Bug #78676 ldap_search() Can't contact LDAP server if user has larger jpegPhoto attribute
Submitted: 2019-10-16 09:35 UTC Modified: -
Votes:5
Avg. Score:4.0 ± 0.9
Reproduced:4 of 4 (100.0%)
Same Version:2 (50.0%)
Same OS:3 (75.0%)
From: boris at brdaric dot com Assigned:
Status: Open Package: LDAP related
PHP Version: 7.3.10 OS: Debian Linux
Private report: No CVE-ID: None

 [2019-10-16 09:35 UTC] boris at brdaric dot com
Description:
------------
Hello,

we are observing unexpected behaviour with the ldap_search() function from the PHP-LDAP extension.

We have an LDAP server where users can upload photos for their "profile" picture.
That photo ends up in the "jpegPhoto" attribute.
If a user has a photo that is larger than ~15000 bytes (try with a larger one, e.g. a 1Mb photo), ldap_search() unexpectedly returns "PHP Warning:  ldap_search(): Search: Can't contact LDAP server"

This unexpected behaviour occurs on
PHP 7.3.9  (Debian 10 Buster - PHP 7.3.9-1~deb10u1 (cli) (built: Sep 18 2019 10:33:23) ( NTS ))
PHP 7.3.10 (Debian 10 Buster - PHP 7.3.10-1+0~20191008.45+debian10~1.gbp365209 (cli) (built: Oct  8 2019 05:49:09) ( NTS ))

but NOT on
PHP 7.0.33 (Debian 9 Stretch - PHP 7.0.33-0+deb9u5 (cli) (built: Sep 18 2019 09:55:34) ( NTS ))
PHP 5.6.40 (Debian 8 Jessie - PHP 5.6.40-0+deb8u6 (cli) (built: Sep 15 2019 11:18:30))

--

The `ldapsearch` command from the ldap-utils Debian package works as expected on all machines, printing all data to the console:
ldapsearch -x -LLL -h ldap.example.org -b"dc=example,dc=org" -s sub "(uid=USERNAME)" // replace USERNAME with actual username

-- 

The test script is a slightly modified basic LDAP example from https://www.php.net/manual/en/ldap.examples-basic.php


Test script:
---------------
usage `php ldap-test.php [USERNAME]` // fill USERNAME with actual username


File name `ldap-test.php`
<?php

echo "LDAP query test\n";
echo "Connecting ...\n";

$ldap_server='ldaps://ldap.example.org'; // fill in actual data
$ldap_server_port='636'; // fill in actual data

$ds=ldap_connect($ldap_server, $ldap_server_port);  // must be a valid LDAP server!
echo "connect result is " . $ds . "\n";

if ($ds) {
    echo "Binding ...\n";
    $r=ldap_bind($ds);     // this is an "anonymous" bind, typically read-only access
    echo "Bind result is " . $r . "\n";

    echo "Searching...".$_SERVER['argv'][1]."\n";
    /* Search surname entry */
    $sr=ldap_search($ds, "dc=example, dc=org", "uid=".$_SERVER['argv'][1]); // fill in actual dc
    
    echo "Result:\n";
    var_dump($sr);

    if($sr){
        echo "Data:\n";
        $entries = ldap_get_entries($ds, $sr);
        var_dump($entries);
    }else {
        echo "No results\n";
    }

    echo "Closing connection\n";
    ldap_close($ds);

} else {
    echo "Unable to connect to LDAP server\n";
}

Expected result:
----------------
$ php ldap-test.php bbrdaric1
LDAP query test
Connecting ...
connect result is Resource id #4
Binding ...
Bind result is 1
Searching...bbrdaric1
Result:
resource(5) of type (ldap result)
Data:
array(2) {
  ["count"]=>
  int(1)
  [0]=>
  array(38) {
      /* omitted for simplicity and privacy */
  }
}
Closing connection

## User WITH jpegPhoto with 14995 bytes of data

$ php ldap-test.php bbrdaric2  
LDAP query test
Connecting ...
connect result is Resource id #4
Binding ...
Bind result is 1
Searching...bbrdaric2
Result:
resource(5) of type (ldap result)
Data:
array(2) {
  ["count"]=>
  int(1)
  [0]=>
  array(50) {
    /* omitted for simplicity and privacy */
    ["jpegphoto"]=>
    array(2) {
      ["count"]=>
      int(1)
      [0]=>
      string(14995) "/* trimmed */"
    }
  }
}
Closing connection

Actual result:
--------------
## User WITH jpegPhoto with ~2MB data (that PHP Warning is unexpected)

$ php ldap-test.php bbrdaric3
LDAP query test
Connecting ...
connect result is Resource id #4
Binding ...
Bind result is 1
Searching...bbrdaric3
PHP Warning:  ldap_search(): Search: Can't contact LDAP server in /home/bbrdaric/ldap-test.php on line 20
Result:
bool(false)
No results
Closing connection
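
A diagnostic script for narrowing down the failure reported above, added here as an example and not taken from the report or from PHP's own code: it repeats the search for one user with different requested attribute lists and prints libldap's error number and diagnostic message for each, showing whether the failure follows the jpegPhoto value. The server URI and base DN are the report's placeholders; `probe()` and the file name `ldap-probe.php` are hypothetical.

```php
<?php
// Added diagnostic example; not part of the original report or of PHP itself.
const LDAP_URI = 'ldaps://ldap.example.org'; // placeholder, as in the report
const BASE_DN  = 'dc=example,dc=org';        // placeholder, as in the report

// probe() is a hypothetical helper: one search on a fresh connection.
function probe(string $uid, array $attrs): array
{
    $ds = ldap_connect(LDAP_URI);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 10);
    $photo = null;
    $sr = false;
    if (@ldap_bind($ds)) { // anonymous bind, as in the report
        // Escape the command-line value before it goes into the filter.
        $filter = '(uid=' . ldap_escape($uid, '', LDAP_ESCAPE_FILTER) . ')';
        $sr = @ldap_search($ds, BASE_DN, $filter, $attrs);
    }
    // Capture client-side state before any further call overwrites it.
    $errno = ldap_errno($ds);
    $error = ldap_error($ds);
    $diag = '';
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    if ($sr !== false && ($entry = ldap_first_entry($ds, $sr)) !== false) {
        $vals = @ldap_get_values_len($ds, $entry, 'jpegPhoto');
        $photo = $vals ? strlen($vals[0]) : 0; // raw byte length of the value
    }
    ldap_unbind($ds);
    return compact('errno', 'error', 'diag', 'photo');
}

if ($argc < 2) {
    fwrite(STDERR, "usage: php ldap-probe.php USERNAME\n");
    exit(1);
}
// Same user, increasingly large responses; '1.1' requests no attributes,
// '*' requests all user attributes (what the report's script asks for).
$cases = [
    'no attributes'     => ['1.1'],
    'without jpegPhoto' => ['uid', 'cn'],
    'jpegPhoto only'    => ['jpegPhoto'],
    'all attributes'    => ['*'],
];
foreach ($cases as $label => $attrs) {
    $r = probe($argv[1], $attrs);
    printf("%-18s errno=%d (%s) diag=%s jpegPhoto=%s\n", $label, $r['errno'],
        $r['error'], $r['diag'] ?: '-', $r['photo'] ?? 'n/a');
}
```

An errno of -1 is libldap's client-side LDAP_SERVER_DOWN code, whose message text is the "Can't contact LDAP server" seen in the warning.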
