Why does the ldap_search() works on php 8.1 but not in php 8.3.12 (LDAP_OPT_REFERRALS issue)?

[Marxello669]

Description

I wanted to ask why does following function "ldap_search()" works on the php version 8.1, when the "ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 1);", but when the same property on php 8.3, it does not work.

We had to make a bypass in the a newer version bellow (php 8.3) and we were trying to find why it works on the older and not on the newer one.

The objective of this function is to get the required info from our AD (Active Directory).

// Old version works in php 8.1
private function fetchUserFromLDAP(string $identifier)
    {
        $ldapServer = $this->settingRepository->findOneBy(['name' => 'SYNC_LDAP_SERVER'])->getValue();
        $ldapUsername = $this->settingRepository->findOneBy(['name' => 'SYNC_LDAP_BIND_USER_DN'])->getValue();
        $ldapPassword = $this->settingRepository->findOneBy(['name' => 'SYNC_LDAP_BIND_USER_PASSWORD'])->getValue();
        $ldapConnection = ldap_connect($ldapServer) or die("Could not connect to LDAP server.");
        ldap_set_option($ldapConnection, LDAP_OPT_DEREF, LDAP_DEREF_ALWAYS);
        ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 1);
        ldap_bind($ldapConnection, $ldapUsername, $ldapPassword) or die("Could not bind to LDAP server.");
        $searchFilter = str_replace(
            "@ID",
            $identifier,
            $this->settingRepository->findOneBy(['name' => 'SYNC_LDAP_SEARCH_FILTER'])->getValue()
        );
        $searchBaseDN = $this->settingRepository->findOneBy(['name' => 'SYNC_LDAP_SEARCH_BASE_DN'])->getValue();
        $searchResult = ldap_search($ldapConnection, $searchBaseDN, $searchFilter);

        ldap_get_option($ldapConnection, LDAP_OPT_REFERRALS, $referrals);
        ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, $referrals);

        $searchEntries = ldap_get_entries($ldapConnection, $searchResult);
        ldap_unbind($ldapConnection);

        if ($searchEntries['count'] === 1) {
            return $searchEntries[0];
        }

        return null;
    }

// Newer version works in php 8.3
private function fetchUserFromLDAP(string $identifier)
    {
        $ldapServer = $this->settingRepository->findOneBy(['name' => 'SYNC_LDAP_SERVER'])->getValue();
        $ldapUsername = $this->settingRepository->findOneBy(['name' => 'SYNC_LDAP_BIND_USER_DN'])->getValue();
        $ldapPassword = $this->settingRepository->findOneBy(['name' => 'SYNC_LDAP_BIND_USER_PASSWORD'])->getValue();
        $ldapConnection = ldap_connect($ldapServer) or die("Could not connect to LDAP server.");
        ldap_set_option($ldapConnection, LDAP_OPT_DEREF, LDAP_DEREF_ALWAYS);
        ldap_set_option($ldapConnection, LDAP_OPT_PROTOCOL_VERSION, 3);
        ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 0); // When this is set to "0" the ldap_search() works as expected
        ldap_bind($ldapConnection, $ldapUsername, $ldapPassword) or die("Could not bind to LDAP server.");
        $searchFilter = str_replace(
            "@ID",
            $identifier,
            $this->settingRepository->findOneBy(['name' => 'SYNC_LDAP_SEARCH_FILTER'])->getValue()
        );
        $searchBaseDN = $this->settingRepository->findOneBy(['name' => 'SYNC_LDAP_SEARCH_BASE_DN'])->getValue();
        $searchResult = ldap_search(
            $ldapConnection,
            $searchBaseDN,
            $searchFilter,
        );

        $entry = ldap_first_entry($ldapConnection, $searchResult);
        if (!$entry) {
            ldap_unbind($ldapConnection);
            return null;
        }
        $attrs = ldap_get_attributes($ldapConnection, $entry);
        ldap_unbind($ldapConnection);
        return $attrs;
    }

PHP Version

PHP 8.3.12

Operating System

Ubuntu 24.04.1 LTS

[cmb69]

It doesn't look like anything related to LDAP_OPT_REFERRALS has changed in PHP, but I wonder what "it works"/"it doesn't work" means in this case. Does the search fail (without any notice/warning)? What happens if you use the PHP 8.3 script with PHP 8.1?

[Marxello669]

Prior to the solution that I have at the moment I was having this issue - Warning: ldap_search(): Search: Operations error. I am trying to understand if it was a something I had done or another issue that I had no control about it.

This fetch was intended to return attributes related to a user of our AD.

[nielsdos]

Did the openldap version used change when upgrading the system?

[Marxello669]

Yes, I did upgrade my ldap package on my dockerfile. I'm using php8.3-ldap currently and previously php8.1-ldap.

root@85dd8db464ae:/var/www/openroaming# apt list --installed | grep ldap 

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libldap-2.5-0/jammy-updates,now 2.5.18+dfsg-0ubuntu0.22.04.2 amd64 [installed,automatic]
libldap-common/jammy-updates,now 2.5.18+dfsg-0ubuntu0.22.04.2 all [installed,automatic]
php8.3-ldap/jammy,now 8.3.12-1+ubuntu22.04.1+deb.sury.org+1 amd64 [installed]
root@85dd8db464ae:/var/www/openroaming# 

[nielsdos]

Often the underlying issue when nothing changed in PHP is actually a change in the library. Would it be possible to try with the older libldap version?

[Marxello669]

I was doing some tests with that package version (php8.1-ldap) with the "8.1" version of php, and it was working properly, but when I return to the 8.3 version of the php and the ldap I got the same problem. I can't pinpoint what the problem is but as you said the problem must be with the changes in the library.

This is the error that I keep having with the newer version and this does not happen with the prior one.
Warning: ldap_search(): Search: Operations error

This only happens when I have the following property like this:
ldap_set_option($ldapConnection, LDAP_OPT_REFERRALS, 1);