Edit report at https://bugs.php.net/bug.php?id=54104&edit=1
ID: 54104
Comment by: bmearns at ieee dot org
Reported by: mmx at riz dot pl
Summary: ldap_sasl_bind fails but not the first time
Status: Open
Type: Bug
Package: LDAP related
Operating System: linux
PHP Version: 5.2.17
Block user comment: N
Private report: N

New Comment:

I'm having the same problem on Windows using PHP 5.3.6, except I haven't noticed that it ever remedies itself after a particular timeout. Instead I have to restart my web server (Apache) to be able to bind again.

I captured the traffic with Wireshark, both for a successful bind and an unsuccessful bind. I'm only slightly familiar with LDAP and SASL, but as far as I can tell both bind requests are valid. The only thing I noticed is that after a server restart, PHP always does an "initial authentication" and it's always successful, whereas subsequent attempts to run the script without a restart attempt a "subsequent authentication" which always fails (quoted terms as defined in RFC 2831, sections 2.1 and 2.2, respectively).

I wonder if the problem is simply that the LDAP server is not accepting subsequent authentication, and wants PHP to do a full-fledged initial authentication procedure every time. If this is a possibility, it seems like the implementation in PHP could try subsequent auth, and then fall back on "initial auth" if that fails. Or, at the very least, there should be a function or an optional function argument for ldap_sasl_bind to force it to use the "initial auth" procedure.

Previous Comments:
------------------------------------------------------------------------
[2011-03-02 21:18:56] thihfernandes at gmail dot com

The same thing is happening with me! My PHP version is 5.3.3-7.

------------------------------------------------------------------------
[2011-02-26 13:20:05] mmx at riz dot pl

Description:
------------
When using ldap_sasl_bind to bind to Active Directory the connection is successful only the first time. When executing the script a second time shortly after the first execution the bind fails. After around 2 minutes the bind is again possible.

I suspect that it may be related to DIGEST-MD5 fast reauth.

The sample code, when executed via the web server (http://my_apache_server/ldap.php), binds successfully the first time. Hitting F5 in the browser:

Warning: ldap_sasl_bind() [function.ldap-sasl-bind]: Unable to bind to server: Invalid credentials

After 2 minutes it works again for the first time.

This problem never happens when I execute the script via the command line:

php -q ./ldap.php

any number of times in a row.

In tcpdump I see that the nonce-count is increasing. The first failure has nc=00000002. After waiting 2 minutes I see that nc starts back from 1. When starting php -q ./ldap.php the nc is always nc=00000001.

My conclusion is that there is some kind of cache/fast reauth/session in PHP that generates the error when working as a part of httpd.

After investigating netstat I noticed that the second bind fails until I see on netstat the connection in the TIME_WAIT state:

netstat -anpe|grep 389
tcp 0 0 client:42457 ad_server:389 TIME_WAIT 0 0 -

When the connection finally disappears the first SASL bind is successful. Of course when I hit F5 many times I have many connections in the TIME_WAIT state. After all of them disappear the bind is successful only for the first time.

Test script:
---------------
<?php
// Connect and force LDAPv3; SASL binds require protocol version 3.
$conn = @ldap_connect("ad_server");
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
// DIGEST-MD5 bind: arguments are dn, password, mech, realm, authc_id, authz_id.
ldap_sasl_bind($conn, NULL, "password", 'DIGEST-MD5', 'my_realm', 'ldap_username', NULL);

Expected result:
----------------
successful sasl bind without the need to wait 2 minutes.

Actual result:
--------------
when the code is executed the second time

Warning: ldap_sasl_bind() [function.ldap-sasl-bind]: Unable to bind to server: Invalid credentials

------------------------------------------------------------------------
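The distinction bmearns draws between RFC 2831 "initial" and "subsequent" authentication, and the nonce-count behaviour mmx observed in tcpdump, worked through in code. This is an added example, not code from the bug report, from PHP's ldap extension or from any LDAP server; it is in Python rather than PHP because it illustrates the digest arithmetic rather than the PHP binding. The response computation follows RFC 2831 section 2.1.2.1. The toy server, the realm/user/password values (copied from the test script), the nonce and cnonce strings, the digest-uri and the forget_nonces() state-loss switch are assumptions made for the example.

```python
"""DIGEST-MD5 (RFC 2831) initial vs. subsequent authentication, worked through.

Added example; not code from the bug report, from PHP or from any LDAP server.
The digest arithmetic follows RFC 2831 sections 2.1.2.1 and 2.2. The toy
server, credentials, nonces and the "state loss" switch are constructed.
"""
import hashlib
import hmac


def _hexh(data: bytes) -> str:
    """HEX(H(data)) with H = MD5, the notation RFC 2831 uses."""
    return hashlib.md5(data).hexdigest()


def digest_response(username, realm, password, nonce, cnonce, nc, qop,
                    digest_uri, authzid=None):
    """Client response-value per RFC 2831 section 2.1.2.1.

    A1 = H(username:realm:password) ":" nonce ":" cnonce [":" authzid]
    A2 = "AUTHENTICATE:" digest-uri      (auth-int/auth-conf append 32 zeros)
    response = HEX(H(HEX(H(A1)) ":" nonce ":" nc ":" cnonce ":" qop ":" HEX(H(A2))))
    """
    a1 = hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).digest()
    a1 += f":{nonce}:{cnonce}".encode("utf-8")
    if authzid:
        a1 += f":{authzid}".encode("utf-8")
    a2 = f"AUTHENTICATE:{digest_uri}"
    if qop in ("auth-int", "auth-conf"):
        a2 += ":" + "0" * 32
    kd = f"{_hexh(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexh(a2.encode('utf-8'))}"
    return _hexh(kd.encode("utf-8"))


class ToyDigestServer:
    """Minimal verifier (constructed). Per issued nonce it remembers the highest
    nonce-count it accepted; that table is all a subsequent authentication
    (RFC 2831 section 2.2, no fresh challenge) can be checked against."""

    def __init__(self, realm, users):
        self.realm = realm
        self.users = users          # username -> password; constructed data
        self.nonce_state = {}       # nonce -> last accepted nc

    def challenge(self, nonce):
        """Initial authentication: issue a nonce and start tracking it."""
        self.nonce_state[nonce] = 0
        return nonce

    def forget_nonces(self):
        """Models a server that no longer knows the nonce (restart, cache
        expiry, or a deployment that never honours subsequent auth)."""
        self.nonce_state.clear()

    def verify(self, username, nonce, cnonce, nc, qop, digest_uri, response):
        if nonce not in self.nonce_state:
            return False, "unknown nonce: no server state for a subsequent auth"
        if int(nc, 16) != self.nonce_state[nonce] + 1:
            return False, "nonce-count replayed or skipped"
        # Unknown user and wrong password get the same answer, so a bind
        # cannot be used to enumerate accounts.
        password = self.users.get(username)
        expected = digest_response(username, self.realm, password or "", nonce,
                                   cnonce, nc, qop, digest_uri)
        if password is None or not hmac.compare_digest(expected, response):
            return False, "invalid credentials"
        self.nonce_state[nonce] = int(nc, 16)
        return True, "ok"


def run_scenario():
    """Replays the pattern in the report: nc=00000001 after a challenge works,
    nc=00000002 works only while the server still holds the nonce, and once
    the server drops it only a fresh challenge (nc back to 1) succeeds."""
    realm, user, pw, uri = "my_realm", "ldap_username", "password", "ldap/ad_server"
    cnonce = "client-chosen-cnonce"                            # constructed
    nonce1, nonce2 = "server-nonce-0001", "server-nonce-0002"  # constructed

    def bind(server, nonce, nc, password=pw):
        resp = digest_response(user, realm, password, nonce, cnonce, nc, "auth", uri)
        return server.verify(user, nonce, cnonce, nc, "auth", uri, resp)

    server = ToyDigestServer(realm, {user: pw})
    results = {}
    server.challenge(nonce1)
    results["initial"] = bind(server, nonce1, "00000001")        # challenge/response
    results["subsequent"] = bind(server, nonce1, "00000002")     # no challenge, nc bumped
    results["replayed_nc"] = bind(server, nonce1, "00000002")    # same nc again
    server.forget_nonces()
    results["after_state_loss"] = bind(server, nonce1, "00000003")  # client still trusts nonce1
    server.challenge(nonce2)                                     # fresh initial auth
    results["fresh_challenge"] = bind(server, nonce2, "00000001")   # nc restarts at 1
    results["wrong_password"] = bind(server, nonce2, "00000002", password="wrong")
    return results


if __name__ == "__main__":
    for step, (ok, why) in run_scenario().items():
        print(f"{step:18s} {'OK  ' if ok else 'FAIL'} {why}")
```

Running the block prints one line per step. The point it makes: a subsequent authentication is only a valid bind while the server still holds the nonce it issued, and the client cannot tell from the wire whether it does until the bind is refused with an error that looks like a bad password. A client-side cache that keeps reusing a nonce with an increasing nc, which is what the reporter saw in tcpdump, would produce exactly that "Invalid credentials" pattern until the cache is dropped and a fresh challenge is requested.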