Description:
------------
I'm using PHP 7.3.3-1+ubuntu18.04.1+deb.sury.org+1 (cli) (built: Mar  7 2019 20:31:49) ( NTS )

See the sample script below. If I replace the attributes argument in ldap_search() call with ["*"] I get the expected result.

So, it looks like the attributes argument limits the attributes considered by the effective rights control. This is unexpected. I expected to limit only result attributes of the ldap entry, but not for the server control. Is there a way to set attributes=* for the control and keep attributes=['entryLevelRights', 'attributeLevelRights'] for the search result?

This might be a bug or feature request. Or maybe I don't understand ldap and effective rights control internals and this is impossible.

Test script:
---------------
$dn = 'ou=Groups,dc=example,dc=org';
$bind_dn = 'cn=Directory Manager';
$conn = ldap_connect('ldap://192.168.56.101:389');
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($conn, $bind_dn, 'password');

$result = ldap_search($conn, $dn, '(objectclass=*)',
    ['entryLevelRights', 'attributeLevelRights'],
    0, -1, -1, LDAP_DEREF_NEVER, [
        ['oid' => "1.3.6.1.4.1.42.2.27.9.5.2", 'value' => "dn:$bind_dn"]
    ]);

$entry = ldap_get_attributes($conn, ldap_first_entry($conn, $result));

echo $entry['attributeLevelRights'][0];

Expected result:
----------------
Something like:

objectClass:rscwo, aci:rscwo, ou:rscwo, businessCategory:rscwo, description:rscwo, destinationIndicator:rscwo, facsimileTelephoneNumber:rscwo, internationalISDNNumber:rscwo, l:rscwo, physicalDeliveryOfficeName:rscwo, postalAddress:rscwo, postalCode:rscwo, postOfficeBox:rscwo, preferredDeliveryMethod:rscwo, registeredAddress:rscwo, searchGuide:rscwo, seeAlso:rscwo, st:rscwo, street:rscwo, telephoneNumber:rscwo, teletexTerminalIdentifier:rscwo, telexNumber:rscwo, userPassword:rscwo, x121Address:rscwo

Actual result:
--------------
entrylevelrights:none, attributelevelrights:none