ZF-11002: Omitted attributes get retrieved then forgotten


The {{Zend_Auth_Adapter_Ldap::getAccountObject()}} method accepts a list of parameters to return and a list of parameters to omit.

When {{$returnAttribs}} is an empty array(), all attributes are fetched ({{Zend_Ldap::getEntry()}} behavior), and then attributes are filtered using {{$omitAttribs}}.

But when {{$returnAttribs}} and {{$omitAttribs}} are not empty, elements of {{$returnAttribs}} should be filtered using {{$omitAttribs}} before calling {{Zend_Ldap::getEntry()}}.

+Reproduce code:+

$auth = Zend_Auth::getInstance();
$ldapOptions = array(...); // place valid LDAP configuration options here
$authAdapter = new Zend_Auth_Adapter_Ldap($ldapOptions, 'theUserName', 'theSecretPassword');
$result = $auth->authenticate($authAdapter);
$authedUser = $authAdapter->getAccountObject(array('dn', 'sn', 'uid', 'lastname', 'phonenumber'), array('jpegphoto', 'phonenumber'));

{{$authedUser}} will contain the following attributes: dn, sn, uid and lastname, but during the execution, phonenumber has been fetched from the LDAP server (for nothing).

+Fix proposal:+

public function getAccountObject(array $returnAttribs = array(), array $omitAttribs = array())
{
    if (!$this->_authenticatedDn) {
        return false;
    }
    $returnObject = new stdClass();
    $returnAttribs = array_map('strtolower', $returnAttribs); //FIXED: desired attribute names are lowered too (for array_diff() to work)
    $omitAttribs = array_map('strtolower', $omitAttribs);
    $returnAttribs = array_diff($returnAttribs, $omitAttribs); //FIXED: $returnAttribs is filtered before LDAP fetching
    $entry = $this->getLdap()->getEntry($this->_authenticatedDn, $returnAttribs, true);
    foreach ($entry as $attr => $value) {
        if (in_array($attr, $omitAttribs)) {
            // skip attributes marked to be omitted
            continue;
        }
        if (is_array($value)) {
            $returnObject->$attr = (count($value) > 1) ? $value : $value[0];
        } else {
            $returnObject->$attr = $value;
        }
    }
    return $returnObject;
}
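
The filtering order described in this issue, as an added example that is not Zend Framework code and not part of the report: {{FakeLdap}} and {{fetchAccount()}} are hypothetical stand-ins, and the sample entry is constructed. It also covers the case where every requested attribute is omitted, since {{array_diff()}} then leaves an empty list, which per the behavior noted above means all attributes are fetched.

```php
<?php
// Added example, not Zend Framework code. FakeLdap is a hypothetical stand-in
// for Zend_Ldap that records the attribute list of every getEntry() call.
class FakeLdap
{
    public $requested = array();
    private $entry = array( // constructed sample entry
        'dn'          => 'uid=jdoe,ou=people,dc=example,dc=org',
        'sn'          => array('Doe'),
        'uid'         => array('jdoe'),
        'phonenumber' => array('555-0100'),
        'jpegphoto'   => array('(binary)'),
    );
    public function getEntry($dn, array $attributes = array())
    {
        $this->requested[] = $attributes;
        if (!$attributes) {
            return $this->entry; // assumption: empty list means "all attributes"
        }
        return array_intersect_key($this->entry, array_flip($attributes));
    }
}

function fetchAccount(FakeLdap $ldap, $dn, array $returnAttribs, array $omitAttribs)
{
    $returnAttribs = array_map('strtolower', $returnAttribs);
    $omitAttribs   = array_map('strtolower', $omitAttribs);
    $wanted = array_values(array_diff($returnAttribs, $omitAttribs));
    $account = new stdClass();
    // Every requested attribute was also omitted: return nothing instead of
    // passing an empty list on, which would request the whole entry.
    if ($returnAttribs && !$wanted) {
        return $account;
    }
    foreach ($ldap->getEntry($dn, $wanted) as $attr => $value) {
        if (in_array($attr, $omitAttribs)) {
            continue; // still needed when $returnAttribs was empty from the start
        }
        $account->$attr = (is_array($value) && count($value) === 1) ? $value[0] : $value;
    }
    return $account;
}

$ldap = new FakeLdap();
$dn   = 'uid=jdoe,ou=people,dc=example,dc=org';
$user = fetchAccount($ldap, $dn, array('dn', 'sn', 'uid', 'phonenumber'), array('jpegphoto', 'phonenumber'));
echo json_encode(array('returned' => array_keys(get_object_vars($user)), 'requested' => $ldap->requested)), "\n";
fetchAccount($ldap, $dn, array('PhoneNumber'), array('phonenumber'));
echo 'LDAP calls after the all-omitted request: ', count($ldap->requested), "\n";
```

The {{requested}} log is the part to inspect: it shows which attribute names left the application for the directory server, independent of what ends up on the returned object.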


Will be fixed on short notice... Thanks for the issue report.

Fixed in trunk (r23693) and in 1.11-release branch (r23694)