Eugenio

Reputation: 3445

Is PHP ldap_escape compatible with Microsoft Active Directory?

Here

https://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx

you can see how AD requires you to escape individual components of a distinguished name (a backslash in front of the character to be escaped).

The ldap_escape function, however, adopts a different escaping technique (I think according to RFC4514), so for example:

Sales\Engineering would be:

Sales\\Engineering according to the Microsoft page above

and:

Sales\5cEngineering if you use ldap_escape

I know that \5c is just the \xx hex sequence for \, but can this create problems?

I am having trouble using ldap_bind with domain\user DNs in Active Directory, which is why I am wondering if there are compatibility issues.

Thanks

Upvotes: 0

Views: 409

Answers (1)

Gabriel Luci

Reputation: 40988

domain\user DNs in Active Directory

I think this may be a misunderstanding. The DOMAIN\username format is not a distinguished name. Even if you did use a proper DN there, the $dn parameter of ldap_bind does not require any escaping.

The Microsoft documentation refers to different scenarios where you may need to escape characters. The first section refers to escaping characters in a component of a distinguished name. A distinguished name would look something like this:

CN=SomeUser,OU=Users,DC=example,DC=com

A character might need escaping in a distinguished name if the name of the object (the CN portion) uses a character that is a special character in the DN format, like "," (comma), "=", "\", etc. That could look something like this:

CN=Luci\, Gabriel,OU=Users,DC=example,DC=com

But in those cases, the escaping is already done for you. The \, is part of the actual DN of the object. So you'll never find a need to escape a DN of an existing object.

The only time you would need to escape characters that would be part of a DN is if you're creating a new object and need to prepare a string to be the name of the new object. However, ldap_escape doesn't escape like this, even when using LDAP_ESCAPE_DN. This seems to come down to RFC2253, which gives two options for escaping characters:

If a character to be escaped is one of the list shown above, then it is prefixed by a backslash ('\' ASCII 92).

Otherwise the character to be escaped is replaced by a backslash and two hex digits, which form a single byte in the code of the character.

Active Directory seems to prefer the first, whereas ldap_escape with LDAP_ESCAPE_DN uses the second method. It might actually work with AD, but I haven't tested it.

The Microsoft documentation also describes escaping values for use in an LDAP filter, which is done differently. This seems to be the only use case for ldap_escape. Characters that are allowed elsewhere (like in a DN) have special meaning in an LDAP query, like "(", ")", "\", etc.

// Escape the value for use inside a filter (not for use inside a DN).
$escapedValue = ldap_escape("Luci, Gabriel (Company)", null, LDAP_ESCAPE_FILTER);
// resulting value will be "Luci, Gabriel \28Company\29"
// Note the parentheses around each component of the AND filter.
$query = "(&(objectClass=user)(objectCategory=person)(cn={$escapedValue}))";

That's where the \5c that you're seeing is coming from. That's only needed for LDAP filters, which isn't what you need there.

You don't need to escape anything when providing a user account as credentials.

Upvotes: 1
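As an added example that is not part of the question or the answer, and that does not call PHP's ldap_escape: a small Python reimplementation of the three escaping conventions the answer contrasts. The backslash-prefix form is the one in the Microsoft article (RFC 2253/4514 option 1), the hex form is what the answer says LDAP_ESCAPE_DN produces (option 2), and the filter form is RFC 4515, which is what LDAP_ESCAPE_FILTER does. Running it on the two strings from the page shows why "Sales\Engineering" comes out as Sales\\Engineering in one style and Sales\5cEngineering in the other, and that an RFC 4514 decoder reads both back to the same value. The leading-"#"/edge-space rule is taken from RFC 4514, not from anything the page says about PHP; the filter-injection input at the end is constructed for the example.

```python
# Added example: the escaping conventions discussed in the answer,
# reimplemented in Python. This is not PHP's ldap_escape and not code
# from the original post.
import re

# RFC 4514 (formerly RFC 2253) characters that are special inside a DN value.
DN_SPECIALS = set(',+"\\<>;=')

# RFC 4515 characters that are special inside a filter assertion value.
FILTER_SPECIALS = set('*()\\\x00')


def _dn_needs_escape(value: str, i: int) -> bool:
    """RFC 4514: the special set anywhere, plus a leading '#' and a
    leading or trailing space. (RFC rule, not a claim about PHP.)"""
    ch = value[i]
    at_edge = i == 0 or i == len(value) - 1
    return ch in DN_SPECIALS or (ch == '#' and i == 0) or (ch == ' ' and at_edge)


def escape_dn_backslash(value: str) -> str:
    """Option 1, the style the Microsoft AD article shows:
    prefix each special character with a single backslash."""
    return ''.join('\\' + ch if _dn_needs_escape(value, i) else ch
                   for i, ch in enumerate(value))


def escape_dn_hex(value: str) -> str:
    """Option 2, the style the answer attributes to ldap_escape with
    LDAP_ESCAPE_DN: backslash plus two lowercase hex digits."""
    return ''.join('\\%02x' % ord(ch) if _dn_needs_escape(value, i) else ch
                   for i, ch in enumerate(value))


def unescape_dn(value: str) -> str:
    """Decode either DN form back to the raw value (ASCII-only, which covers
    the special set). Shows that '\\,' and '\\2c' denote the same character."""
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r'\\([0-9a-fA-F]{2}|.)', repl, value)


def escape_filter(value: str) -> str:
    """RFC 4515 filter escaping, what LDAP_ESCAPE_FILTER does: only
    '*', '(', ')', '\\' and NUL are replaced, always with the hex form.
    A comma is not special in a filter, so it is left alone."""
    return ''.join('\\%02x' % ord(ch) if ch in FILTER_SPECIALS else ch
                   for ch in value)


def build_cn_filter(cn: str) -> str:
    """The answer's query, with the value escaped for a filter (not a DN)."""
    return '(&(objectClass=user)(objectCategory=person)(cn=%s))' % escape_filter(cn)


def build_cn_filter_unsafe(cn: str) -> str:
    """The same query with no escaping, kept only to show what goes wrong."""
    return '(&(objectClass=user)(objectCategory=person)(cn=%s))' % cn


if __name__ == '__main__':
    for raw in ('Sales\\Engineering', 'Luci, Gabriel'):
        bs, hx = escape_dn_backslash(raw), escape_dn_hex(raw)
        print('DN backslash:', bs)
        print('DN hex:      ', hx)
        print('decode equal:', unescape_dn(bs) == unescape_dn(hx) == raw)
    print('filter value:', escape_filter('Luci, Gabriel (Company)'))
    # Constructed injection input: unescaped, the ')' and '(' rewrite the filter.
    attacker = '*)(objectClass=*'
    print('unsafe:', build_cn_filter_unsafe(attacker))
    print('safe:  ', build_cn_filter(attacker))
```

The decode check is the practical answer to "\5c is just the hex sequence for \": any RFC 4514 parser treats the two forms as the same attribute value, so the difference is purely which spelling the server will accept or echo back, which is the part the answer says it did not test against AD. The last two lines show why only the filter escaping matters when the value lands in a query: without it, a value containing ")" and "(" closes the cn assertion and adds its own.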
