PHP :: Bug #66724 :: ldap_get_entries does not escape DN values on Active Directory

Bug #66724

ldap_get_entries does not escape DN values on Active Directory

Submitted:

2014-02-16 19:10 UTC

Modified:

2017-01-22 15:22 UTC

Votes:	4
Avg. Score:	3.5 ± 1.7
Reproduced:	3 of 3 (100.0%)
Same Version:	2 (66.7%)
Same OS:	2 (66.7%)

From:

post at rolandgruber dot de

Assigned:

heiglandreas (profile)

Status:

Assigned

Package:

LDAP related

PHP Version:

5.4.25

OS:

Debian Linux

Private report:

CVE-ID:

None

View Developer Edit

[2014-02-16 19:10 UTC] post at rolandgruber dot de

Description:
------------
A search with ldap_search() and then getting the entries with ldap_get_entries() returns different search results on OpenLDAP and ActiveDirectory.

Example DN of a search result entry: cn=foo\, bar,dc=test

Active Directory: cn=foo\, bar,dc=test
OpenLDAP: cn=foo\5C\2C bar,dc=test

So for OpenLDAP special chars in the DN are escaped and for Active Directory they are not.



Expected result:
----------------
The returned DNs should be the same for all LDAP servers.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2014-02-27 06:16 UTC] chrispmaiden at gmail dot com

I was hoping to test this but fell short, I found the OpenLDAP project host a public LDAP server (http://www.openldap.org/faq/data/cache/1360.html) with the clause, "This service is often unavailable for one reason or another." which I found to be the case.

Is anyone aware of alternative public LDAP servers to test against?

Failing that I'll set up instances locally.

Thanks.

[2017-01-10 07:58 UTC] heiglandreas@php.net

-Status: Open +Status: Feedback -Assigned To: +Assigned To: heiglandreas

[2017-01-10 07:58 UTC] heiglandreas@php.net

This issue targets an unsupported version of PHP. Is this still a reproducible issue? And if so, what version of OpenLDAP and ActiveDirectory are involved in the test?

Thanks for your feedback!

[2017-01-11 19:28 UTC] post at rolandgruber dot de

Verified with PHP 7.0.12 against Windows 2012 and OpenLDAP 2.4.40

[2017-01-22 04:22 UTC] php-bugs at lists dot php dot net

No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.

[2017-01-22 08:53 UTC] post at rolandgruber dot de

I verified with PHP 7.0.12 against Windows 2012 and OpenLDAP 2.4.40

[2017-01-22 09:34 UTC] nikic@php.net

-Status: No Feedback +Status: Open

[2017-01-22 15:21 UTC] heiglandreas@php.net

The DN should contain EITHER '\,' OR '\2C' but NOT '\5C\2C'. IMO that means that the value in the CN-Attribute already contains '\,' and not a simple ','. Can you please check that? 

Additionally I checked that against a third LDAP-Server:

$ldap = ldap_connect('ldap://pksldap.tttc.de');
ldap_bind($ldap);
$result = ldap_search($ldap, 'c=DE', 'sn=Jahneke');
$res = ldap_get_entries($ldap, $result);
var_Dump($res[0]['dn']);
//string(101) "cn=Jahneke\2C Ralf- ChristophSER:799945522,ou=T-TeleSec SigG Test CA 15:PN,o=Deutsche Telekom AG,c=de"
var_Dump($res[0]['cn'][0]);
string(37) "Jahneke, Ralf- ChristophSER:799945522"

Could you run that agains your OpenLDAP and ActiveDirectory (with appropriately adapted search-filter)? Thanks!

[2017-01-22 15:22 UTC] heiglandreas@php.net

The DN should contain EITHER '\,' OR '\2C' but NOT '\5C\2C'. IMO that means that the value in the CN-Attribute already contains '\,' and not a simple ','. Can you please check that? 

Additionally I checked that against a third LDAP-Server:

$ldap = ldap_connect('ldap://pksldap.tttc.de');
ldap_bind($ldap);
$result = ldap_search($ldap, 'c=DE', 'sn=Jahneke');
$res = ldap_get_entries($ldap, $result);
var_Dump($res[0]['dn']);
//string(101) "cn=Jahneke\2C Ralf- ChristophSER:799945522,ou=T-TeleSec SigG Test CA 15:PN,o=Deutsche Telekom AG,c=de"
var_Dump($res[0]['cn'][0]);
string(37) "Jahneke, Ralf- ChristophSER:799945522"

Could you run that agains your OpenLDAP and ActiveDirectory (with appropriately adapted search-filter)? Thanks!

[2017-01-27 17:44 UTC] post at rolandgruber dot de

True, on PHP 7 it is "ou=foo\2C bar,ou=test,o=test,c=de" for OpenLDAP.

[2019-10-31 19:36 UTC] post at rolandgruber dot de

This is still an issue. In addition, using the "cn=foo\, bar,dc=test" that comes back in Active Directory case does not work for ldap_read(). Active Directory expects the comma to be escaped as "\2C".

[2019-11-05 14:04 UTC] ckd159 at gmail dot com

I use ADSI Edit and ldapsearch to access AD and LDS.
cn = sn, givenname
dn = CN=sn\, givenname,OU=..,DC=..

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 14:01:29 2024 UTC