#25827 [Opn->Fbk]: PHP LDAP queries against Active Directory return incomplete arrays

Mon, 13 Oct 2003 08:55:07 -0700 

 ID:               25827
 Updated by:       [EMAIL PROTECTED]
 Reported By:      pennington at rhodes dot edu
-Status:           Open
+Status:           Feedback
 Bug Type:         LDAP related
 Operating System: Windows 2000
 PHP Version:      4.3.3
 New Comment:

Please provide access to this 'active directory' thing.
(If you can't, we can't fix it either)



Previous Comments:
------------------------------------------------------------------------

[2003-10-13 11:50:09] pennington at rhodes dot edu

I added:

var_dump($info[$i][$data][$jj]);

to the output of the test script and got this output for the last two
values of the array for that attribute:

0 1 11 memberof:  CN=Domain Users,CN=Users,DC=rhodes,DC=edu
string(41) "CN=Domain Users,CN=Users,DC=rhodes,DC=edu"
0 1 12 memberof:  
NULL 

Now, I know that there are 13 LDAP values for this attribute
(memberof). I can see this in various LDAP tools pointed to Active
Directory for this user. And, when I do a:

count($info[$i][memberof]);

I get 13, which is correct.

As you can see, the final value has a key value in the array for this
attribute, but no data is returned with that key. Obviously, PHP is not
putting the last value for that attribute in the array but has created
a key value to hold the data.

How is this a problem in the script? Looks like a bug in PHP to me...

------------------------------------------------------------------------

[2003-10-12 22:10:52] [EMAIL PROTECTED]

Some var_dump() here and there will reveal you why your script doesn't
work. Not PHP bug.


------------------------------------------------------------------------

[2003-10-10 15:04:36] pennington at rhodes dot edu

Description:
------------
I am querying an Active Directory server with PHP via LDAP to retrieve
all of a particular user's attributes. All of that user's attributes in
the LDAP directory are placed in a multi-dimensional array that I can
query for a particular attribute I am interested in and return all of
those values from the array by looping through that part of the array,
using the correct key value.

So, in other words, I am using PHP's LDAP to grab all information about
a user in Active Directory and put it into a single, multi-dimensional
array called $info. This array has three levels of keys, such that:

$info[0][description][0]

would equal

Staff

because that is what is set up for the description attribute for a
person in Active Directory. I am then looping through the entire array
looking for values set with certain keys that I am interested in, which
could be holding data in any order.

The problem occurs when I loop through the multi-dimensional array for
attributes that share the second key, such as:

$info[0][memberof]

Because several different memberof attributes can be stored for a
person in Active Directory, the LDAP-built array has values like:

$info[0][memberof][0] = Domain Admin
$info[0][memberof][1] = Finance User
$info[0][memberof][2] = Local Admin

and so on. If I count the number of member attributes that are actually
in the LDAP server, I get a particular value, say 15. When I loop
through these attributes in the array and count them up, I also get
that same number. However, when I try to report back all of these
attributes by printing them out, only 14 appear.

In other words, while the correct number of attributes are put into the
array by PHP using LDAP, one of the keys in the array has no data
associated with it (and should have data associated with it). This
holds true for any LDAP-created array where an LDAP attribute has more
than one value associated with it. All of those values are reported
back to the PHP via LDAP and keys are created in the array for all of
those values, but strangely one (and only one) of the data values will
disappear if a certain attribute has more than one value associated
with it.

Reproduce code:
---------------
Here is the code I'm using to build the troubled array via PHP's LDAP.
Of course, you have to authenticate to our LDAP server to do the test
on a particular user, so I am not able to point to a place on the web
to demonstrate this.

<?php
if ($name_submitted != "" && $passwd_submitted != "") {

        $ldap_host = "ldap://someserver.rhodes.edu";;
        $base_dn = "CN=Users,DC=rhodes, DC=edu";

        if ($search_submitted == "") {
                $search_value = $name_submitted;
        } else {
                $search_value = $search_submitted;
        }

        $filter = "(CN=$search_value)";
        $ldap_user = "CN=$name_submitted, CN=Users, DC=rhodes, DC=edu";
        $ldap_pass = $passwd_submitted;

        $connect = ldap_connect( $ldap_host, $ldap_port)
       or exit("Could not connect to LDAP server");

        // required to search AD, according to note in PHP manual notes
        ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);

        $bind = ldap_bind($connect, $ldap_user, $ldap_pass)
     or exit("Could not bind to $ldap_host");

        echo "Successful bind to $ldap_host with $bind<br><br>\n";

        $read = ldap_search($connect, $base_dn, $filter)
             or exit("Unable to search ldap server");

        $info = ldap_get_entries($connect, $read);
        echo $info["count"]." entries returned for $filter<br><br>\n";

        $ii=0;
        for ($i=0; $ii<$info[$i]["count"]; $ii++){
                $data = $info[$i][$ii];
                if ($data == "memberof") {
                        $total_memberof = (count($info[$i][$data]));
                        echo "Total memberof entries returned: 
$total_memberof<br><br>\n";
                        $total = 0;
                        $total = count($info[$i][$data]);
                        $jj=0;
                        for ($jj=0; $jj<$total; $jj++) {
                                if ($info[$i][$data][$jj] == "CN=STAFF,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu") {
                                        echo "<b>Got Staff Match</b> ";
                                        $user_type = "staff";
                                } elseif (($info[$i][$data][$jj] == 
"CN=FACULTY,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu") && $user_type == "") {
                                        echo "<b>Got Faculty Match</b> ";
                                        $user_type = "faculty";
                                } elseif (($info[$i][$data][$jj] == 
"CN=Students,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu") && $user_type == "") {
                                        echo "<b>Got Students Match</b> ";
                                        $user_type = "student";
                                }
                                echo $i." ".$ii." ".$jj."
".$data.":&nbsp;&nbsp;".$info[$i][$data][$jj]."<br>\n";
                        }
                }

        }

        ldap_unbind($connect);

        echo "<br><br><b>User Type is: ";

        switch ($user_type) {
                case "staff":
                        echo "STAFF";
                        break;
                case "faculty":
                        echo "FACULTY";
                        break;
                case "student":
                        echo "STUDENT";
                        break;
                default:
                        echo "UNKNOWN";
                        break;
        }

        echo "</b><br><br>\n";

        echo "<br><br><a href=\"index.php\">Search again</a><br><br>\n";

} else {

echo "<html><head></head><body>\n";
echo "<form action=\"index.php\" method=\"POST\">\n";
echo "AD User Name: <input type=\"text\"
name=\"name_submitted\"><br>\n";
echo "AD Password: <input type=\"password\"
name=\"passwd_submitted\"><br>\n";
echo "Search User Name: <input type=\"text\"
name=\"search_submitted\"><br>\n";
echo "<input type=\"submit\" value=\"Submit\">\n";
echo "</form>\n";
echo "</body></html>\n";

}
?>

Expected result:
----------------
Total memberof entries returned: 13

0 1 0 memberof:  CN=STAFF_DL,OU=Distribution
Lists,OU=Groups,DC=rhodes,DC=edu
0 1 1 memberof:  CN=Planning,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu
0 1 2 memberof:  CN=FACSTAFF,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu
0 1 3 memberof:  CN=Council,OU=Distribution
Lists,OU=Groups,DC=rhodes,DC=edu
0 1 4 memberof:  CN=PRESIDENT,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu
0 1 5 memberof:  CN=FACTBOOK,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu
0 1 6 memberof:  CN=INFO_SERVICES,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu
0 1 7 memberof:  CN=CABINET,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu
0 1 8 memberof:  CN=Senior2006,OU=Distribution
Lists,OU=Groups,DC=rhodes,DC=edu
0 1 9 memberof:  CN=NT Users,CN=Users,DC=rhodes,DC=edu
0 1 10 memberof:  CN=NTSETUP,CN=Users,DC=rhodes,DC=edu
0 1 11 memberof:  CN=Domain Users,CN=Users,DC=rhodes,DC=edu
0 1 12 memberof:  CN=STAFF,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu

Actual result:
--------------
Total memberof entries returned: 13

0 1 0 memberof:  CN=STAFF_DL,OU=Distribution
Lists,OU=Groups,DC=rhodes,DC=edu
0 1 1 memberof:  CN=Planning,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu
0 1 2 memberof:  CN=FACSTAFF,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu
0 1 3 memberof:  CN=Council,OU=Distribution
Lists,OU=Groups,DC=rhodes,DC=edu
0 1 4 memberof:  CN=PRESIDENT,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu
0 1 5 memberof:  CN=FACTBOOK,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu
0 1 6 memberof:  CN=INFO_SERVICES,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu
0 1 7 memberof:  CN=CABINET,OU=Security
Groups,OU=Groups,DC=rhodes,DC=edu
0 1 8 memberof:  CN=Senior2006,OU=Distribution
Lists,OU=Groups,DC=rhodes,DC=edu
0 1 9 memberof:  CN=NT Users,CN=Users,DC=rhodes,DC=edu
0 1 10 memberof:  CN=NTSETUP,CN=Users,DC=rhodes,DC=edu
0 1 11 memberof:  CN=Domain Users,CN=Users,DC=rhodes,DC=edu
0 1 12 memberof:  


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=25827&edit=1

Reply via email to