ID: 35611
Updated by: [EMAIL PROTECTED]
Reported By: bfg at frost dot ath dot cx
Status: Feedback
Bug Type: LDAP related
Operating System: linux
PHP Version: 5.1.1

New Comment:
Also, FYI:

  -X authzid   SASL authorization identity ("dn:<dn>" or "u:<user>")

(that's from ldapsearch -h output)

Previous Comments:
------------------------------------------------------------------------

[2005-12-12 23:27:11] [EMAIL PROTECTED]

The authzid is passed with the -X option, thus you're not doing the same as you're doing with the script.

------------------------------------------------------------------------

[2005-12-12 09:40:50] bfg at frost dot ath dot cx

$ ldapsearch -h hostname.example.org -D "uid=bfg,ou=users,ou=unix,ou=production,dc=noviforum,dc=si" -Y PLAIN -I
Entered SASL auth username: "bfg"

The same result with:

USER="bfg" ldapsearch -h hostname.example.org -D "uid=bfg,ou=users,ou=unix,ou=production,dc=noviforum,dc=si" -Y PLAIN

:)

------------------------------------------------------------------------

[2005-12-11 23:27:58] [EMAIL PROTECTED]

Exactly how did you call the ldapsearch program to get those results?

------------------------------------------------------------------------

[2005-12-09 10:30:47] bfg at frost dot ath dot cx

Description:
------------
ldap_sasl_bind() sends bind DN as sasl authz id. This is wrong ;)

Reproduce code:
---------------
<?php
$host     = "ldap://ldap.example.org";
// Bind DN: the authentication identity (what ldapsearch receives via -D)
$dn       = "uid=bfg,ou=users,ou=unix,ou=production,dc=noviforum,dc=si";
$pw       = "test";
$realm    = "PROD.EXAMPLE.ORG";
$mech     = "PLAIN";
// SASL authorization identity (what ldapsearch receives via -X or USER)
$authz_id = "bfg";
$props    = null;

$r = ldap_connect($host);
if (! $r) {
    echo "Unable to connect: \n";
    exit(1);
}
// SASL binds require LDAPv3
ldap_set_option($r, LDAP_OPT_PROTOCOL_VERSION, 3);
echo "Connected, trying to bind...\n";

$b = ldap_sasl_bind($r, $dn, $pw, $mech, $realm, $authz_id, $props);
echo "LDAP bind: " . ($b ? "OK" : "FAILED") . "\n";
if (! $b) {
    // Server-side reason for the failure, for comparison with the server logs
    echo "ldap_error: " . ldap_error($r) . "\n";
}
?>

Expected result:
----------------
OK

... I've written a PHP patch which I've sent to Jani.
Actual result:
--------------
Dec 8 11:31:34 orion slapd[5404]: conn=113 fd=15 ACCEPT from IP=192.168.2.232:55217 (IP=0.0.0.0:389)
LDAP: Dec 8 11:31:12 orion slapd[5404]: conn=112 op=0 BIND dn="uid=bfg,ou=users,ou=unix,ou=production,dc=example,dc=si" method=163
PHP: Dec 8 11:31:34 orion slapd[5404]: conn=113 op=0 BIND dn="uid=bfg,ou=users,ou=unix,ou=production,dc=example,dc=si" method=163
LDAP: Dec 8 11:31:12 orion saslauthd[17532]: rel_accept_lock : released accept lock
PHP: Dec 8 11:31:34 orion saslauthd[17533]: rel_accept_lock : released accept lock
LDAP: Dec 8 11:31:12 orion saslauthd[17533]: get_accept_lock : acquired accept lock
PHP: Dec 8 11:31:34 orion saslauthd[17531]: get_accept_lock : acquired accept lock

FAILED

Kerberos logs (ldap server authenticates against kerberos)
LDAP marked lines are produced when connecting to the ldap server with ldapsearch(1), PHP marked lines are produced with the php interpreter running the script above.

LDAP: Dec 8 11:31:12 orion krb5kdc[5468]: AS_REQ (1 etypes {18}) 195.250.198.144: NEEDED_PREAUTH: [EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], Additional pre-authentication required
PHP: Dec 8 11:31:34 orion krb5kdc[5468]: AS_REQ (1 etypes {18}) 195.250.198.144: CLIENT_NOT_FOUND: uid=bfg,ou=users,ou=unix,ou=production,dc=examle,[EMAIL PROTECTED] for krbtgt/[EMAIL PROTECTED], Client not found in Kerberos database
------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=35611&edit=1
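The KDC lines in the report show the symptom of this bug from the server side: with ldapsearch the AS_REQ client is the plain user name (bfg@REALM, answered with NEEDED_PREAUTH), while with the PHP script the client is the full bind DN followed by the realm, which the KDC rejects with CLIENT_NOT_FOUND. The following Python script is an added diagnostic, not part of the bug report or of PHP: it parses krb5kdc AS_REQ lines and flags any request whose client name is shaped like an LDAP DN, which is the signature of a SASL client sending the bind DN where a principal name belongs. The log lines, host name, addresses, realm and DN in it are constructed placeholders modelled on the quoted entries.

```python
import re

# Constructed sample lines modelled on the krb5kdc entries quoted in this report.
# Host name, addresses, realm and DN are placeholders, not values from any real system.
SAMPLE_KDC_LOG = """\
Dec  8 11:31:12 orion krb5kdc[5468]: AS_REQ (1 etypes {18}) 192.0.2.10: NEEDED_PREAUTH: bfg@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Additional pre-authentication required
Dec  8 11:31:34 orion krb5kdc[5468]: AS_REQ (1 etypes {18}) 192.0.2.10: CLIENT_NOT_FOUND: uid=bfg,ou=users,dc=example,dc=org@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Client not found in Kerberos database
Dec  8 11:32:01 orion krb5kdc[5468]: AS_REQ (1 etypes {18}) 192.0.2.11: CLIENT_NOT_FOUND: nosuchuser@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG, Client not found in Kerberos database
"""

# One AS_REQ record: "... AS_REQ (<etypes>) <addr>: <STATUS>: <client> for <service>, <message>"
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d+\]: AS_REQ .*?: (?P<status>[A-Z_]+): (?P<client>\S+) for (?P<service>\S+),"
)
# An LDAP DN in string form: "attr=value" components separated by commas.
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(?:,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def looks_like_dn(name):
    """True if a principal's name part is shaped like an LDAP DN rather than a user name."""
    return DN_RE.match(name) is not None


def parse_as_req(line):
    """Split one krb5kdc AS_REQ line into status, client name, client realm and service.
    Returns None for lines that are not AS_REQ records (e.g. slapd or saslauthd lines)."""
    m = AS_REQ_RE.search(line)
    if m is None:
        return None
    # The realm follows the last "@"; a DN-shaped name may itself contain no "@",
    # so rpartition keeps everything before the realm intact.
    user, _, realm = m.group("client").rpartition("@")
    return {
        "status": m.group("status"),
        "user": user,
        "realm": realm,
        "service": m.group("service"),
    }


def find_dn_shaped_principals(log_text):
    """Report AS_REQ records whose client name is a DN: the symptom in this bug, where
    the bind DN reached the KDC instead of the SASL user name.
    Each finding is (line number, DN, KDC status)."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_as_req(line)
        if rec is not None and looks_like_dn(rec["user"]):
            findings.append((lineno, rec["user"], rec["status"]))
    return findings


if __name__ == "__main__":
    for lineno, dn, status in find_dn_shaped_principals(SAMPLE_KDC_LOG):
        print("line %d: %s: DN used as Kerberos principal name: %s" % (lineno, status, dn))
```

Run against a real krb5kdc log, a hit from this check points at a client library or configuration that is passing the bind DN as the SASL identity; an ordinary CLIENT_NOT_FOUND for a plain user name (the third sample line) is left alone, so the check separates this misconfiguration from a simple unknown-user lookup.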