I have written a ldap-authentication-class (working with Active Directory) a while ago and recently created a new Web-Application for another department, which uses this authentication class.
Basically the user enters their credentials, my script binds with AD and checks if the user is a member of a certain group. The password authentication works every time, but checking the group memberships only works if the user is not in or below the OU with an ampersand in its name.
The problem seems to be that the department name contains an ampersand and therefore the Organizational Unit does too. Although I have permissions in AD to change the name, it is most likely that other applications access that OU by name, therefore I cannot change it (also I don't know if there are other OUs with ampersands in their names, where the same problem might occur later).
Funny thing: If I use ldp.exe under windows I can use the exact same search filter without any problems, so I guess it is a problem with the correct transmission of the symbol itself (my app uses UTF-8 and the ampersand-character is displayed correctly when pulled from AD and printed, so I don't think it's an encoding problem)
The line I use to create the filter is:
$filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=".$userdn."))";
where userdn comes from another ldap_search, where I successfully verified the user password.
I am really stumbled, because I actually pull the DN that I use for the group query from active directory (and it seems correctly escaped), but cannot use it in another ldap_search.
I already tried escaping/replacing the &-Symbol with some alternatives:
\&
&
%26
and lots of variants of those, but they all return the same "bad filter" error.
(PHP Version 5.3.2-1ubuntu4.17)
Can anybody tell me what I am doing wrong here?
I finally figured it out (after several additional hours) - the problem was not the ampersand after all, but it was an escaping issue - the DN of my user also contained a comma, which was already escaped (so I didn't really think about it).
Actually I had to convert the escaping symbol (\) to chr(0x5c). This article ( krivokuca.net/2012/08/… ) had the solution.
Funny thing: I already had an escaping function, which converted "\" to "\5c", but that one did not help with this particular issue.
Thank you for the effort to help me :)
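The point both the question (building the filter from a DN pulled out of AD) and the answer (the DN-escaped comma, not the ampersand, was the culprit) turn on is RFC 4515 filter escaping: inside a filter value only backslash, asterisk, the two parentheses and NUL are special, and each is written as a backslash followed by its two hex digits, so an ampersand needs no treatment at all, while a DN that already contains "\," must have that backslash turned into "\5c" before it goes into the filter. The following PHP is an added example, not the poster's code or the linked article's; it assumes nothing beyond the PHP standard library and uses a constructed DN and login name. On PHP 5.6 and later the built-in ldap_escape($value, '', LDAP_ESCAPE_FILTER) does the same job; the hand-written version below is for older builds like the 5.3 one in the question.

```php
<?php
// Added example (not from the original post): escape a value for use inside an
// LDAP search filter according to RFC 4515, then build the same nested-group
// filter the question uses. Equivalent to ldap_escape(..., LDAP_ESCAPE_FILTER)
// on PHP >= 5.6.

/**
 * Escape a string for embedding in an LDAP filter value (RFC 4515, section 3).
 * Only \ * ( ) and NUL are special; '&' is an ordinary character and is left alone.
 * strtr() with an array makes a single pass over the input, so the backslashes
 * it inserts are never re-escaped.
 */
function filter_escape($value) {
    $map = array(
        "\\"   => '\5c',
        '*'    => '\2a',
        '('    => '\28',
        ')'    => '\29',
        "\x00" => '\00',
    );
    return strtr($value, $map);
}

/**
 * Filter for "groups that contain $userDn, directly or through nesting".
 * 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, the OID from the question.
 * The DN is escaped exactly once here; do not escape it again before ldap_search().
 */
function nested_group_filter($userDn) {
    return '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:='
         . filter_escape($userDn) . '))';
}

/**
 * Filter that looks a user up by login name. Escaping the login is what keeps
 * filter metacharacters typed into the login form from changing the query.
 */
function user_filter($login) {
    return '(&(objectClass=user)(sAMAccountName=' . filter_escape($login) . '))';
}

// Constructed sample DN: a DN-escaped comma in the CN (as AD returns it) and an
// ampersand in the OU name, the situation described in the question.
$userDn = 'CN=Doe\, John,OU=R&D,DC=example,DC=com';
echo nested_group_filter($userDn), "\n";
// (&(objectClass=group)(member:1.2.840.113556.1.4.1941:=CN=Doe\5c, John,OU=R&D,DC=example,DC=com))

// The ampersand on its own is untouched.
var_dump(filter_escape('R&D') === 'R&D');   // bool(true)

// Constructed login containing filter metacharacters; they come out neutralised.
echo user_filter('j*doe(1)'), "\n";
// (&(objectClass=user)(sAMAccountName=j\2adoe\281\29))
```

Two caveats a practitioner will hit: the same DN must not be passed through both the DN-escaping and the filter-escaping routine in the wrong order or twice (a "\5c" that is escaped again becomes "\5c5c" and the filter silently matches nothing), and a filter that merely returns "bad filter" is the friendly failure mode; the unfriendly one is a filter that parses but matches more than intended, which is why every value that comes from a form field or from another search result should go through filter_escape() before concatenation.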