Access to LDAP error codes in exceptions
Hi,
I'm currently working on an LDAP authentication against a damn huge (200k+ accounts) AD and have some issues with several queries. One thing is a user search which throws the LdapConnectionException in the QueryOperationHandler. Sadly it doesn't contain any helpful message:
'LDAP search failed. Diagnostic message: ""'
It'd be great if the exception could expose the error code, or am I missing something?
Cheers Matthias
Yes, that seems like a good idea. Not sure why I didn't add that initially. The spot that it needs to be added is here:
https://github.com/ldaptools/ldaptools/blob/18ec773284cdbf5f22cadeb1d85bcaf46c05df39/src/LdapTools/Operation/Handler/OperationHandler.php#L41-L44
Now that I look, there doesn't seem to be a good way to get the normal LDAP error code in LdapTools. I can try to add something soon. As a workaround you could do:
ldap_errno($ldap->getConnection()->getResource());
Sorry about that :-/
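The workaround above reads the error code straight from the ext/ldap resource. As an added example (not LdapTools code and not from either participant), this is a small wrapper around ldap_search() that does the same thing in one place: on failure it captures ldap_errno(), the matching text from ldap_err2str(), and the server-side diagnostic message, and throws an exception that carries the numeric code so callers can distinguish a time limit or size limit hit from, say, a bad filter. The host, base DN and filter are placeholders; LdapSearchException and searchOrThrow are names chosen for this example.

```php
<?php
// Added example, not part of the LdapTools project or this thread.
// Assumes PHP >= 7.1 with ext/ldap; host/base DN/filter below are placeholders.

final class LdapSearchException extends RuntimeException
{
    private int $ldapErrno;
    private string $diagnostic;

    public function __construct(string $what, int $ldapErrno, string $diagnostic)
    {
        // Put code, text and diagnostic into the message so logs are useful,
        // and keep the numeric code as the exception code for programmatic checks.
        parent::__construct(sprintf(
            '%s (LDAP error %d: %s; diagnostic: "%s")',
            $what, $ldapErrno, ldap_err2str($ldapErrno), $diagnostic
        ), $ldapErrno);
        $this->ldapErrno = $ldapErrno;
        $this->diagnostic = $diagnostic;
    }

    public function getLdapErrno(): int { return $this->ldapErrno; }
    public function getDiagnostic(): string { return $this->diagnostic; }
}

/**
 * Run a search and throw an exception carrying the LDAP error code on failure.
 * $timeLimitSec is the server-side time limit passed to ldap_search().
 */
function searchOrThrow($conn, string $baseDn, string $filter, array $attrs, int $timeLimitSec): array
{
    // ldap_search() returns false on failure; the reason lives in the connection handle.
    // The warning is suppressed because we re-raise it with full context below.
    $result = @ldap_search($conn, $baseDn, $filter, $attrs, 0, -1, $timeLimitSec);
    if ($result === false) {
        $errno = ldap_errno($conn);
        $diag  = '';
        // Server diagnostic message (constant exists since PHP 7.1); may be empty, as in the report.
        if (defined('LDAP_OPT_DIAGNOSTIC_MESSAGE')) {
            ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        }
        throw new LdapSearchException('LDAP search failed', $errno, (string) $diag);
    }
    return ldap_get_entries($conn, $result);
}

// Usage (placeholders; replace with your own values).
$conn = ldap_connect('ldaps://ldap.example.com');
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 10);
// Bind with a read-only service account; never log its credentials.
if (!@ldap_bind($conn, 'CN=svc-ldap,OU=Service,DC=example,DC=com', getenv('LDAP_SERVICE_PASSWORD'))) {
    throw new LdapSearchException('LDAP bind failed', ldap_errno($conn), '');
}

try {
    $entries = searchOrThrow(
        $conn,
        'DC=example,DC=com',
        '(&(objectClass=user)(sAMAccountName=jdoe))',
        ['dn', 'memberOf'],
        30
    );
    printf("found %d entr%s\n", $entries['count'], $entries['count'] === 1 ? 'y' : 'ies');
} catch (LdapSearchException $e) {
    // Standard result codes: 3 = timeLimitExceeded, 4 = sizeLimitExceeded.
    // Either one means the query is too broad for this directory, not a credential problem.
    if (in_array($e->getLdapErrno(), [3, 4], true)) {
        error_log('LDAP query too broad, narrow the base DN or filter: ' . $e->getMessage());
    } else {
        error_log($e->getMessage());
    }
    throw $e;
}
```

The point of keeping the numeric code on the exception is that a caller can react to it without string-matching the message; in the 120s hang described later in this thread, a time limit on the search plus a check for code 3 would have surfaced "too broad a query" immediately instead of an empty diagnostic string.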
I'm now exposing the last error code in the LdapConnectionException when possible: https://github.com/ldaptools/ldaptools/commit/1943348159ceed68cce84751faf2b4c533aad9ad. However, since I had to change the interface I can't really tag a minor version. If I don't make any other changes soon I'll just tag another release.
However, what operation is triggering your exception? It seems odd that there is no diagnostic message.
I've already worked around it by fetching the error codes from the LdapConnection. :)
The issue is all from the same query: a simple loadUserByUsername() on the first login of a new user. The query then died after 120s without details while looking up the user groups. Setting the recursive flag in the config brought the query down to 1s and it succeeded.
I'm totally new to LDAP/AD. It's an enterprise-scale, worldwide AD server net with 5 base DNs and 4 levels of OUs each to get down to the users:
OU=USERS,OU="CITY",OU="COUNTRY",OU="FOO",DC=SUB,DC=EXAMPLEWAN,DC=COM
No clue if this is bad by design. It was just a little surprise for me as the contract only mentioned an AD connection for a single location. ;-)
btw: Many thanks for your quick support! 🍻