Bug #66724 ldap_get_entries does not escape DN values on Active Directory
Submitted: 2014-02-16 19:10 UTC
Modified: 2017-01-22 15:22 UTC
Votes:4
Avg. Score:3.5 ± 1.7
Reproduced:3 of 3 (100.0%)
Same Version:2 (66.7%)
Same OS:2 (66.7%)
From: post at rolandgruber dot de
Assigned: heiglandreas
Status: Assigned
Package: LDAP related
PHP Version: 5.4.25
OS: Debian Linux
Private report: No
CVE-ID: None
 [2014-02-16 19:10 UTC] post at rolandgruber dot de
Description:
------------
A search with ldap_search() and then getting the entries with ldap_get_entries() returns different search results on OpenLDAP and ActiveDirectory.

Example DN of a search result entry: cn=foo\, bar,dc=test

Active Directory: cn=foo\, bar,dc=test
OpenLDAP: cn=foo\5C\2C bar,dc=test

So for OpenLDAP special chars in the DN are escaped and for Active Directory they are not.



Expected result:
----------------
The returned DNs should be the same for all LDAP servers.


 [2014-02-27 06:16 UTC] chrispmaiden at gmail dot com
I was hoping to test this but fell short. I found that the OpenLDAP project hosts a public LDAP server (http://www.openldap.org/faq/data/cache/1360.html) with the clause "This service is often unavailable for one reason or another.", which I found to be the case.

Is anyone aware of alternative public LDAP servers to test against?

Failing that I'll set up instances locally.

Thanks.
 [2017-01-10 07:58 UTC] heiglandreas@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: heiglandreas
 [2017-01-10 07:58 UTC] heiglandreas@php.net
This issue targets an unsupported version of PHP. Is this still a reproducible issue? And if so, what version of OpenLDAP and ActiveDirectory are involved in the test?

Thanks for your feedback!
 [2017-01-11 19:28 UTC] post at rolandgruber dot de
Verified with PHP 7.0.12 against Windows 2012 and OpenLDAP 2.4.40
 [2017-01-22 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2017-01-22 08:53 UTC] post at rolandgruber dot de
I verified with PHP 7.0.12 against Windows 2012 and OpenLDAP 2.4.40
 [2017-01-22 09:34 UTC] nikic@php.net
-Status: No Feedback +Status: Open
 [2017-01-22 15:21 UTC] heiglandreas@php.net
The DN should contain EITHER '\,' OR '\2C' but NOT '\5C\2C'. IMO that means that the value in the CN-Attribute already contains '\,' and not a simple ','. Can you please check that? 

Additionally I checked that against a third LDAP-Server:

$ldap = ldap_connect('ldap://pksldap.tttc.de');
ldap_bind($ldap);
$result = ldap_search($ldap, 'c=DE', 'sn=Jahneke');
$res = ldap_get_entries($ldap, $result);
var_dump($res[0]['dn']);
//string(101) "cn=Jahneke\2C Ralf- ChristophSER:799945522,ou=T-TeleSec SigG Test CA 15:PN,o=Deutsche Telekom AG,c=de"
var_dump($res[0]['cn'][0]);
//string(37) "Jahneke, Ralf- ChristophSER:799945522"

Could you run that against your OpenLDAP and ActiveDirectory (with appropriately adapted search-filter)? Thanks!
 [2017-01-27 17:44 UTC] post at rolandgruber dot de
True, on PHP 7 it is "ou=foo\2C bar,ou=test,o=test,c=de" for OpenLDAP.
 [2019-10-31 19:36 UTC] post at rolandgruber dot de
This is still an issue. In addition, using the "cn=foo\, bar,dc=test" that comes back in Active Directory case does not work for ldap_read(). Active Directory expects the comma to be escaped as "\2C".
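
A client-side normalization for the mismatch described in this report, as an added example that is not part of the bug thread or of PHP's LDAP extension. The hypothetical function normalizeDnEscapes() rewrites character escapes such as "\," to the hex form "\2C" that the comment above says Active Directory expects, and leaves existing hex pairs untouched; the sample DNs are the ones quoted in this report.

```php
<?php
/**
 * Rewrite character escapes in a DN string ("\,") to the hex form ("\2C").
 * Existing hex pairs are kept (upper-cased), so "\5C\2C" stays a literal
 * backslash followed by a literal comma.
 * Hypothetical helper for illustration, not a PHP or LDAP library function.
 */
function normalizeDnEscapes(string $dn): string
{
    $special = '"+,;<>\\#= ';   // characters RFC 4514 allows after a backslash
    $out = '';
    $len = strlen($dn);
    for ($i = 0; $i < $len; $i++) {
        $c = $dn[$i];
        if ($c !== '\\') {
            $out .= $c;
            continue;
        }
        $pair = (string) substr($dn, $i + 1, 2);
        if (strlen($pair) === 2 && ctype_xdigit($pair)) {
            // Already a hex pair: keep it, only normalise the case.
            $out .= '\\' . strtoupper($pair);
            $i += 2;
        } elseif ($i + 1 < $len && strpos($special, $dn[$i + 1]) !== false) {
            // Character escape: replace it with the equivalent hex pair.
            $out .= '\\' . strtoupper(bin2hex($dn[$i + 1]));
            $i += 1;
        } else {
            // Dangling backslash or an escape RFC 4514 does not define.
            throw new InvalidArgumentException("Invalid escape at offset $i");
        }
    }
    return $out;
}

// DN strings quoted in this report.
$samples = [
    'cn=foo\, bar,dc=test',               // form returned by Active Directory
    'cn=foo\5C\2C bar,dc=test',           // OpenLDAP form from the description
    'ou=foo\2C bar,ou=test,o=test,c=de',  // OpenLDAP form reported on PHP 7
];
foreach ($samples as $dn) {
    printf("%-36s => %s\n", $dn, normalizeDnEscapes($dn));
}
```

Applying the function to a DN before passing it to ldap_read() gives one escaping form regardless of which server returned the entry; it does not change what ldap_get_entries() itself returns.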
 [2019-11-05 14:04 UTC] ckd159 at gmail dot com
I use ADSI Edit and ldapsearch to access AD and LDS.
cn = sn, givenname
dn = CN=sn\, givenname,OU=..,DC=..
 