Edit report at http://bugs.php.net/bug.php?id=47222&edit=1

 ID:                 47222
 Comment by:         post at rolandgruber dot de
 Reported by:        webe4703 at uni-trier dot de
 Summary:            LDAP error messages are very imprecise
 Status:             Open
 Type:               Feature/Change Request
 Package:            LDAP related
 Operating System:   Linux (Ubuntu)
 PHP Version:        5.2.8
 Block user comment: N
 Private report:     N

 New Comment:

Hi,

it would be great if this could be fixed. It is impossible to give e.g.
precise error messages to users if PHP only returns a generic error
message.

One more example:

User wants to change password but ppolicy blocks the change because of
password reuse.

The LDAP server sends 19: constraint violation (Password is in history
of old passwords)

PHP returns: 19: constraint violation

This makes it impossible to provide a useful error message to a user. :(


Previous Comments:
------------------------------------------------------------------------
[2009-01-27 10:16:29] webe4703 at uni-trier dot de

Description:
------------
Hi,

Let's assume that we are connecting to an MS AD Server.
And the user has set the flag that he must reset his password.
( Therefore the user isn't permitted to login until he has reset his
password. )

What kind of message do we get when the Bind command fails?

Code:

  $ds=ldap_connect($host);
  if (!ldap_bind($ds, $username, $password)) {
        // bind failed: print the error number and message PHP makes available
        printf("LDAP-Fehlernummer: %s<br>\n", ldap_errno($ds));
        printf("LDAP-Fehler: %s<br>\n", ldap_error($ds));
  }

The output is the following:

  LDAP-Fehlernummer: 49
  LDAP-Fehler: Invalid credentials



Ok, PHP told us that the bind failed.

But let's switch to the console and take a look at the output that
ldapsearch will give us:

Command:

  ldapsearch -x -H ldap://der-ad-server.de:389 -D accountn...@der-ad-server.de -W

Output:

  ldap_bind: Invalid credentials (49)
             additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 773, v1771

The first line is the same, but ldapsearch shows another line. This line
is very useful, because we can now read out the error code the AD told
us (773).



And the Active Directory has several interesting codes:

  525 - user not found
  52e - invalid credentials
  530 - not permitted to logon at this time
  531 - not permitted to logon from this computer
  532 - password expired
  533 - account disabled
  701 - account expired
  773 - user must reset password
  775 - account locked

As you see, a more precise error message (similar to ldapsearch) would
give a PHP developer much more information on what went wrong, and not
just a failed message...



Reproduce code:
---------------
  $ds=ldap_connect($host);
  if (!ldap_bind($ds, $username, $password)) {
        printf("LDAP-Fehlernummer: %s<br>\n", ldap_errno($ds));
        printf("LDAP-Fehler: %s<br>\n", ldap_error($ds));
  }

VERSUS

  ldapsearch -x -H ldap://der-ad-server.de:389 -D 

Expected result:
----------------
A more precise error message.

Perhaps something like:

  LDAP-Fehlernummer: 49
  LDAP-Fehler: Invalid credentials, additional info: 80090308: LdapErr:
  DSID-0C0903AA, comment: AcceptSecurityContext error, data 773, v1771

Actual result:
--------------
A very imprecise error message:

  LDAP-Fehlernummer: 49
  LDAP-Fehler: Invalid credentials

------------------------------------------------------------------------
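Added example (editor's code, not from the bug report, its commenters, or PHP itself): both comments above want the server's "additional info" text, which the PHP ldap extension built on OpenLDAP can hand back through the diagnostic-message option after a failed bind. The code below reads it, extracts the AD "data NNN" sub-code from the AcceptSecurityContext line shown in the report, and maps it with the sub-code list the reporter gives; for the ppolicy case in the first comment the same diagnostic string would carry the "Password is in history of old passwords" text. Assumptions: PHP 7 or later; the OpenLDAP option LDAP_OPT_DIAGNOSTIC_MESSAGE (numeric value 0x0032) is what exposes the string; $host, $username and $password are as in the report; the function names adSubCode and bindWithDiagnostics and the sample message are mine.

```php
<?php
// Sub-codes from the "data NNN" field, as listed in the bug report.
const AD_BIND_SUBCODES = [
    '525' => 'user not found',
    '52e' => 'invalid credentials',
    '530' => 'not permitted to logon at this time',
    '531' => 'not permitted to logon from this computer',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked',
];

/**
 * Pull the hex sub-code out of an AD diagnostic message such as
 * "80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 773, v1771".
 * Returns null when the text is not in that shape (non-AD server, empty string).
 */
function adSubCode(string $diagnostic): ?string
{
    if (preg_match('/AcceptSecurityContext error, data ([0-9a-f]+),/i', $diagnostic, $m)) {
        return strtolower($m[1]);
    }
    return null;
}

/**
 * Bind and, on failure, collect errno, error text and the server's diagnostic
 * message. $ds is an ldap_connect() handle; $dn/$password as for ldap_bind().
 */
function bindWithDiagnostics($ds, string $dn, string $password): array
{
    if (@ldap_bind($ds, $dn, $password)) {
        return ['ok' => true];
    }
    // Assumption: LDAP_OPT_DIAGNOSTIC_MESSAGE is the OpenLDAP option 0x0032;
    // older PHP builds lack the named constant, so fall back to the number.
    $opt = defined('LDAP_OPT_DIAGNOSTIC_MESSAGE') ? LDAP_OPT_DIAGNOSTIC_MESSAGE : 0x0032;
    $diagnostic = '';
    ldap_get_option($ds, $opt, $diagnostic);
    $sub = adSubCode((string) $diagnostic);
    return [
        'ok'         => false,
        'errno'      => ldap_errno($ds),
        'error'      => ldap_error($ds),
        'diagnostic' => (string) $diagnostic,
        'subcode'    => $sub,
        'reason'     => $sub === null ? null : (AD_BIND_SUBCODES[$sub] ?? 'unknown sub-code'),
    ];
}

// Self-check on a constructed message copied from the ldapsearch output above.
assert(adSubCode('80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 773, v1771') === '773');
assert(adSubCode('Password is in history of old passwords') === null);

// Usage, with $host, $username, $password as in the report.
$ds = ldap_connect($host);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
$r = bindWithDiagnostics($ds, $username, $password);
if (!$r['ok']) {
    // Full detail goes to the server log for the administrator ...
    error_log(sprintf('LDAP bind failed: %d %s [%s] -> %s',
        $r['errno'], $r['error'], $r['diagnostic'], $r['reason'] ?? 'n/a'));
    // ... while the user only sees hints that are safe to reveal before
    // authentication. Distinguishing "user not found" (525) from "invalid
    // credentials" (52e) to an anonymous caller allows account enumeration,
    // so only the self-service cases are surfaced.
    $userHints = [
        '773' => 'You must change your password before logging in.',
        '532' => 'Your password has expired.',
    ];
    echo $userHints[$r['subcode']] ?? 'Login failed.';
}
```

The diagnostic string is whatever the directory server chose to send, so treat it as untrusted input: log it, parse it with the narrow regex above, and never echo it raw into HTML.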


