ID: 25827
Comment by: NoEmail at noDom dot com
Reported By: pennington at rhodes dot edu
Status: Bogus
Bug Type: LDAP related
Operating System: Windows 2000
PHP Version: 4.3.3

New Comment:
See http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=uGurWNlJBHA.1720%40tkmsftngp07&rnum=4

The key phrase in the posted link is: "do an additional LDAP search for all users who have the attribute primaryGroupID equal to the groups attribute primaryGroupToken".

I've done similar to this, but with one query for all groups' distinguishedName and primaryGroupToken and another query for all users' distinguishedName and primaryGroupID. Then matched and sorted in code -- this is much faster than taking the overhead of multiple ldapsearch queries.

Previous Comments:
------------------------------------------------------------------------

[2004-04-30 16:20:11] pennington at rhodes dot edu

Wes, I think you have really hit on the source of the problem here, and it is actually based with how Microsoft Active Directory reports/stores group information and what most people would expect when they query for that information. The document you linked to covers this issue well: http://support.microsoft.com/default.aspx?scid=kb;en-us;275523

I did some testing and, sure enough, Active Directory does not report back the user's primary group as a part of the memberof attribute. Rather, the primary group is reported as the group ID number in the PrimaryGroupID attribute. I think that most people expect to get all of a user's groups in the memberof attribute, even the one set to primary group, but this is not the way Active Directory is configured. (The link above is truly a perfect example of dodging a bug and calling it a feature.)

Now that we know this, we can simply look up the PrimaryGroupID number and try to determine what that group is and then add that to the conditional statement looking for a match to the group we are using to protect access. However, we have yet to find a method to look up an Active Directory group name using the group's ID number via LDAP.
For example, if we query for PrimaryGroupID via LDAP for a user in AD, we get this response:

primarygroupid: 1448

The issue is how do we turn the 1448 number into the actual name of the group, which is returned by the memberof attribute like this:

CN=STAFF,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu

Anyone have any ideas?

------------------------------------------------------------------------

[2004-04-29 16:53:15] whampton at new-albany dot k12 dot oh dot us

hey pennington, thanks for the quick response!

anyway, i have been searching around some more information, but due to my relative inexperience in this area (admittedly) some of this stuff is way over my head. it seems that at least this first article from our buddies at microsoft indicated this is a known issue/feature... http://support.microsoft.com/default.aspx?scid=kb;en-us;275523

this second article kinda addresses it too, but it is pretty confusing to me. it mentions the possibility of doing something with the primarygroupid instead. http://support.microsoft.com/default.aspx?scid=kb;en-us;321360

anyway it seems that this problem exists in microsoft's active directory, although i have no idea if it is exclusive to AD or not, but AD is the current "solution" we are using for LDAP here. the solutions and workarounds seem to be far beyond my skill level and patience, and since i am just trying to learn, and not necessarily NEEDING this solution, i really probably should move on i guess, but i leave this area darn frustrated. maybe this is a combo AD/PHP bug, or maybe PHP is just handling the AD bug...errrr feature, as best it can.

i know i'm not much help here, but sometimes that affirmation in knowing you are not the only one on earth having the problem helps bring some closure... good luck! let me know if you need me to help test anything.
wes

------------------------------------------------------------------------

[2004-04-29 16:26:41] pennington at rhodes dot edu

Wes, thanks for confirming this bug for me. Yes, it is frustrating. PHP (especially the [EMAIL PROTECTED] person) basically refuses to believe this is a bug, and they say that even if it is, they use the OpenLDAP libraries so they can do nothing about it. I pursued this with the OpenLDAP folks (after verifying that this bug also happens on a variety of platforms running OpenLDAP, including Windows and Linux), and they just ignored me. I'm not sure who else to notify about it or how to get it fixed.

We sorta worked around the bug here in the application we were building by looking for a particular attribute in a user's Active Directory record via LDAP, such as Department or Position. We test for a particular value there instead of querying by AD group, which is a much better way of doing it.

Your note about primary groups being the ones left out of the list is interesting. I'll have to check that out. Thanks.

------------------------------------------------------------------------

[2004-04-29 15:50:08] whampton at new-albany dot k12 dot oh dot us

hey pennington! i am having this exact same problem as well, although i have only started playing with php/ldap support for active directory yesterday. i realize that you have had this open for a very long time and wondered if you have found any other useful information. i am using win2k server and php 4.3.5rc1.

i did, however, want to confirm that i am having this problem as well, in response to your frustration "I find it strange that no one has seen this before, because Microsoft's Active Directory is probably the most widely-used commercial LDAP server in the world." apparently not many "microsoft shops" are thinking outside of the box or looking to develop opensource solutions, well...at least not based on active directory. anyway, the problem is plain to see.
here's the breakdown for everyone: you count the number of memberships that a user is part of in the "Member Of" tab in the admin program for active directory on your domain controller, and it is one more than php returns with its builtin support. one is missing, and it depends per user. it's as simple as that.

here is one interesting thing though, and that is for every test that i have run, the "memberof value" that is not returned by php is ALWAYS the primary group that the user is set to in active directory. it's the little button you hit at the bottom of the "Member Of" tab. whatever is set there will not be returned in the memberof values of php's ldap support.

any thoughts anyone has would be greatly appreciated, or please provide a link to the solution if i have thick-headedly missed it in my extensive searches...

thanks,
wes

------------------------------------------------------------------------

[2004-04-20 17:50:50] pennington at rhodes dot edu

[EMAIL PROTECTED]: I appreciate you posting your note about the unique way in which the "Domain Users" group is handled (I didn't know that at all - very interesting), but I think my problem reported with this bug is actually a different issue.

Even if I assumed that the number of groups returned by LDAP query is 1 less than the actual total (such as if the Domain Users group wasn't counted), I still can't get a listing of all AD groups. One of the groups, which seems to be selected at random (i.e. it is not always Domain Users) is simply left out. If I change the array loop to purposefully give me more members of the LDAP group array than the person actually has groups, I still don't get all of that person's groups.

In other words, the problem isn't limited to the Domain Users group - LDAP through PHP simply does not let me see every one of the person's groups. For some reason (and it is related to the OpenLDAP libraries PHP uses), one of the groups, randomly selected, is always dropped.
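A worked version of the matching approach from the newest comment at the top (one query for groups' primaryGroupToken, one for users' primaryGroupID, joined in code), which also answers the "how do we turn 1448 into a group name" question above. This is an added example, not code from the bug report or from PHP; the user and group rows are constructed sample data standing in for ldap_search() result sets, with the STAFF DN and RID 1448 taken from the thread and 513 being the well-known Domain Users RID.

```php
<?php
// Added example, not code from the bug report: resolve an AD user's primary
// group by matching the user's primaryGroupID (an RID) against each group's
// primaryGroupToken, then fold it into the memberOf list an access check uses.
// The arrays are constructed sample rows standing in for two ldap_search()
// result sets. primaryGroupToken is a constructed attribute: name it explicitly
// in ldap_search()'s attribute list or AD will not return it.
$groups = [
    ['dn' => 'CN=Domain Users,CN=Users,DC=rhodes,DC=edu', 'primarygrouptoken' => 513],
    ['dn' => 'CN=STAFF,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu', 'primarygrouptoken' => 1448],
];
$users = [
    ['dn' => 'CN=Alice Sample,OU=People,DC=rhodes,DC=edu', 'primarygroupid' => 1448,
     'memberof' => ['CN=Domain Users,CN=Users,DC=rhodes,DC=edu']],
    ['dn' => 'CN=Bob Sample,OU=People,DC=rhodes,DC=edu', 'primarygroupid' => 9999, // no such RID
     'memberof' => []],
];
/** primaryGroupToken => group DN, built once from the group result set. */
function build_token_map(array $groups): array {
    $map = [];
    foreach ($groups as $g) {
        $map[(int) $g['primarygrouptoken']] = $g['dn'];
    }
    return $map;
}
/** memberOf plus the primary group AD omits; 'primary' is null when the RID is unknown. */
function all_groups(array $user, array $tokenMap): array {
    $primary = $tokenMap[(int) $user['primarygroupid']] ?? null;
    $dns = $user['memberof'];
    if ($primary !== null && !in_array($primary, $dns, true)) {
        $dns[] = $primary;
    }
    return ['primary' => $primary, 'groups' => $dns];
}
/** Access check that sees the primary group too; an unresolved RID fails closed. */
function is_member(array $user, array $tokenMap, string $groupDn): bool {
    foreach (all_groups($user, $tokenMap)['groups'] as $dn) {
        if (strcasecmp($dn, $groupDn) === 0) { // DNs compare case-insensitively
            return true;
        }
    }
    return false;
}
$map = build_token_map($groups);
$staff = 'CN=STAFF,OU=Security Groups,OU=Groups,DC=rhodes,DC=edu';
foreach ($users as $u) {
    printf("%s: primary=%s staff=%s\n", $u['dn'],
        all_groups($u, $map)['primary'] ?? '(unresolved)', is_member($u, $map, $staff) ? 'yes' : 'no');
}
```

Alice resolves to STAFF through her RID even though memberOf never lists it; Bob's RID matches no group, so the check reports him as not a member rather than guessing.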
------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/25827