Edit report at http://bugs.php.net/bug.php?id=41953&edit=1
ID: 41953
Comment by: kidtangerine at gmail dot com
Reported by: ahoyt at kpcommunications dot com
Summary: ldap_add handles the comma, even with two backslashes (\\,)
Status: Bogus
Type: Bug
Package: LDAP related
Operating System: Mac OS X, Windows 2003 Server
PHP Version: 5.2.3
Block user comment: N
Private report: N
New Comment:
This is not a bug in Microsoft but in the Adldap.php class.
adldap assumes the displayName and cn will be the same as the first
part of the DN. This is usually true unless you have a comma in the DN.
Active Directory ldap wants it to be escaped in the DN but not in the
displayName or cn attributes.
I repaired the issue in the adLDAP.php file on line 1311 by adding the
escape char \ only on the DN.
// Only the DN gets the escaped comma; $add["cn"][0] itself stays unescaped.
$result = ldap_add($this->_conn, "CN=" . str_replace(",", "\\,", $add["cn"][0]) . "," . $container . "," . $this->_base_dn, $add);
if ($result != true) { return (false); }
When pushing over the attributes I add the comma for the display and cn
name, and add the escape char for the DN name.
'display_name'=>$last . ", " . $first....
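The split the comment describes (escaped value in the DN, raw value in cn/displayName), written out as an added example that is not adLDAP's or the commenter's code. It assumes a hypothetical helper build_user_entry() and, following RFC 4514, escapes the full set of DN-special characters rather than only the comma; PHP 5.6 and later ship ldap_escape() with LDAP_ESCAPE_DN for the same job, which the PHP 5.2.3 on this report does not have.

```php
<?php
// Escape one RDN attribute value for use inside a DN (RFC 4514 rules).
// The attribute value sent in the entry itself must NOT be escaped.
function escape_dn_value($value)
{
    // Backslash first, so the backslashes added below are not doubled.
    $special = array('\\', ',', '+', '"', '<', '>', ';');
    foreach ($special as $ch) {
        $value = str_replace($ch, '\\' . $ch, $value);
    }
    // NUL has no printable form; RFC 4514 writes it as \00.
    $value = str_replace("\0", '\\00', $value);
    // A leading '#' and a leading or trailing space are also special.
    if ($value !== '' && $value[0] === '#') {
        $value = '\\' . $value;
    }
    if ($value !== '' && $value[0] === ' ') {
        $value = '\\' . $value;
    }
    if ($value !== '' && substr($value, -1) === ' ') {
        $value = substr($value, 0, -1) . '\\ ';
    }
    return $value;
}

// Hypothetical helper: builds the DN and attribute array for ldap_add().
// cn and displayName keep the raw "Last, First"; only the DN is escaped.
function build_user_entry($last, $first, $container, $base_dn)
{
    $cn = $last . ', ' . $first;
    $dn = 'CN=' . escape_dn_value($cn) . ',' . $container . ',' . $base_dn;
    $attributes = array(
        'cn'          => $cn,
        'displayName' => $cn,
        'sn'          => $last,
        'givenName'   => $first,
    );
    return array($dn, $attributes);
}

// Constructed sample input matching the report's DN.
list($dn, $attrs) = build_user_entry('Last', 'First', 'CN=Users', 'DC=example,DC=com');
echo $dn, "\n";
// With a bound connection: $ok = ldap_add($conn, $dn, $attrs);
```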
Previous Comments:
------------------------------------------------------------------------
[2007-07-12 02:18:59] ahoyt at kpcommunications dot com
There appears to be a problem with the Windows 2003 AD implementation
that goes back to legacy implementations. It's not PHP's bug, it's a
problem with win2003 AD. Installed a new version of php 6 with the
newest openldap, all compiled from the most recent sources.
Seems the folks at Redmond missed something...
------------------------------------------------------------------------
[2007-07-10 21:50:09] [email protected]
Whatever is passed as DN is passed directly to the underlying LDAP
library's function. In other words: It's not PHP bug.
------------------------------------------------------------------------
[2007-07-10 19:27:30] ahoyt at kpcommunications dot com
Description:
------------
ldap_add fails when creating a new user in Active Directory with the
following circumstances:
1. The DN contains a comma such as: "CN=Last, First,CN=Users,DC=example,DC=com"
2. This bug is reproducible on Mac OS X and Windows 2003 Server (Have
not tried other OS's).
3. Unknown whether the problem is with php_ldap module or with zend
engine.
Sourcecode for AD user creation from http://adldap.sourceforge.net.
Class modified to make entry as straightforward as possible. See
example.php user_create() and change the dn in adLDAP.php to a preset
string.
Reproduce code:
---------------
//ldap connect -> $_conn (returns a valid link resource)
ldap_set_option($_conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($_conn, LDAP_OPT_REFERRALS, 0);
//ldaps bind (ldap binds with ssl)
$dn = "CN=Last\\, First,CN=Users,DC=example,DC=com"; //escape twice for a single backslash in ldap
echo $dn;
echo "<br>";
$attributes["samaccountname"][0] = "flast";
$attributes["anyattribute"][0] = "anything";
ldap_add($_conn, $dn, $attributes);
//Error
Expected result:
----------------
ldap_add returns true, new user created at CN=Last\, First,CN=Users,DC=example,DC=com
Note: This happens with Active Directory on Windows 2003 Server, as well
as many open directory implementations. The comma character is not
defined in RFC 2255, PHP or SSL does not deal with it correctly.
php class located at:
http://adldap.sourceforge.net
Actual result:
--------------
Program returns the following:
----------------------------------------------------------------------
CN=Last\, First,CN=Users,DC=example,DC=com
Warning: ldap_add() [function.ldap-add]: Add: Invalid DN syntax in /PHP/classes/class.adLDAP.php on line 689
----------------------------------------------------------------------
Notes:
The dn syntax is completely valid, no reason why this should not work.
Line 689 is not the actual location of ldap_add in the original adldap
class (http://adldap.sourceforge.net), but it is near that line. In the
class, it is preceded by an @. I removed the @ to see the error messages.
Notes: the phpLDAPadmin project has a similar problem, but when
exporting to LDIF format, the DN comes out like this:
CN=Last\2C First,CN=Users,DC=example,DC=com
under an Open Directory Server.
Other notes:
This bug also seems to appear in the PEAR package for LDAP. I have
tried DN entries with commas ",", backslash commas, "\,", etc. and
none of it works.
------------------------------------------------------------------------