From:             webe4703 at uni-trier dot de
Operating system: Linux (Ubuntu)
PHP version:      5.2.8
PHP Bug Type:     LDAP related
Bug description:  LDAP error messages are very imprecise

Description:
------------
Hi,

Let's assume that we are connecting to an MS AD server.
And the user has the flag set that he must reset his password.
(Therefore the user isn't permitted to log in until he has reset his
password.)

What kind of message do we get when the bind command fails?
Code:
  $ds=ldap_connect($host);
  if (!ldap_bind($ds, $username, $password)) {
        printf("LDAP-Fehlernummer: %s<br>\n", ldap_errno($ds));
        printf("LDAP-Fehler: %s<br>\n", ldap_error($ds));
  }
The output is the following:
  LDAP-Fehlernummer: 49
  LDAP-Fehler: Invalid credentials

OK, PHP told us that the bind failed.

But let's switch to the console and take a look at the output that
ldapsearch will give us:
Command:
  ldapsearch -x -H ldap://der-ad-server.de:389 -D accountn...@der-ad-server.de -W
Output:
  ldap_bind: Invalid credentials (49)
             additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 773, v1771

The first line is the same, but ldapsearch shows another line. This line
is very useful, because we can now read out the error code the AD told us
(773).

And Active Directory has several interesting codes:
525 - user not found
52e - invalid credentials
530 - not permitted to logon at this time
531 - not permitted to logon from this computer
532 - password expired
533 - account disabled
701 - account expired
773 - user must reset password
775 - account locked

As you can see, a more precise error message (similar to ldapsearch) would
give a PHP developer much more information on what went wrong, and not just
a failure message...


Reproduce code:
---------------
  $ds=ldap_connect($host);
  if (!ldap_bind($ds, $username, $password)) {
        printf("LDAP-Fehlernummer: %s<br>\n", ldap_errno($ds));
        printf("LDAP-Fehler: %s<br>\n", ldap_error($ds));
  }


VERSUS

  ldapsearch -x -H ldap://der-ad-server.de:389 -D 

Expected result:
----------------
A more precise error message.
Perhaps something like:
  LDAP-Fehlernummer: 49
  LDAP-Fehler: Invalid credentials, additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 773, v1771

Actual result:
--------------
A very imprecise error message:
  LDAP-Fehlernummer: 49
  LDAP-Fehler: Invalid credentials

-- 
Edit bug report at http://bugs.php.net/?id=47222&edit=1
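Added example, not part of the original report and not PHP's own code: a parser for the "additional info" string quoted above that pulls out the AD sub-code after "data" and maps it using the list from the report. The function names are hypothetical, and the example assumes PHP 7.1 or later with an ldap extension that defines LDAP_OPT_DIAGNOSTIC_MESSAGE, which is newer than the 5.2.8 in the report.

```php
<?php
// AD sub-codes, copied from the list in the report above.
const AD_BIND_SUBCODES = [
    '525' => 'user not found',
    '52e' => 'invalid credentials',
    '530' => 'not permitted to logon at this time',
    '531' => 'not permitted to logon from this computer',
    '532' => 'password expired',
    '533' => 'account disabled',
    '701' => 'account expired',
    '773' => 'user must reset password',
    '775' => 'account locked',
];

// Extract the hex sub-code that follows "data" in an AD diagnostic string.
// Returns [code, meaning]; [null, null] when the field is absent (non-AD
// server, empty message); an unlisted code is returned with a null meaning.
function ad_bind_subcode(string $diagnostic): array
{
    if (!preg_match('/\bdata\s+([0-9a-f]+)\b/i', $diagnostic, $m)) {
        return [null, null];
    }
    $code = strtolower($m[1]);
    return [$code, AD_BIND_SUBCODES[$code] ?? null];
}

// Hypothetical helper: bind, and on failure build a detail line for the
// server-side log. Returns null when the bind succeeds.
function bind_with_detail($ds, string $dn, string $password): ?string
{
    if (@ldap_bind($ds, $dn, $password)) {
        return null;
    }
    $diagnostic = '';
    // Assumption: this option carries the server's "additional info" text.
    ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diagnostic);
    [$code, $meaning] = ad_bind_subcode((string) $diagnostic);
    return sprintf('%d %s; AD sub-code %s (%s)', ldap_errno($ds),
        ldap_error($ds), $code ?? 'none', $meaning ?? 'unknown');
}

// Constructed sample: the "additional info" line quoted in the report.
$sample = '80090308: LdapErr: DSID-0C0903AA, comment: '
        . 'AcceptSecurityContext error, data 773, v1771';
[$code, $meaning] = ad_bind_subcode($sample);
printf("sub-code %s: %s\n", $code, $meaning);
```

Write the detail line to the server-side log and keep the message shown at the login form generic, since codes such as 525 and 52e tell the client whether an account exists.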