ID: 14693
Updated by: venaas
Reported By: [EMAIL PROTECTED]
Old Status: Open
Status: Closed
Bug Type: LDAP related
Operating System: Sun Solaris 2.7 (32 bit)
PHP Version: 4.1.0
New Comment:
You are right, there is one problem with PHP's ldap_search(). This is a bit hard to
explain, but when you search at dc=hr, there are both entries returned, and referrals
(continuation references).
If you're using LDAPv2 (which is default with OpenLDAP API), the result of the search
won't be LDAP_SUCCESS, and PHP's ldap_search() won't return any results (even though
some entries were found).
I wanted to fix this a while ago, and at the same time be backwards compatible. I also
wanted to have a way of doing parallel searches. ldap_search() will do a parallel
search if the first argument is an array of link identifiers. It will then return an
array of results instead of a single result. You can also use arrays for bases and
filters if you don't want the same base and filter for all. I also made ldap_search()
return results even if not LDAP_SUCCESS.
Here is an example of how this can be used to get both entries and referrals with
LDAPv2:
$ds=ldap_connect("ds.carnet.hr");
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
$r=ldap_bind($ds);
$dn = 'dc=hr';
$filter="(ou=*)";
$srs=ldap_search(array($ds), $dn, $filter);
$sr=$srs[0];
$info = ldap_get_entries($ds, $sr);
ldap_parse_result($ds, $sr, $errcode, $matcheddn, $errmsg, $referrals);
var_dump($info, $errcode, $matcheddn, $errmsg, $referrals);
Here I use parallel search, even though I only have one server, just to get hold of
the results. ldap_parse_result() is used to get the referrals and possibly other info
in the result message. It could be possible to search all the referrals (even in
parallel) to get more data, but when using LDAPv2 you don't get the bases, so that is
problematic. Compare output of
ldapsearch -h"ds.carnet.hr" -b"dc=hr"
with
ldapsearch -x -P2 -h"ds.carnet.hr" -b"dc=hr"
Using LDAPv3 for the initial search you would get the bases also. You can tell
OpenLDAP to chase the referrals (if v3) or give them back to you. It can't chase them
with v2, it would then try with wrong base and get "no such object". Because of this
mess, I've only added referrals for v3 servers at ldap://ldap.uninett.no/dc=no
There is one problem with PHP and parallel searches though. It was added in 4.0.5, and
works in 4.0.6, but is broken in 4.1.0. I noticed this thanks to you, and I've now
fixed it so that hopefully it will work again in 4.1.1. You can make it work in 4.1.0
by changing ldap.c as shown at
http://cvs.php.net/diff.php/php4/ext/ldap/ldap.c?r1=1.112&r2=1.113&ty=u
Everything I said about ldap_search() also holds for ldap_list() and ldap_read().
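An added example, not part of the original comment or of PHP's own code: a helper that sorts the $referrals array filled in by ldap_parse_result() into URLs that carry a base DN and URLs that do not, which is the v3/v2 difference described above. The function name classify_referrals() and the example.org URLs are assumptions made for illustration, and the code uses current PHP syntax rather than 4.1.

```php
<?php
// Classify referral URLs as returned in $referrals by ldap_parse_result().
// A referral with a base DN can be searched directly; one without a base
// (what the comment above describes for LDAPv2) cannot, because the right
// base is unknown and the original base gives "no such object".
function classify_referrals(array $referrals): array
{
    $with_base = [];
    $without_base = [];
    foreach ($referrals as $url) {
        $parts = parse_url($url);
        if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
            continue; // not a usable URL
        }
        $scheme = strtolower($parts['scheme']);
        if ($scheme !== 'ldap' && $scheme !== 'ldaps') {
            continue; // ignore anything that is not an LDAP URL
        }
        // The DN is the URL path without its leading slash, percent-decoded.
        $dn = isset($parts['path'])
            ? rawurldecode(ltrim($parts['path'], '/'))
            : '';
        $entry = [
            'host' => $parts['host'],
            'port' => $parts['port'] ?? ($scheme === 'ldaps' ? 636 : 389),
            'base' => $dn,
        ];
        if ($dn === '') {
            $without_base[] = $entry;
        } else {
            $with_base[] = $entry;
        }
    }
    return [$with_base, $without_base];
}

// Constructed sample data; real values come from ldap_parse_result().
$referrals = [
    'ldap://ldap.example.org/dc=example,dc=org',
    'ldap://ldap2.example.org:1389/ou=People,dc=example,dc=org',
    'ldap://ldap3.example.org',
];
list($searchable, $unusable) = classify_referrals($referrals);
foreach ($searchable as $r) {
    echo "can search {$r['host']}:{$r['port']} at base \"{$r['base']}\"\n";
}
foreach ($unusable as $r) {
    echo "no base for {$r['host']}:{$r['port']}, cannot follow\n";
}
```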
Previous Comments:
------------------------------------------------------------------------
[2001-12-25 18:27:32] [EMAIL PROTECTED]
Thanks for the fast answer, right now it works.
Why I think it is a bug: simply, I wrote the code you saw in the bug report, but I also
tested with dc=srce,dc=hr (and a few more) and it worked fine; I only got warnings when
I put dc=hr.
I use OpenLDAP 2.0.19, and the v2 and v3 protocols, with referrals; ds.carnet.hr is the
national LDAP server with base DN dc=hr.
So at one moment the LDAP functions use v3 and at another the v2 protocol; that is very
confusing.
Right away I checked my configuration, and I think maybe it is a misfunctionality (bug) :)
... why I think so:
1. My server is able to answer on the v2 and v3 standards; in that case I would at least
expect to get 0 for an answer
2. Ldap Browser 2.8.2 by Jarek Gawor (jar) returns "No entries mached" for the same search
using the v2 protocol.
May I suggest implementing that feature in one of the next releases of the LDAP
functions for PHP.
------------------------------------------------------------------------
[2001-12-25 17:35:36] [EMAIL PROTECTED]
The problem has to do with continuation reference and which
LDAP version you use. Most LDAP libs default to v2. Please
try the following script (worked for me):
$ds=ldap_connect("ds.carnet.hr");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 1);
$r=ldap_bind($ds);
$dn = 'dc=hr';
$filter="(o=*)";
$justthese = array( "dc");
$sr=ldap_search($ds, $dn, $filter, $justthese);
$info = ldap_get_entries($ds, $sr);
ldap_close($ds);
var_dump($info);
I've told it to use v3, and also to follow referrals. You
can probably omit the referrals setting, I think that's
the default, but depends on library.
I also suggest you try:
$ds=ldap_connect("ds.carnet.hr");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
$r=ldap_bind($ds);
$dn = 'dc=hr';
$filter="(objectclass=*)";
$justthese = array( "dc");
$sr=ldap_search($ds, $dn, $filter, $justthese);
$info = ldap_get_entries($ds, $sr);
ldap_close($ds);
var_dump($info);
I'm closing this since I don't think there's a problem.
Reopen if you disagree.
------------------------------------------------------------------------
[2001-12-25 17:08:01] [EMAIL PROTECTED]
<script LANGUAGE="PHP">
$ds=ldap_connect("ds.carnet.hr");
$r=ldap_bind($ds);
$dn = 'dc=hr';
$filter="(o=*)";
$justthese = array( "dc");
$sr=ldap_search($ds, $dn, $filter, $justthese);
$info = ldap_get_entries($ds, $sr);
print $info["count"]." entries returned<p>";
ldap_close($ds);
</script>
Warning: LDAP: Unable to perform the search: No such object in
/web/www/htdocs/ltest/bug.php on line 11
Warning: Supplied argument is not a valid ldap result resource in
/web/www/htdocs/ltest/bug.php on line 13
entries returned
- When putting $dn equal to anything else than a single signed base name (dc=<something>),
the script works without warning.
./configure --with-mysql --with-gd --with-ldap=/home/ldap/ldap
--with-config-file-path=/usr/local/apache --prefix=/usr/local/apache --enable-ftp
--with-ftp --enable-track-vars --with-apache=/opt/apache_1.3.22 --with-curl=/usr/local
------------------------------------------------------------------------
Edit this bug report at http://bugs.php.net/?id=14693&edit=1