


Expected result:
----------------
callback function should be called, application should rebind to new ldap server and user should notice nothing

Actual result:
--------------
PHP appears to ignore the referral and ldap_error returns a "referral" message.
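
Steps A to C from the report, written out as an added example (not code from the reporter or the PHP project). Because the rebind callback sends the session's bind DN and password to the server named in the referral, it first checks that server against an allowlist; the host names and the `TRUSTED_REFERRAL_HOSTS` constant are assumptions, and the example does not change the behaviour reported in this bug.

```php
<?php
// Added example. Host names below are placeholders, not values from the report.
const TRUSTED_REFERRAL_HOSTS = ['ldap-master.example.org'];

/** Return true only if the referral URL names a server we may send credentials to. */
function referral_is_trusted(string $ldap_url): bool
{
    $parts = parse_url($ldap_url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false; // malformed referral URL: refuse
    }
    if (!in_array(strtolower($parts['scheme']), ['ldap', 'ldaps'], true)) {
        return false; // only LDAP schemes are acceptable
    }
    return in_array(strtolower($parts['host']), TRUSTED_REFERRAL_HOSTS, true);
}

/** Step C: rebind callback. Returns 0 on success, non-zero on error. */
function rebind_on_referral($link_id, $ldap_url)
{
    if (!referral_is_trusted($ldap_url)) {
        error_log('LDAP referral to untrusted server refused: ' . $ldap_url);
        return 1;
    }
    $binddn = $_SESSION['ldapab']['binddn'] ?? null;
    $bindpw = $_SESSION['ldapab']['password'] ?? null;
    // A DN with an empty password would be an unauthenticated bind: refuse it.
    if ($binddn === null || $bindpw === null || $bindpw === '') {
        return 1;
    }
    return @ldap_bind($link_id, $binddn, $bindpw) ? 0 : 1;
}

$LDAP_CON = ldap_connect('ldap://localhost');               // local read-only server
ldap_set_option($LDAP_CON, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($LDAP_CON, LDAP_OPT_REFERRALS, 1);          // step A
ldap_set_rebind_proc($LDAP_CON, 'rebind_on_referral');      // step B
```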

History

 [2010-05-21 17:54 UTC] marco at forgetaboutit dot net
Doing some monitoring with TCPDUMP, I can confirm that the local LDAP server is returning the correct referral information, and then the web server is performing a DNS lookup on the ldap referral URL. Then it would seem that PHP just tries the localhost again without running the procedure specified in ldap_set_rebind_proc.
 [2010-07-20 15:40 UTC] art dot vanscheppingen at spilgames dot com
We have the exact same problem.
Referrals do work correctly using the cli ldapmodify and with the exact same setup it doesn't work under PHP.

I tried setting the LDAP_OPT_REFERRALS to either 1, LDAP_OPT_ON and true, but none of them resulted in anything other than the default -1. Setting the value to 0 does have an effect though, but doesn't do anything either.

I set the LDAP server to a read only server, but that resulted in an LDAP error.
 [2010-10-22 15:46 UTC] kalle@php.net
-Package: LDAP related +Package: Documentation problem
 [2010-10-23 15:26 UTC] kalle@php.net
-Summary: LDAP Referrals +Summary: LDAP and Referrals -Type: Documentation Problem +Type: Bug -Package: Documentation problem +Package: LDAP related
 [2010-10-23 15:26 UTC] kalle@php.net
After reviewing this bug some more, it looks more to me like it's an actual issue in the ldap extension in PHP, so moving it to that category where hopefully one of the maintainers can pick it up and decide if it's indeed an issue in the ldap extension or lacking documentation.
 [2011-02-26 20:19 UTC] marco at forgetaboutit dot net
I have now spent quite a lot of time working on this issue, and looking at tcpdumps it is very clear that there are major issues in the way php handles add, modify and delete referrals. I believe this is due to the fact that the tests used to validate the code are also wrong, so the code is believed to be good, when it isn't. I will be submitting an alternative way of doing referrals by switching off the php method and doing it with three new functions which I will post on the ldap_set_rebind_proc documentation page once I know it is at least working. I do not have enough skills to work on php source code but would be more than happy to assist a programmer with little or no ldap knowledge if that would help.
 [2013-09-30 11:13 UTC] mike@php.net
-Status: Open +Status: Feedback
 [2013-09-30 11:13 UTC] mike@php.net
What LDAP library do you use? Does it support referrals?
 [2013-09-30 16:18 UTC] marco at forgetaboutit dot net
-Status: Feedback +Status: Open
 [2013-09-30 16:18 UTC] marco at forgetaboutit dot net
Not sure what you mean by "LDAP library". Do you mean the PHP library, which would be the standard one, or the LDAP backend, which would be OpenLDAP? We (the collective "we", not the Royal "we") have got it to work, and it is not at all obvious, and what documentation there is is very misleading. We have documented most/all of it in the comments in the manual on ldap_set_rebind_proc (http://php.net/manual/en/function.ldap-set-rebind-proc.php). That should be a good place for someone to start some proper documentation. Also, I haven't looked at the PHP testing code recently, but I am pretty sure the referral test is bogus, and would always "pass" the test regardless of whether it actually worked or not. I think this may also be true of the underlying code used to code the PHP library.
 [2013-09-30 18:00 UTC] mike@php.net
-Type: Bug +Type: Documentation Problem
 [2013-09-30 18:00 UTC] mike@php.net
Yes, thank you anyway for your patience and contribution!
 [2017-01-09 16:48 UTC] heiglandreas@php.net
-PHP Version: Irrelevant +PHP Version: 7.1
 
Last updated: Fri Apr 26 02:01:25 2019 UTC