
Bug #16390 rootDse connection problem
Submitted: 2009-06-30 06:22 UTC Modified: 2009-07-03 07:11 UTC
From: er88 Assigned: beni
Status: Closed Package: Net_LDAP2 (version 2.0.2)
PHP Version: 5.2.5 OS: Ubuntu/9.04
Roadmaps: 2.1.0    
 [2009-06-30 06:22 UTC] er88 (Sean Lavine)
Description:
------------
Net_LDAP2::connect() fails in this code; it works when using Net_LDAP, but not Net_LDAP2. The problem seems to be when the call is made to RootDSE::fetch(): the call to search() on line 77 is failing. I can see the values in the $attributes array if I look them up using phpLDAPadmin, except for the altServer attribute, and I tried commenting that out.

I'm using PHP/5.2.6 on Ubuntu/9.04.
supportedLDAPVersion: 2,3
vendorName: Sun Microsystems, Inc.
vendorVersion: Sun-ONE-Directory/5.2_Patch_2

Test script:
---------------
<?php
require_once 'Net/LDAP2.php';

$config = array(
    'host'   => 'dir.example.com',
    'basedn' => 'ou=people,o=example.com,dc=example,dc=com',
    'binddn' => 'id=ExampleUID,ou=awesome,ou=people,o=example.com,dc=example,dc=com',
    'bindpw' => 'secret'
);

// Plain ext/ldap connect (no bind, no server requests) for comparison
if (ldap_connect($config['host']) !== false) {
    echo "ldap_connect() success\n";
} else {
    echo "ldap_connect() failed\n";
}

// Net_LDAP2::connect() connects, sets the protocol version and binds
$ldap = Net_LDAP2::connect($config);
if (PEAR::isError($ldap)) {
    echo "connection failed\n";
    print_r($ldap);
} else {
    echo "connection successful\n";
}
?>

Expected result:
----------------
ldap_connect() success
connection successful

Actual result:
--------------
ldap_connect() success
connection failed

Comments

 [2009-07-01 14:38 UTC] beni (Benedikt Hallinger)
-Assigned To: +Assigned To: beni -Roadmap Versions: +Roadmap Versions: 2.1.0
Hello and thank you for reporting this issue. Could you please provide the error message returned back from Net_LDAP2::connect()? Please add "print $ldap->getMessage();" after the print_r($ldap) call and post the results here. I can't reproduce that bug here, so it may be a specific problem with your LDAP server. Net_LDAP2::connect() does some additional smart things (binding, schema stuff, etc.) that may fail; ldap_connect() just connects.
 [2009-07-02 00:21 UTC] er88 (Sean Lavine)
ldap_connect() success connection failed: LDAP_INSUFFICIENT_ACCESS Parameters: Base: Filter: (objectClass=*) Scope: base: LDAP_INSUFFICIENT_ACCESS Net_LDAP2_Error Object ( [error_message_prefix] => [mode] => 1 [level] => 1024 [code] => 50 [message] => LDAP_INSUFFICIENT_ACCESS Parameters: Base: Filter: (objectClass=*) Scope: base: LDAP_INSUFFICIENT_ACCESS [userinfo] => [backtrace] => Array ( [0] => Array ( [file] => /usr/share/php/Net/LDAP2.php [line] => 1733 [function] => PEAR_Error [class] => PEAR_Error [type] => -> [args] => Array ( [0] => LDAP_INSUFFICIENT_ACCESS Parameters: Base: Filter: (objectClass=*) Scope: base: LDAP_INSUFFICIENT_ACCESS [1] => 50 [2] => 1 [3] => 1024 [4] => ) ) [1] => Array ( [file] => /usr/share/php/PEAR.php [line] => 566 [function] => __construct [class] => Net_LDAP2_Error [object] => Net_LDAP2_Error Object *RECURSION* [type] => -> [args] => Array ( [0] => LDAP_INSUFFICIENT_ACCESS Parameters: Base: Filter: (objectClass=*) Scope: base [1] => 50 [2] => 1 [3] => 1024 [4] => ) ) [2] => Array ( [file] => /usr/share/php/Net/LDAP2.php [line] => 1043 [function] => raiseError [class] => PEAR [object] => Net_LDAP2 Object ( [_config:protected] => Array ( [host] => dir.example.com [port] => 389 [version] => 3 [starttls] => [binddn] => id=ExampleUID,ou=awesome,ou=people,o=example.com,dc=example,dc=com [bindpw] => secret [basedn] => ou=people,o=example.com,dc=example,dc=com [options] => Array ( ) [filter] => (objectClass=*) [scope] => sub [auto_reconnect] => [min_backoff] => 1 [current_backoff] => 1 [max_backoff] => 32 ) [_host_list:protected] => Array ( [0] => dir.example.com ) [_down_host_list:protected] => Array ( [0] => dir.example.com ) [_link:protected] => [_schema:protected] => [_schema_cache:protected] => [_schemaAttrs:protected] => Array ( ) [_rootDSE_cache:protected] => Array ( ) [_debug] => [_default_error_mode] => [_default_error_options] => [_default_error_handler] => [_error_class] => Net_LDAP2_Error [_expected_errors] => Array ( ) ) 
[type] => -> [args] => Array ( [0] => LDAP_INSUFFICIENT_ACCESS Parameters: Base: Filter: (objectClass=*) Scope: base [1] => 50 ) ) [3] => Array ( [file] => /usr/share/php/Net/LDAP2/RootDSE.php [line] => 77 [function] => search [class] => Net_LDAP2 [object] => Net_LDAP2 Object ( [_config:protected] => Array ( [host] => dir.example.com [port] => 389 [version] => 3 [starttls] => [binddn] => id=ExampleUID,ou=awesome,ou=people,o=example.com,dc=example,dc=com [bindpw] => secret [basedn] => ou=people,o=example.com,dc=example,dc=com [options] => Array ( ) [filter] => (objectClass=*) [scope] => sub [auto_reconnect] => [min_backoff] => 1 [current_backoff] => 1 [max_backoff] => 32 ) [_host_list:protected] => Array ( [0] => dir.example.com ) [_down_host_list:protected] => Array ( [0] => dir.example.com ) [_link:protected] => [_schema:protected] => [_schema_cache:protected] => [_schemaAttrs:protected] => Array ( ) [_rootDSE_cache:protected] => Array ( ) [_debug] => [_default_error_mode] => [_default_error_options] => [_default_error_handler] => [_error_class] => Net_LDAP2_Error [_expected_errors] => Array ( ) ) [type] => -> [args] => Array ( [0] => [1] => (objectClass=*) [2] => Array ( [attributes] => Array ( [0] => vendorName [1] => vendorVersion [2] => namingContexts [3] => altServer [4] => supportedExtension [5] => supportedControl [6] => supportedSASLMechanisms [7] => supportedLDAPVersion [8] => subschemaSubentry ) [scope] => base ) ) ) [4] => Array ( [file] => /usr/share/php/Net/LDAP2.php [line] => 1446 [function] => fetch [class] => Net_LDAP2_RootDSE [type] => :: [args] => Array ( [0] => Net_LDAP2 Object ( [_config:protected] => Array ( [host] => dir.example.com [port] => 389 [version] => 3 [starttls] => [binddn] => id=ExampleUID,ou=awesome,ou=people,o=example.com,dc=example,dc=com [bindpw] => secret [basedn] => ou=people,o=example.com,dc=example,dc=com [options] => Array ( ) [filter] => (objectClass=*) [scope] => sub [auto_reconnect] => [min_backoff] => 1 
[current_backoff] => 1 [max_backoff] => 32 ) [_host_list:protected] => Array ( [0] => dir.example.com ) [_down_host_list:protected] => Array ( [0] => dir.example.com ) [_link:protected] => [_schema:protected] => [_schema_cache:protected] => [_schemaAttrs:protected] => Array ( ) [_rootDSE_cache:protected] => Array ( ) [_debug] => [_default_error_mode] => [_default_error_options] => [_default_error_handler] => [_error_class] => Net_LDAP2_Error [_expected_errors] => Array ( ) ) [1] => ) ) [5] => Array ( [file] => /usr/share/php/Net/LDAP2.php [line] => 1155 [function] => rootDse [class] => Net_LDAP2 [object] => Net_LDAP2 Object ( [_config:protected] => Array ( [host] => dir.example.com [port] => 389 [version] => 3 [starttls] => [binddn] => id=ExampleUID,ou=awesome,ou=people,o=example.com,dc=example,dc=com [bindpw] => secret [basedn] => ou=people,o=example.com,dc=example,dc=com [options] => Array ( ) [filter] => (objectClass=*) [scope] => sub [auto_reconnect] => [min_backoff] => 1 [current_backoff] => 1 [max_backoff] => 32 ) [_host_list:protected] => Array ( [0] => dir.example.com ) [_down_host_list:protected] => Array ( [0] => dir.example.com ) [_link:protected] => [_schema:protected] => [_schema_cache:protected] => [_schemaAttrs:protected] => Array ( ) [_rootDSE_cache:protected] => Array ( ) [_debug] => [_default_error_mode] => [_default_error_options] => [_default_error_handler] => [_error_class] => Net_LDAP2_Error [_expected_errors] => Array ( ) ) [type] => -> [args] => Array ( ) ) [6] => Array ( [file] => /usr/share/php/Net/LDAP2.php [line] => 446 [function] => setLDAPVersion [class] => Net_LDAP2 [object] => Net_LDAP2 Object ( [_config:protected] => Array ( [host] => dir.example.com [port] => 389 [version] => 3 [starttls] => [binddn] => id=ExampleUID,ou=awesome,ou=people,o=example.com,dc=example,dc=com [bindpw] => secret [basedn] => ou=people,o=example.com,dc=example,dc=com [options] => Array ( ) [filter] => (objectClass=*) [scope] => sub [auto_reconnect] => 
[min_backoff] => 1 [current_backoff] => 1 [max_backoff] => 32 ) [_host_list:protected] => Array ( [0] => dir.example.com ) [_down_host_list:protected] => Array ( [0] => dir.example.com ) [_link:protected] => [_schema:protected] => [_schema_cache:protected] => [_schemaAttrs:protected] => Array ( ) [_rootDSE_cache:protected] => Array ( ) [_debug] => [_default_error_mode] => [_default_error_options] => [_default_error_handler] => [_error_class] => Net_LDAP2_Error [_expected_errors] => Array ( ) ) [type] => -> [args] => Array ( ) ) [7] => Array ( [file] => /usr/share/php/Net/LDAP2.php [line] => 339 [function] => performConnect [class] => Net_LDAP2 [object] => Net_LDAP2 Object ( [_config:protected] => Array ( [host] => dir.example.com [port] => 389 [version] => 3 [starttls] => [binddn] => id=ExampleUID,ou=awesome,ou=people,o=example.com,dc=example,dc=com [bindpw] => secret [basedn] => ou=people,o=example.com,dc=example,dc=com [options] => Array ( ) [filter] => (objectClass=*) [scope] => sub [auto_reconnect] => [min_backoff] => 1 [current_backoff] => 1 [max_backoff] => 32 ) [_host_list:protected] => Array ( [0] => dir.example.com ) [_down_host_list:protected] => Array ( [0] => dir.example.com ) [_link:protected] => [_schema:protected] => [_schema_cache:protected] => [_schemaAttrs:protected] => Array ( ) [_rootDSE_cache:protected] => Array ( ) [_debug] => [_default_error_mode] => [_default_error_options] => [_default_error_handler] => [_error_class] => Net_LDAP2_Error [_expected_errors] => Array ( ) ) [type] => -> [args] => Array ( ) ) [8] => Array ( [file] => /usr/share/php/Net/LDAP2.php [line] => 207 [function] => bind [class] => Net_LDAP2 [object] => Net_LDAP2 Object ( [_config:protected] => Array ( [host] => dir.example.com [port] => 389 [version] => 3 [starttls] => [binddn] => id=ExampleUID,ou=awesome,ou=people,o=example.com,dc=example,dc=com [bindpw] => secret [basedn] => ou=people,o=example.com,dc=example,dc=com [options] => Array ( ) [filter] => (objectClass=*) 
[scope] => sub [auto_reconnect] => [min_backoff] => 1 [current_backoff] => 1 [max_backoff] => 32 ) [_host_list:protected] => Array ( [0] => dir.example.com ) [_down_host_list:protected] => Array ( [0] => dir.example.com ) [_link:protected] => [_schema:protected] => [_schema_cache:protected] => [_schemaAttrs:protected] => Array ( ) [_rootDSE_cache:protected] => Array ( ) [_debug] => [_default_error_mode] => [_default_error_options] => [_default_error_handler] => [_error_class] => Net_LDAP2_Error [_expected_errors] => Array ( ) ) [type] => -> [args] => Array ( ) ) [9] => Array ( [file] => [REMOVED]/auth_test.php [line] => 17 [function] => connect [class] => Net_LDAP2 [type] => :: [args] => Array ( [0] => Array ( [host] => dir.example.com [basedn] => ou=people,o=example.com,dc=example,dc=com [binddn] => id=ExampleUID,ou=awesome,ou=people,o=example.com,dc=example,dc=com [bindpw] => secret ) ) ) ) [callback] => )
 [2009-07-02 02:16 UTC] er88 (Sean Lavine)
Well, I was just playing around with this and the problem seems to be in LDAP2->performConnect(). The call to setLDAPVersion() (which will call RootDSE::fetch()) is made before doing a bind. The problem seems to be that my server does not allow the DSE to be fetched anonymously, and this would explain the LDAP_INSUFFICIENT_ACCESS error I am getting. Maybe checking to see if the server supports a version before setting it is overkill?
 [2009-07-02 08:10 UTC] beni (Benedikt Hallinger)
Well, the rootDSE is supposed to be fetched anonymously since it describes the server's features. You seem to have very strong permission restrictions. Please try the following: in LDAP2.php, switch both blocks near lines 440-463 (the call to setLDAPVersion() and the bind attempt) and see if it fixes your problem. In the meanwhile, I will check the RFCs to see if setLDAPVersion is supposed to be called right after connecting (I think the bind may be affected by version changes, so the bind must happen after setLDAPVersion(); at least I commented explicitly that the version needs to be set prior to binding).
 [2009-07-02 08:29 UTC] beni (Benedikt Hallinger)
Did a quick check at the RFCs and indeed there has been a violation of the RFCs in Net_LDAP2::connect(). The bind should be the first operation after connecting. RFC 1777, 4.1. Bind Operation:

    The function of the Bind Operation is to initiate a protocol session between a client and a server, and to allow the authentication of the client to the server. The Bind Operation must be the first operation request received by a server from a client in a protocol session.

So please switch the code blocks as described below and tell me if that helps!
 [2009-07-02 08:50 UTC] beni (Benedikt Hallinger)
(You can also use the CVS version; I fixed the issue according to the RFC.)
 [2009-07-02 22:30 UTC] er88 (Sean Lavine)
Yes, when those code blocks are switched around so the bind occurs first, it does work. Thanks Benedikt!
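The corrected operation order that this thread converges on (bind first, only then read the root DSE) can be shown with plain ext/ldap calls. The following is an added example written for this page; it is not Net_LDAP2's own code, and the host, bind DN and password are the placeholder values from the report. It also shows the defensive handling a caller wants when the bound identity still cannot read the root DSE: the result code 50 (LDAP_INSUFFICIENT_ACCESS) is reported as a warning rather than aborting the connection, because the version-capability check is advisory while the bind is what actually authenticates the client.

```php
<?php
// Added example (not Net_LDAP2 code): connect in the order RFC 1777 section 4.1
// requires, i.e. the bind is the first request sent to the server, and the
// root DSE is read only after the bind. Host, DN and password are placeholders
// taken from the bug report, not a real directory.
$config = array(
    'host'   => 'dir.example.com',
    'port'   => 389,
    'binddn' => 'id=ExampleUID,ou=awesome,ou=people,o=example.com,dc=example,dc=com',
    'bindpw' => 'secret',
);

function connectBindThenRootDse(array $config)
{
    $link = ldap_connect($config['host'], $config['port']);
    if ($link === false) {
        return array('ok' => false, 'stage' => 'connect', 'error' => 'ldap_connect() failed');
    }

    // The protocol version is a client-side option: ldap_set_option() sends no
    // request to the server, so setting it here does not violate the
    // "bind must be the first operation" rule. Version 3 is the usual default.
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($link, LDAP_OPT_REFERRALS, 0);

    // Bind first. On a server that denies anonymous reads of the root DSE (the
    // situation in this report), any search issued before the bind comes back
    // with LDAP_INSUFFICIENT_ACCESS (result code 50).
    if (!@ldap_bind($link, $config['binddn'], $config['bindpw'])) {
        return array('ok' => false, 'stage' => 'bind',
                     'code' => ldap_errno($link), 'error' => ldap_error($link));
    }

    // Root DSE: a base-scope read of the empty DN with filter (objectClass=*),
    // the same request Net_LDAP2_RootDSE::fetch() issues via search().
    $attrs  = array('supportedLDAPVersion', 'namingContexts', 'vendorName', 'vendorVersion');
    $result = @ldap_read($link, '', '(objectClass=*)', $attrs);
    if ($result === false) {
        // Bound identity may still lack read access to the root DSE; keep the
        // authenticated connection and report the capability check as a warning.
        return array('ok' => true, 'stage' => 'rootdse', 'link' => $link,
                     'code' => ldap_errno($link), 'warning' => ldap_error($link),
                     'rootdse' => null);
    }

    $entries = ldap_get_entries($link, $result);
    $rootdse = array();
    if ($entries['count'] > 0) {
        foreach ($attrs as $a) {
            $key = strtolower($a); // ldap_get_entries() lowercases attribute names
            if (isset($entries[0][$key])) {
                $vals = $entries[0][$key];
                unset($vals['count']); // drop the count element, keep only values
                $rootdse[$a] = array_values($vals);
            }
        }
    }

    // Mirror setLDAPVersion()'s intent: confirm the server advertises v3 at all.
    $supported = isset($rootdse['supportedLDAPVersion']) ? $rootdse['supportedLDAPVersion'] : array();
    if (!empty($supported) && !in_array('3', $supported, true)) {
        return array('ok' => false, 'stage' => 'version', 'link' => $link,
                     'error' => 'server does not advertise LDAPv3', 'rootdse' => $rootdse);
    }

    return array('ok' => true, 'stage' => 'done', 'link' => $link, 'rootdse' => $rootdse);
}

$r = connectBindThenRootDse($config);
if ($r['ok']) {
    echo "connection successful (stage: {$r['stage']})\n";
    if (isset($r['warning'])) {
        echo "root DSE not readable: {$r['warning']} (code {$r['code']})\n";
    }
} else {
    echo "connection failed at {$r['stage']}: {$r['error']}\n";
}
?>
```

The stage field in the returned array tells the caller exactly which step failed, which is the diagnostic the thread had to recover by hand from the print_r() backtrace: a failure at "bind" is an authentication problem, while a warning at "rootdse" with code 50 is an access-control restriction on the DSE that does not invalidate the session.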
 [2009-07-03 07:10 UTC] beni (Benedikt Hallinger)
Cool, thanks for your confirmation! I will close the bug and release a new package.
 [2009-07-03 07:11 UTC] beni (Benedikt Hallinger)
-Status: Assigned +Status: Closed