ldap_bind fails to bind when the password contains special characters

[Phatkone]

Description

Any ldap password that contains special characters such as "!", "_" or "&" fails to bind where stripping those characters from the password works.

Tested on PHP7.4 and PHP8.0

PHP Version

8.0.1

Operating System

Raspbian 11

[heiglandreas]

Did you use ldap_escape on the password?

[Phatkone]

Did you use ldap_escape on the password?

Tried that too, still doesn't work.
tried html_entity_decode and url_decode too.

[tibetoine]

Is there any update ?

[tibetoine]

Ok i found a solution :
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
LDAPv3 supports UTF-8 by default, which it expects requests and responses to be in by default.

[heiglandreas]

AH! OK. Makes sense!

We should probably set that as default if it wasn't set...

[tibetoine]

That would probably be a good idea.
At least add the information to the known issues OR troubleshooting section.
Afterwards, it's not certain that all legacy LDAP systems are compatible with protocol v3 (maybe this needs to be checked to ensure backward compatibility?)

[KiralyCraft]

EDIT: I was dumb, I wasn't escaping the & and I was sending the data via POST x-www-form-urlencoded, so my & was interpreted as a separator of fields and omitted from the value of the data itself. Oopsie. Good job PHP :)

Unfortunately for me it doesn't work. I have it like this:

$ldaprdn = $usernameDomain . "\\" . $usernameUID;

$ldapConnection = ldap_connect($ldapServer);
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);
$bind = @ldap_bind($ldapConnection, $ldaprdn, html_entity_decode($password));
if ($bind)
{
//All good!
}
else
{
//Fail
}

I'm running PHP 8.2.3 on Arch Linux and the LDAP server is a Windows Server 2022 instance. I'm yet to test with other implementations to see whether this issue is specific to PHP.

My password is simply testing123& and it fails with the & in there, but works fine otherwise.

[tibetoine]

Unfortunately for me it doesn't work. I have it like this:

$ldaprdn = $usernameDomain . "\\" . $usernameUID;

$ldapConnection = ldap_connect($ldapServer);
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);
$bind = @ldap_bind($ldapConnection, $ldaprdn, html_entity_decode($password));
if ($bind)
{
//All good!
}
else
{
//Fail
}

I'm running PHP 8.2.3 on Arch Linux and the LDAP server is a Windows Server 2022 instance. I'm yet to test with other implementations to see whether this issue is specific to PHP.

My password is simply testing123& and it fails with the & in there, but works fine otherwise.

Did you try this : #11407 (comment) ?

[Phatkone]

Unfortunately for me it doesn't work. I have it like this:

$ldaprdn = $usernameDomain . "\\" . $usernameUID;

$ldapConnection = ldap_connect($ldapServer);
ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0);
$bind = @ldap_bind($ldapConnection, $ldaprdn, html_entity_decode($password));
if ($bind)
{
//All good!
}
else
{
//Fail
}

I'm running PHP 8.2.3 on Arch Linux and the LDAP server is a Windows Server 2022 instance. I'm yet to test with other implementations to see whether this issue is specific to PHP.
My password is simply testing123& and it fails with the & in there, but works fine otherwise.

Did you try this : #11407 (comment) ?

its literally line 4 on the config excerpt.

[tibetoine]

What ... This lines just appeared. Idk what just happened