Edit report at http://bugs.php.net/bug.php?id=41953&edit=1
ID: 41953 Comment by: kidtangerine at gmail dot com Reported by: ahoyt at kpcommunications dot com Summary: ldap_add handles the comma, even with two backslashes (\\,) Status: Bogus Type: Bug Package: LDAP related Operating System: Mac OS X, Windows 2003 Server PHP Version: 5.2.3 Block user comment: N Private report: N New Comment: This is not a bug in Microsoft but in Adldap.php class. adldap assumes the displayName, and cn will be the same as the first part of the DN. This is usually true unless you have a comma in the DN. Active Directory ldap wants in to be escaped in the DN but not the displayName or cn attributes. I repaired the issue in the adLDAP.php file on line 1311 by adding the escape char \ only on the DN. $result=ldap_add($this->_conn, "CN=". str_replace(",", "\,", $add["cn"][0]).", ".$container.",".$this->_base_dn, $add); if ($result!=true){ return (false); } When pushing over the attributes I add the comma for the display and cn name, and add the escape char for the DN name. 'display_name'=>$last . ", " . $first.... Previous Comments: ------------------------------------------------------------------------ [2007-07-12 02:18:59] ahoyt at kpcommunications dot com There appears to be a problem with the Windows 2003 AD implementation that goes back to legacy implementations. It's not PHP's bug, it's a problem with win2003 AD. Installed a new version of php 6 with the newest openldap, all compliled from the most recent sources. Seems the folks at Redmond missed something... ------------------------------------------------------------------------ [2007-07-10 21:50:09] sni...@php.net Whatever is passed as DN is passed directly to the underlying LDAP library's function. In other words: It's not PHP bug. ------------------------------------------------------------------------ [2007-07-10 19:27:30] ahoyt at kpcommunications dot com Description: ------------ ldap_add fails when creating a new user in Active Directory with the following circumstances: 1. The DN contains a comma such as: "CN=Last, First,CN=Users,DC=example,DC=com" 2. This bug is reproducible on Mac OS X and Windows 2003 Server (Have not tried other OS's). 3. unknown whether the problem is with php_ldap module or with zend engine. Sourcecode for AD user creation from http://adldap.sourceforge.net. Class modified to make entry as straightforward as possible. See example.php user_create() and change the dn in adLDAP.php to a preset string. Reproduce code: --------------- //ldap connect -> $_conn (returns a valid link resource) ldap_set_option($_conn, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($_conn, LDAP_OPT_REFERRALS, 0); //ldaps bind (ldap binds with ssl) $dn = "CN=Last\\, First,CN=Users,DC=example,DC=com"; //escape twice for a single backslash in ldap echo $dn; echo "<br>"; $attributes["samaccountname"][0] = "flast"; $attributes["anyattribute"][0] = "anything"; ldap_add($_conn,$dn,$attributes); //Error Expected result: ---------------- ldap_add returns true, new user created at CN=Last\, First,CN=Users,DC=example,DC=com Note: This happens with Active Directory on Windows 2003 Server, as well as many open directory implementations. The comma character is not defined in RFC 2255, PHP or SSL does not deal with it correctly. php class located at: http://adldap.sourceforge.net Actual result: -------------- Program returns the following: ---------------------------------------------------------------------- CN=Last\, First,CN=Users,DC=example,DC=com Warning: ldap_add() [function.ldap-add]: Add: Invalid DN syntax in / PHP/classes/class.adLDAP.php on line 689 ---------------------------------------------------------------------- Notes: The dn syntax is completely valid, no reason why this should not work. line 689 is not the actual location of ldap_add in the original adldap class: (http://adldap.sourceforge.net), but it is near that line. In the class, it is preceeded by an @. I removed the @ to see the error messages. Notes: the phpLDAPadmin project has a similar problem but when exporting to LDIF format, the DN comes out like this: CN=Last\2C First,CN=Users,DC=example,DC=com under and Open Directory Server. Other notes: This bug also seems to appear in the PEAR package for LDAP. I have tried DN entries with commas ",", backslash commas, "\,", etc. and none of it works. ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/bug.php?id=41953&edit=1