6

In a php page I'm working on, an LDAP connection is established from which a list of cn entries are pulled and put into a dropdown. The selection from the dropdown is sent via form submission to another php script which checks the selected cn against the LDAP to grab more associated information.

For most names this is no problem; however, a cn was recently added that includes parentheses enclosing a nickname, and when that name is selected it causes the ldap_search() method to return false. Below is the code, where $employeename is the sanitized employee name.

...

$dn = "cn=users,dc=our-domain,dc=com";
$filter = "(cn=".$employeename.")";

$attrs = array("cn", "mail");
$rslt = ldap_search($ldapsvr, $dn, $filter, $attrs);

$entries = ldap_get_entries($ldapsvr, $rslt);

...

The $filter string ends up as

(cn=First (FN) Last)

where First is the first name, Last is the last name, and FN is the included nickname. I have tried escaping the parentheses as \28 and \29 (as provided here, where it also says matched parentheses do not need to be escaped), but it did not help. Names that work include letters, spaces, and periods (for middle initials).

(cn=First \28FN\29 Last)

EDIT: ldap_search is returning false, not dying. One of the lines I included while investigating would fail and die if $rslt was false and not an array.

EDIT: I escaped the inner parentheses only, as the outer never gave any trouble.

PeaBucket
  • What kind of error occurs without adding the escaped characters? – quickshiftin Jul 20 '12 at 15:27
  • With unescaped characters, ldap_search() returns false. I think I confused myself while writing the question; while testing, print_r($rslt) would cause the script to die when the search returned false. I'll fix the question. Sorry about that – PeaBucket Jul 20 '12 at 15:32
  • Have you tried tailing the LDAP server log to see what it says about the query coming across from PHP? – quickshiftin Jul 20 '12 at 15:38
  • Do you set your ldap options for `PROTOCOL_VERSION` 3? – Mike Mackintosh Jul 20 '12 at 15:38
  • @sixeightzero the script currently does not set any options; I'll try setting the protocol to three (using the first example here http://php.net/manual/en/function.ldap-set-option.php) – PeaBucket Jul 20 '12 at 15:49
  • @quickshiftin I don't think I have access to it, but if the problem persists I'll try to get someone to look for me. – PeaBucket Jul 20 '12 at 15:55

2 Answers

5

Try to add an operand as a sort of order-of-operations. I had a similar issue on the title field until I did similar to the following.

$filter = "(&(cn=$employeename))";

On some systems, you need to escape () with a \.

$filter = "(&(cn=James \(Jim\) Doe))";

Hang tight, working on an escape function.

Mike Mackintosh
  • I swapped in the filter you provided, but the ldap_search() call is still returning false (I corrected the error result in the question). Would the php version make a difference as far as the functionality of the method? – PeaBucket Jul 20 '12 at 15:41
  • What version are you using? This worked on 5.3.8 and 5.4.4. I also declared `LDAP_OPT_PROTOCOL_VERSION` to 3 – Mike Mackintosh Jul 20 '12 at 15:43
  • Setting the protocol version to 3 didn't affect the search return. As far as php version, we seem to be using 5.3.3 – PeaBucket Jul 20 '12 at 15:53
  • I think I've tried escaping them like that, but I'll try it again on Monday. – PeaBucket Jul 21 '12 at 19:44
  • OK, let me know. This worked for me when I tried it yesterday. – Mike Mackintosh Jul 21 '12 at 21:11
0

Parentheses must be escaped in search filter assertion values. See also: rfc4515 (section 4).

Community
Terry Gardner
  • I've already tried replacing the inner open and close parentheses with \28 and \29, respectively. I'll update the question to reflect that I only replaced the inner ones; should I try replacing both sets? – PeaBucket Jul 21 '12 at 19:46
  • No, only the inner ones if you do. Outer ones need to be standard as they are part of the meta of the query – Mike Mackintosh Jul 21 '12 at 21:10
  • Yes, that's why I wrote "assertion values". – Terry Gardner Jul 22 '12 at 01:21
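
The RFC 4515 escaping rule cited in this answer, as an added PHP example (not code from the question or either answer): `rfc4515_escape()` is a hypothetical helper name and the sample names are constructed. On PHP 5.6 or later with the LDAP extension loaded, the built-in `ldap_escape($value, '', LDAP_ESCAPE_FILTER)` serves the same purpose.

```php
<?php
// Added example, not code from the question or answers.
// rfc4515_escape() is a hypothetical helper name, not a PHP built-in.

/**
 * Escape a string for use as an assertion value in an LDAP search filter
 * (RFC 4515): NUL, "(", ")", "*" and "\" become "\" plus two hex digits.
 */
function rfc4515_escape($value)
{
    // strtr() with an array makes a single pass over the input, so the
    // backslashes it emits are not escaped a second time.
    // The replacements are single-quoted on purpose: in a double-quoted
    // PHP string "\28" is the octal escape "\2" (byte 0x02) followed by
    // "8", so no backslash would reach the server.
    return strtr($value, array(
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ));
}

// Constructed sample values, not entries from a real directory.
$names = array(
    'First (FN) Last',   // the shape of the name in the question
    'First M. Last',     // nothing to escape, passes through unchanged
    'Dept\\Team *',      // a literal backslash and a literal asterisk
);

foreach ($names as $employeename) {
    // Only the value is escaped; the outer parentheses are filter syntax.
    $filter = '(cn=' . rfc4515_escape($employeename) . ')';
    echo $filter, PHP_EOL;
}

// The quoting pitfall: these two literals are different byte strings.
echo bin2hex('\28'), ' ', bin2hex("\28"), PHP_EOL;
```

Escaping the value at the point where the filter is built keeps `*` and parentheses in a name literal, so a selected cn is matched as text rather than parsed as filter syntax.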