Bug #13278 enhancement for ldap_start_tls function
Submitted: 2001-09-12 22:00 UTC Modified: 2001-10-09 17:24 UTC
From: kuenne at rentec dot com Assigned: venaas (profile)
Status: Closed Package: LDAP related
PHP Version: 4.0.6 OS: Solaris 7
Private report: No CVE-ID: None
 [2001-09-12 22:00 UTC] kuenne at rentec dot com
I would like to have my ldap connections encrypted so I added the function ldap_start_tls to the ldap module. Following is the diff:

--- ./ext/ldap/ldap.c.orig      Wed Sep 12 15:53:24 2001
+++ ./ext/ldap/ldap.c   Wed Sep 12 16:03:00 2001
@@ -69,6 +69,9 @@
        PHP_FE(ldap_connect,
NULL)
        PHP_FALIAS(ldap_close,          ldap_unbind,            NULL)
        PHP_FE(ldap_bind,
        NULL)
+#if LDAP_API_VERSION > 2000
+       PHP_FE(ldap_start_tls,
        NULL)
+#endif
        PHP_FE(ldap_unbind,
        NULL)
        PHP_FE(ldap_read,
        NULL)
        PHP_FE(ldap_list,
        NULL)
@@ -385,12 +388,22 @@
        } else
 #endif
        {
-               ldap = ldap_open(host,port);
+               ldap = ldap_init(host,port);
        }

        if ( ldap == NULL ) {
                RETURN_FALSE;
        } else {
+#if LDAP_API_VERSION > 2000
+               int version = LDAP_VERSION3;
+               int rc;
+
+               rc = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
+               if (rc != LDAP_OPT_SUCCESS) {
+                       php_error(E_WARNING, "Could not set protocol version 3 (%d): %s\n", rc, ldap_err2string(rc));
+                       RETURN_FALSE;
+               }
+#endif
 #ifdef HAVE_ORALDAP
                if (ssl) {
                        if (ldap_init_SSL(&ldap->ld_sb, wallet, walletpasswd,
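Review bot: the early `RETURN_FALSE` after a failed `ldap_set_option()` leaks the handle that `ldap_init()` just returned; release it (`ldap_unbind(ldap)`) before returning. The block also changes behaviour for every caller, not only those who want TLS: `ldap_open()` becomes `ldap_init()` and LDAPv3 is forced unconditionally, so a script talking to a v2-only server now fails inside `ldap_connect()`. The protocol version is better left to a per-connection option set by the caller than hard-wired here. Minor: the `php_error()` message ends in `\n`, while the message added in the next hunk does not.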
@@ -510,6 +523,31 @@
 }
 #endif

+
+#if LDAP_API_VERSION > 2000
+/* {{{ proto int ldap_start_tls(int link)
+   Start TLS */
+PHP_FUNCTION(ldap_start_tls)
+{
+       pval **link;
+       LDAP *ldap;
+
+       if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &link) == FAILURE) {
+               WRONG_PARAM_COUNT;
+       }
+
+       ldap = _get_ldap_link(link);
+       if (ldap == NULL) RETURN_FALSE;
+
+       if (ldap_start_tls_s(ldap, NULL, NULL) != LDAP_SUCCESS) {
+               php_error(E_WARNING,"LDAP:  Unable to start TLS: %s",ldap_err2string(_get_lderrno(ldap)));
+               RETURN_FALSE;
+       } else {
+               RETURN_TRUE;
+       }
+}
+/* }}} */
+#endif
 
 /* {{{ proto int ldap_bind(int link [, string dn, string password])
    Bind to LDAP directory */
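Review bot: `ldap_start_tls_s()` already returns the result code, but it is discarded and the error is re-read via `_get_lderrno(ldap)`; keep it in a local (`int rc = ldap_start_tls_s(ldap, NULL, NULL);`) and pass `rc` to `ldap_err2string()` so the warning reports the reason from this call. The `proto` comment should also document the ordering this function depends on: it only succeeds on an LDAPv3 connection, so it must be called after the protocol version is set and before `ldap_bind()`, otherwise credentials go out before the session is encrypted.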

--- ./ext/ldap/php_ldap.h.orig  Wed Sep 12 16:04:27 2001
+++ ./ext/ldap/php_ldap.h       Wed Sep 12 16:05:14 2001
@@ -39,6 +39,10 @@
 
 PHP_FUNCTION(ldap_connect);
 
+#if LDAP_API_VERSION > 2000
+PHP_FUNCTION(ldap_start_tls);
+#endif
+
 PHP_FUNCTION(ldap_bind);
 PHP_FUNCTION(ldap_unbind);

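Review bot: guarding the prototype with `#if LDAP_API_VERSION > 2000` only works if the LDAP client header is already included when `php_ldap.h` is processed; if it is not, the undefined macro evaluates to 0 and the prototype silently disappears even though `ldap.c` may still compile the definition. Either include the LDAP header before this guard or drop the guard in the header, since an unused prototype is harmless.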

The usage should be obvious, it takes just one argument, the ldap connection handle. I'm using Openldap 2.0.7 with php and this function works great with it. I didn't test whether this patch breaks other ldap toolkits. One problem could be that I force the use of ldap-v3 so that should probably be an option somewhere (maybe an option to ldap_open or so).

 [2001-09-16 06:16 UTC] venaas@php.net
We need the function, but we can't force v3, and we
can't use ldap_init() for everyone either.

The version can be forced by the user by doing
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
before using your function.

Can you check if your code works if you do no changes
except adding the function, and set the version like
I suggest above?
 [2001-09-17 12:15 UTC] kuenne at rentec dot com
I tried to use ldap_open first, I believe, but it didn't 
work as far as I remember. The problem is that ldap_open 
already opens a connection and then you can't change the 
protocol anymore for obvious reasons. With ldap_init the 
connection is delayed until the first ldap operation so 
you can easily change the protocol to enforce V3.

Regarding the ldap_set_option function, I detected that 
later. I was just too lazy to change my php application 
again. I can try to use ldap_set_option in my php 
application but I'm afraid we'll need ldap_init.

 [2001-10-09 17:24 UTC] venaas@php.net
I have now added only the ldap_start_tls() function
and it seems to work. To use it you must do something
like:

$ds=ldap_connect($host);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls($ds);
ldap_bind($ds, $dn, $pwd);

It is essential to use LDAPv3, and v2 is the default.
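The connect / set-v3 / start_tls / bind sequence from the comments above, written out with every step checked so that a failed StartTLS never falls through to a plaintext bind. This is an added example, not code from the bug report or from the PHP ldap extension; the host, DN and password are placeholders.

```php
<?php
// Added example: establish an encrypted, authenticated LDAP session with
// the PHP ldap extension, refusing to send credentials if StartTLS fails.
// The host, DN and password below are placeholders (assumption).
function ldap_connect_tls(string $uri, string $dn, string $password)
{
    $ds = ldap_connect($uri);            // no network traffic yet
    if ($ds === false) {
        throw new RuntimeException("ldap_connect: malformed host/URI");
    }

    // StartTLS is an LDAPv3 extended operation and the library defaults
    // to v2, so the version must be set before the first wire operation.
    if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
        throw new RuntimeException("ldap_set_option: " . ldap_error($ds));
    }

    // Upgrade the still-plaintext connection before any credentials are
    // sent. On failure drop the handle instead of binding in the clear.
    if (!ldap_start_tls($ds)) {
        $err = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException("ldap_start_tls: " . $err);
    }

    if (!ldap_bind($ds, $dn, $password)) {
        $err = ldap_error($ds);
        ldap_unbind($ds);
        throw new RuntimeException("ldap_bind: " . $err);
    }
    return $ds;
}

try {
    $ds = ldap_connect_tls(
        'ldap://ldap.example.invalid',
        'cn=admin,dc=example,dc=invalid',
        'placeholder-password'
    );
    // ... ldap_search() etc. over the encrypted connection ...
    ldap_unbind($ds);
} catch (RuntimeException $e) {
    fwrite(STDERR, $e->getMessage() . "\n");
    exit(1);
}
```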
