PHP / LDAP: bad search filter (OU with ampersand)

I recently wrote an LDAP authentication class (working with Active Directory) and recently created a new web application for another department that uses this authentication class.

Basically the user enters their credentials, my script contacts AD and checks if the user is a member of a specific group. Password authentication works every time, but group membership verification works only if the user is not inside or below the unit with an ampersand in it.

It seems that the problem is that the name of the department contains an ampersand, and therefore the name of the organizational unit does too. Although I have permission in AD to change the name, it is most likely that other applications access this OU by name, so I can't change it (also, I don't know if there are other OUs with ampersands in their names; the same problem may occur later).

The funny thing is: if I use ldp.exe under Windows, I can use the same search filter without any problems, so I think that this is a problem with the correct transmission of the character itself (my application uses UTF-8 and the ampersand character displays correctly when it is pulled from AD and printed, so I don't think this is an encoding problem).

I use this to create the filter:

$filter = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=".$userdn."))";

where $userdn comes from another ldap_search, where I successfully verified the user password.

I am really stumped, because I actually use a DN which I use for a group request from Active Directory (and it seems to be properly escaped), but I cannot use it in another ldap_search.

I have already tried to escape / replace the & symbol with several alternatives:

\&

&

%26

and many options, but they all repeat the same "bad filter" error.

(PHP version 5.3.2-1ubuntu4.17)

Can someone tell me what I'm doing wrong here?

+4
1 answer

- ( ) - , - DN , ( , ).

escape-() chr (0x5c). (krivokuca.net/2012/08/...) .

: , "\" "\ 5c", .

, :)

+2
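
An added example (not code from the original question or answer) of escaping the DN before it is concatenated into the filter from the question, following RFC 4515, which also keeps user-derived values from altering the filter structure. The helper names `ldap_filter_escape()` and `build_group_filter()` and the sample DN are assumptions made up for illustration.

```php
<?php
// Added example: RFC 4515 escaping of a value placed inside an LDAP search filter.
// ldap_filter_escape() and build_group_filter() are hypothetical helper names.

function ldap_filter_escape($value)
{
    // RFC 4515, section 3: these five octets must be written as \XX (hex)
    // inside a filter value. strtr() with an array makes a single pass over
    // the input, so the backslashes it inserts are never escaped a second time.
    return strtr($value, array(
        '\\' => '\5c',
        '*'  => '\2a',
        '('  => '\28',
        ')'  => '\29',
        "\0" => '\00',
    ));
}

function build_group_filter($userDn)
{
    // Same filter as in the question, with the DN escaped before concatenation.
    return '(&(objectClass=group)(member:1.2.840.113556.1.4.1941:='
        . ldap_filter_escape($userDn) . '))';
}

// Constructed sample DN. The backslash before the comma is DN-level escaping
// (RFC 4514); inside a filter that backslash itself has to become \5c.
// The ampersand is not a special character in a filter value and stays as-is.
$userDn = 'CN=Doe\, Jane,OU=Sales & Marketing,DC=example,DC=com';

echo build_group_filter($userDn), "\n";
```

On PHP 5.6 and later the built-in `ldap_escape($value, '', LDAP_ESCAPE_FILTER)` does the same job; the 5.3.2 build named in the question predates it.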

Source: https://habr.com/ru/post/1599316/

