Issues

ZF-8260: Interplay between Zend_Ldap and Zend_Auth_Adapter_Ldap causes issues with anonymous bind (or unbound) ldap connections.

Issue Type: Bug Created: 2009-11-09T12:29:01.000+0000 Last Updated: 2009-11-10T08:22:06.000+0000 Status: Resolved Fix version(s): - 1.10.0 (27/Jan/10)

Reporter: Michael Croes (mycroes) Assignee: Stefan Gehrig (sgehrig) Tags: - Zend_Ldap

Related issues: Attachments:

Description

When using Zend_Auth_Adapter_Ldap->setLdap() the adapter automatically loads the options as set for the given Zend_Ldap argument. However, this also returns username which may not have been explicitly set (and has thus defaulted to NULL), which then gets converted to the empty string ''. When the adapter then tries to authenticate, it passes a new options object with an empty string username, which Zend_Ldap interprets as a real username.

There are a few problems here: - Zend_Ldap->bind() checks whether $username === null, to my knowledge it would be more sane to replace this with empty($username), because an empty username (in whatever way specified) will always result in errors somewhere down the road, - Zend_Auth_Adapter_Ldap converts options to string (IIRC because it does trim() on them) even when not applicable, - Zend_Ldap->getOptions() returns all implicit options too.

Comments

Posted by Stefan Gehrig (sgehrig) on 2009-11-10T05:04:57.000+0000

Can you please provide some sample use-case for what you want to do?

I currently cannot understand which options you would want the auth-adapter to retain when setting an explicit LDAP adapter if there are conflicting options in the auth-adapter and in the LDAP adapter respectively.

Posted by Michael Croes (mycroes) on 2009-11-10T05:44:52.000+0000

Here's some code to illustrate the issue:

$opts = Zend_Registry::get('config')->ldap; $ldap = new Zend_Ldap($opts); $adapter = new Zend_Auth_Adapter_Ldap(); $adapter->setLdap($ldap) ->setIdentity($user) ->setCredential($password);

This sets up Zend_Ldap (without username / password) and sets up an auth adapter. The auth adapter meanwhile (in setLdap()) has asked options from Zend_Ldap, and stored them internally. As soon as _prepareOptions() is being called in the auth adapter, it will call setOptions on Zend_Ldap with the just requested options.

This results in the following: - Zend_Ldap is created, no username or password is specified (both are NULL internally) - Zend_Auth_Adapter_Ldap queries for the options on setLdap(), this now contains an array with NULL for both username and password. - Zend_Auth_Adapter_Ldap calls Zend_Ldap->setOptions() with NULL for username and password, and Zend_Ldap calls trim() on them, causing them to be converted to string values '' (happens in Zend_Ldap->setOptions(), not in the auth adapter as I said in the report). Zend_Ldap tries to bind, sees username !== null, tries to figure out what to make from it, will result in an error because it can't figure out what to make from the empty string.

So point 2 of the issue is invalid, but can be replaced by the fact that Zend_Ldap->setOptions() calls trim on values that might not be strings.

I hope this is clear enough, else I can provide more information if needed.

Posted by Stefan Gehrig (sgehrig) on 2009-11-10T05:52:56.000+0000

Do you have the possibility to check out the most recent version from the SVN trunk? I just changed the detection of anonymous binds in Zend_Ldap - that might solve your problem already. If not please leave a short notice here and I'll have a look into this once more.

Posted by Michael Croes (mycroes) on 2009-11-10T08:05:41.000+0000

Seems to work in trunk indeed, thanks for fixing.

Posted by Stefan Gehrig (sgehrig) on 2009-11-10T08:22:06.000+0000

Fixed in trunk (r18923)

Have you found an issue?

See the Overview section for more details.

Copyright

© 2006-2016 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.

Contacts