ID: 25827 User updated by: pennington at rhodes dot edu Reported By: pennington at rhodes dot edu Status: Bogus Bug Type: LDAP related Operating System: Windows 2000 PHP Version: 4.3.3 New Comment:
Wes, thanks for confirming this bug for me. Yes, it is frustrating. PHP (especially the [EMAIL PROTECTED] person) basically refuse to belive this is a bug, and they say that even if it is, they use the OpenLDAP libraries so they can do nothing about it. I pursued this with the OpenLDAP folks (after verifying that this bug also happens on a variety of platforms running OpenLDAP, including Windows and Linux), and they just ignored me. I'm not sure who else to notify about it or how to get it fixed. We sorta worked around the bug here in the application we were building by looking for a particular attribute in a user's Active Directory record via LDAP, such as Department or Position. We test for a particular value there instead of querying by AD group, which is much better way of doing it. Your note about primary groups being the ones left out of the list is interesting. I'll have to check that out. Thanks. Previous Comments: ------------------------------------------------------------------------ [2004-04-29 15:50:08] whampton at new-albany dot k12 dot oh dot us hey pennington! i am having this exact same problem as well, although i have only started playing with php/ldap support for active directory yesterday. i realize that you have had this open for a very long time and wondered if you have found any other useful information. i am using win2k server and php 4.3.5rc1. i did, however, want to confirm that i am having this problem as well, in reponse to your frusteration "I find it strange that no one has seen this before, because Microsoft's Active Directory is probably the most widely-used commercial LDAP server in the world." apparently not many "microsoft shops" are thinking outside of the box or looking to develop opensource solutions, well...at least not based on active directory. anyway, the problem is plain to see. here's the breakdown for everyone: you count the number of memberships that a user is part of in the "Member Of" tab in the admin program for active directory on your domain controller, and it is one more that php returns with its builtin supprt. one is missing, and it depends per user. it's simple as that. here is one interesting thing though, and that is for every test that i have run, the "memberof value" that is not returned by php is ALWAYS the primary group that the user is set to in active directoy. its the little button you hit at the bottom of the "Member Of" tab. whatever is set there will not be returned in the memberof values of php's ldap support. any thoughts anyone has would be greatly appreciated, or please provide a link to the solution if i have thick-headedly missed it in my extensive searches... thanks, wes ------------------------------------------------------------------------ [2004-04-20 17:50:50] pennington at rhodes dot edu [EMAIL PROTECTED]: I appreciate you posting your note about the unique way in which the "Domain Users" group is handled (I didn't know that at all - very interesting), I think my problem reported with this bug is actually a different issue. Even if I assumed that the number of groups returned by LDAP query is 1 less than the actual total (such as if the Domain Users group wasn't counted), I still can't get a listing of all AD groups. One of the groups, which seems to be selected at random (i.e. it is not always Domain Users) is simply left out. If I change the array loop to purposefully give me more members of the LDAP group array than the person actually has groups, I still don't get all of that person's groups. In other words, the problem isn't limited to the Domain User's group - LDAP through PHP simply does not let me see every one of the person's groups. For some reason (and it is related to the OpenLDAP libraries PHP uses), one of the groups, randomly selected, is always dropped. ------------------------------------------------------------------------ [2004-04-20 07:55:33] info at dbnet dot com dot au Hi, I'm seeing your post 6 months too late, but let me alert you to something that I found after similar grief with AD. It turns out that ONE of the AD group memberships, (in our case 'Domain Users', in your case perhaps one of the others), is handled "differently" in AD. It will be the one listed as the "default" group when you look up a user in any AD admin tool, and incredibly it just doesn't get fed back to you by AD when you ask for the memberOf attribute using any standard LDAP technique. I vaguely remember an MSDN KB article describing an astonishingly complex workaround for victims of this behaviour using ADSI.. sorry I have no link to it now. Our solution was to accept that the so-called "default" group for each user is just not treated properly by AD in its LDAP interface. It's a special case. ------------------------------------------------------------------------ [2003-10-14 19:56:48] [EMAIL PROTECTED] We only wrap around the OpenLDAP libraries. So it's definately not PHP bug -> bogus. You should report this to the openldap folks, they propably already know about it or are very willing to fix it if it's not already fixed. Please let us know what the response is so we can possibly update the used openldap libraries in the win32 binaries build. ------------------------------------------------------------------------ [2003-10-14 14:08:51] pennington at rhodes dot edu OK, you're right, after a few minutes, I found an ldapsearch command that would work: ldapsearch -x -b "CN=_some_user_,CN=Users,DC=rhodes,DC=edu" -D "CN=_search_auth_user_,CN=Users,DC=rhodes,DC=edu" -H ldap://someserver.rhodes.edu -W The "memberof" attribute results look like this: memberOf: CN=STAFF_DL,OU=Distribution Lists,OU=Groups,DC=rhodes,DC=edu memberOf: CN=Planning,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu memberOf: CN=FACSTAFF,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu memberOf: CN=Council,OU=Distribution Lists,OU=Groups,DC=rhodes,DC=edu memberOf: CN=PRESIDENT,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu memberOf: CN=FACTBOOK,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu memberOf: CN=INFO_SERVICES,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu memberOf: CN=CABINET,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu memberOf: CN=Senior2006,OU=Distribution Lists,OU=Groups,DC=rhodes,DC=edu memberOf: CN=NT Users,CN=Users,DC=rhodes,DC=edu memberOf: CN=NTSETUP,CN=Users,DC=rhodes,DC=edu memberOf: CN=Domain Users,CN=Users,DC=rhodes,DC=edu Again, only 12 results were returned rather than the 13 that exist there in Active Directory. However, I've started doing a count based on attributes found by ldapsearch and Softerra's LDAPBrowser (which I think also uses openldap) and found that people missing an attibute value in ldapsearch were missing the same value in LDAPBrowser. Anyway, I think what we are down to is one of two possibilities: 1) OpenLDAP's search tool is not receiving all attribute values for a particular search; or 2) Active Directory is not supplying the missing value when queried for it using LDAP but does reply properly when Microsoft admin tools are used. I guess we could solve this if someone knows a good, freely-available, non-openldap-based LDAP search utility. Regardless, this doesn't look like a PHP bug per se, thought it could be a OpenLDAP bug that has found its way into PHP with the rest of the OpenLDAP code... ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/25827 -- Edit this bug report at http://bugs.php.net/?id=25827&edit=1