Bug #54104 ldap_sasl_bind fails but not the first time
Submitted: 2011-02-26 13:20 UTC Modified: 2015-06-10 10:59 UTC
Votes:3
Avg. Score:4.7 ± 0.5
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:2 (66.7%)
From: mmx at riz dot pl Assigned:
Status: Not a bug Package: LDAP related
PHP Version: 5.2.17 OS: linux
Private report: No CVE-ID: None
 [2011-02-26 13:20 UTC] mmx at riz dot pl
Description:
------------
When using ldap_sasl_bind to bind to Active Directory the connection is successful only the first time. When executing the script a second time shortly after the first execution the bind fails. After around 2 minutes the bind is again possible.
I suspect that it may be related to DIGEST-MD5 fast reauth.

The sample code, when executed via the web server (http://my_apache_server/ldap.php), binds successfully the first time. Hitting F5 in the browser:

Warning:  ldap_sasl_bind() [function.ldap-sasl-bind]: Unable to bind to server: Invalid credentials 

After 2 minutes it works again for the first time.

This problem never happens when I execute the script via the command line:
php -q ./ldap.php
any number of times in a row.

On tcpdump I see that the nonce-count is increasing. The first failure has nc=00000002.

After waiting 2 minutes I see that nc starts back from 1.

When starting php -q ./ldap.php the nc is always nc=00000001.

My conclusion is that there is some kind of cache/fast reauth/session which makes PHP generate the error when working as a part of httpd.

After investigating netstat I noticed that the second bind fails until I see on netstat the connection in the TIME_WAIT state:
netstat -anpe|grep 389
tcp        0      0 client:42457        ad_server:389          TIME_WAIT   0          0           -
When the connection finally disappears the first SASL bind is successful.
Of course when I hit F5 many times I have many connections in the TIME_WAIT state. After all of them disappear the bind is successful only the first time.


Test script:
---------------
<?php
$conn = @ldap_connect("ad_server");
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
// DIGEST-MD5 bind: arguments are dn (unused), password, mech, realm, authc_id, authz_id
ldap_sasl_bind($conn, NULL, "password", 'DIGEST-MD5', 'my_realm', 'ldap_username', NULL);




Expected result:
----------------
successful sasl bind without the need to wait 2 minutes.

Actual result:
--------------
when the code is executed the second time 

Warning:  ldap_sasl_bind() [function.ldap-sasl-bind]: Unable to bind to server: Invalid credentials 



History

 [2011-03-02 21:18 UTC] thihfernandes at gmail dot com
The same thing is happening to me!

My PHP version is 5.3.3-7.
 [2012-04-20 16:06 UTC] bmearns at ieee dot org
I'm having the same problem on Windows using PHP 5.3.6, except I haven't noticed that it ever remedies itself after a particular timeout. Instead I have to restart my web server (Apache) to be able to bind again.

I captured the traffic with Wireshark, both for a successful bind and an unsuccessful bind. I'm only slightly familiar with LDAP and SASL, but as far as I can tell both bind requests are valid. The only thing I noticed is that after a server restart, PHP always does an "initial authentication" and it's always successful, whereas subsequent attempts to run the script without a restart attempt a "subsequent authentication" which always fails (quoted terms as defined in RFC2831, sections 2.1 and 2.2, respectively).

I wonder if the problem is simply that the LDAP server is not accepting subsequent authentication, and wants PHP to do a full-fledged initial authentication procedure every time. If this is a possibility, it seems like the implementation in PHP could try subsequent auth, and then fall back on "initial auth" if that fails. Or, at the very least, there should be a function or an optional function argument for ldap_sasl_bind to force it to use the "initial auth" procedure.
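The DIGEST-MD5 arithmetic behind the nonce-count observations in the report and in the previous comment (RFC 2831 sections 2.1 and 2.2), as an added example in Python; this is not code from the bug report, from the commenters, or from PHP's ldap extension. It computes the response-value of RFC 2831 section 2.1.2.1 and models a server that keeps no fast-reauthentication state: it accepts nc=00000001 against a nonce it has just issued and nothing else, which is the behaviour the report describes (first bind works, a reused nonce with nc=00000002 is answered like a wrong password). The `DigestMd5Server` class, the `client_bind`/`simulate_two_runs`/`fresh_process_runs` helpers and the digest-uri `ldap/ad_server` are assumptions; `my_realm`, `ldap_username` and `password` are the placeholders from the test script. The self-check in `main` uses the worked example from RFC 2831 section 4. MD5 appears only because the mechanism mandates it; DIGEST-MD5 was moved to Historic by RFC 6331.

```python
# Added example: RFC 2831 DIGEST-MD5 response computation plus a toy server
# without fast-reauthentication state. Not code from the bug report or PHP.
import hashlib
import hmac
import secrets


def _h(data: bytes) -> bytes:
    """H(s): the 16-byte MD5 digest, as RFC 2831 defines it."""
    return hashlib.md5(data).digest()


def digest_md5_response(username: str, realm: str, password: str, nonce: str,
                        cnonce: str, nc: str, digest_uri: str, qop: str = "auth",
                        authzid: str = "", rspauth: bool = False) -> str:
    """response-value of RFC 2831 section 2.1.2.1 (rspauth of 2.1.3 when rspauth=True).

    nc is the 8-digit hex nonce-count; it is part of the hashed data, so the
    same nonce/cnonce with nc=00000002 yields a different response-value.
    """
    # A1 = { H(username:realm:passwd), ":", nonce, ":", cnonce [, ":", authzid] }
    a1 = _h(f"{username}:{realm}:{password}".encode("utf-8"))
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    # A2 = { "AUTHENTICATE:", digest-uri } for the client, { ":", digest-uri } for rspauth
    a2 = (b":" if rspauth else b"AUTHENTICATE:") + digest_uri.encode("utf-8")
    if qop in ("auth-int", "auth-conf"):
        a2 += b":" + b"0" * 32
    # response = HEX(KD(HEX(H(A1)), nonce:nc:cnonce:qop:HEX(H(A2)))), KD(k, s) = H(k:s)
    kd_input = f"{_h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{_h(a2).hex()}"
    return _h(kd_input.encode("utf-8")).hex()


class DigestMd5Server:
    """Toy verifier (assumption): one-shot nonces, no reauth cache, so every
    bind must be an "initial authentication" (RFC 2831 2.1) with nc=00000001."""

    def __init__(self, realm: str, users: dict) -> None:
        self.realm = realm
        self.users = users          # username -> password (toy store)
        self.outstanding = set()    # nonces issued and not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_urlsafe(12)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, username: str, nonce: str, nc: str, cnonce: str,
               digest_uri: str, response: str) -> bool:
        # A "subsequent authentication" (RFC 2831 2.2) reuses an old nonce with
        # nc > 1. With no reauth state there is nothing to match it against, and
        # the client sees the same answer as for a wrong password.
        if nonce not in self.outstanding or nc != "00000001":
            return False
        password = self.users.get(username)
        if password is None:
            return False
        expected = digest_md5_response(username, self.realm, password,
                                       nonce, cnonce, nc, digest_uri)
        self.outstanding.discard(nonce)   # nonce is consumed either way
        return hmac.compare_digest(expected, response)


def client_bind(server: DigestMd5Server, username: str, password: str,
                nonce: str, cnonce: str, nc: str, digest_uri: str) -> bool:
    """One ldap_sasl_bind attempt: compute the response for (nonce, cnonce, nc) and submit it."""
    response = digest_md5_response(username, server.realm, password,
                                   nonce, cnonce, nc, digest_uri)
    return server.verify(username, nonce, nc, cnonce, digest_uri, response)


def simulate_two_runs(server: DigestMd5Server, username: str, password: str,
                      digest_uri: str) -> tuple:
    """Model the report: run 1 does an initial authentication; run 2, in the same
    long-lived httpd process, reuses the cached nonce/cnonce with nc=00000002.
    Returns (first_bind_ok, second_bind_ok)."""
    nonce = server.challenge()
    cnonce = secrets.token_urlsafe(12)
    first = client_bind(server, username, password, nonce, cnonce, "00000001", digest_uri)
    second = client_bind(server, username, password, nonce, cnonce, "00000002", digest_uri)
    return first, second


def fresh_process_runs(server: DigestMd5Server, username: str, password: str,
                       digest_uri: str, runs: int = 3) -> list:
    """Model `php -q ./ldap.php` repeated: every run is a new process, so it
    always takes a fresh challenge and sends nc=00000001."""
    results = []
    for _ in range(runs):
        nonce = server.challenge()
        cnonce = secrets.token_urlsafe(12)
        results.append(client_bind(server, username, password, nonce, cnonce,
                                   "00000001", digest_uri))
    return results


if __name__ == "__main__":
    # Worked example from RFC 2831 section 4 (user chris, realm elwood.innosoft.com, password secret)
    rfc = digest_md5_response("chris", "elwood.innosoft.com", "secret", "OA6MG9tEQGm2hh",
                              "OA6MHXh6VqTrRk", "00000001", "imap/elwood.innosoft.com")
    print("RFC 2831 section 4 vector matches:", rfc == "d388dad90d4bbd760a152321f2143af7")
    srv = DigestMd5Server("my_realm", {"ldap_username": "password"})
    print("httpd, F5 twice:", simulate_two_runs(srv, "ldap_username", "password", "ldap/ad_server"))
    print("php -q, 3 runs :", fresh_process_runs(srv, "ldap_username", "password", "ldap/ad_server"))
```

Run as a script it shows the two patterns from the report side by side: the in-process second request fails while repeated fresh-process runs all succeed. The state the toy server deliberately lacks (the client's last nonce and nonce-count) is exactly what RFC 2831 section 2.2 requires a server to hold before a client may send nc greater than 1; a client that caches SASL state across requests against a server without it has to start from a fresh challenge every time.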
 [2015-06-10 10:59 UTC] mcmic@php.net
-Status: Open +Status: Not a bug
 [2015-06-10 10:59 UTC] mcmic@php.net
Thank you for taking the time to report a problem with PHP.
Unfortunately you are not using a current version of PHP -- 
the problem might already be fixed. Please download a new
PHP version from http://www.php.net/downloads.php

If you are able to reproduce the bug with one of the latest
versions of PHP, please change the PHP version on this bug report
to the version you tested and change the status back to "Open".
Again, thank you for your continued support of PHP.


 