php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #13278 enhancement for ldap_start_tls function
Submitted: 2001-09-12 22:00 UTC Modified: 2001-10-09 17:24 UTC
From: kuenne at rentec dot com Assigned: venaas (profile)
Status: Closed Package: LDAP related
PHP Version: 4.0.6 OS: Solaris 7
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
6 + 30 = ?
Subscribe to this entry?

 
 [2001-09-12 22:00 UTC] kuenne at rentec dot com
I would like to have my ldap connections encrypted so I added the function ldap_start_tls to the ldap module. Following is the diff:

--- ./ext/ldap/ldap.c.orig      Wed Sep 12 15:53:24 2001
+++ ./ext/ldap/ldap.c   Wed Sep 12 16:03:00 2001
@@ -69,6 +69,9 @@
        PHP_FE(ldap_connect,
NULL)
        PHP_FALIAS(ldap_close,          ldap_unbind,            NULL)
        PHP_FE(ldap_bind,
        NULL)
+#if LDAP_API_VERSION > 2000
+       PHP_FE(ldap_start_tls,
        NULL)
+#endif
        PHP_FE(ldap_unbind,
        NULL)
        PHP_FE(ldap_read,
        NULL)
        PHP_FE(ldap_list,
        NULL)
@@ -385,12 +388,22 @@
        } else
 #endif
        {
-               ldap = ldap_open(host,port);
+               ldap = ldap_init(host,port);
        }

        if ( ldap == NULL ) {
                RETURN_FALSE;
        } else {
+#if LDAP_API_VERSION > 2000
+               int version = LDAP_VERSION3;
+               int rc;
+
+               rc = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, &version);
+               if (rc != LDAP_OPT_SUCCESS) {
+                       php_error(E_WARNING, "Could not set protocol version 3 (%d): %s\n", rc, ldap_err2string(rc));
+                       RETURN_FALSE;
+               }
+#endif
 #ifdef HAVE_ORALDAP
                if (ssl) {
                        if (ldap_init_SSL(&ldap->ld_sb, wallet, walletpasswd,
@@ -510,6 +523,31 @@
 }
 #endif

+
+#if LDAP_API_VERSION > 2000
+/* {{{ proto int ldap_start_tls(int link)
+   Start TLS */
+PHP_FUNCTION(ldap_start_tls)
+{
+       pval **link;
+       LDAP *ldap;
+
+       if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &link) == FAILURE) {
+               WRONG_PARAM_COUNT;
+       }
+
+       ldap = _get_ldap_link(link);
+       if (ldap == NULL) RETURN_FALSE;
+
+       if (ldap_start_tls_s(ldap, NULL, NULL) != LDAP_SUCCESS) {
+               php_error(E_WARNING,"LDAP:  Unable to start TLS: %s",ldap_err2string(_get_lderrno(ldap)));
+               RETURN_FALSE;
+       } else {
+               RETURN_TRUE;
+       }
+}
+/* }}} */
+#endif
 
 /* {{{ proto int ldap_bind(int link [, string dn, string password])
    Bind to LDAP directory */

--- ./ext/ldap/php_ldap.h.orig  Wed Sep 12 16:04:27 2001
+++ ./ext/ldap/php_ldap.h       Wed Sep 12 16:05:14 2001
@@ -39,6 +39,10 @@
 
 PHP_FUNCTION(ldap_connect);
 
+#if LDAP_API_VERSION > 2000
+PHP_FUNCTION(ldap_start_tls);
+#endif
+
 PHP_FUNCTION(ldap_bind);
 PHP_FUNCTION(ldap_unbind);


The usage should be obvious, it takes just one argument, the ldap connection handle. I'm using Openldap 2.0.7 with php and this function works great with it. I didn't test whether this patch breaks other ldap toolkits. One problem could be that I force the use of ldap-v3 so that should probably be an option somewhere (maybe an option to ldap_open or so).

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-09-16 06:16 UTC] venaas@php.net
We need the function, but we can't force v3, and we
can't use ldap_init() for everyone either.

The version can be forced by the user by doing
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
before using your function.

Can you check if your code works if you do no changes
except adding the function, and set the version like
I suggest above?
 [2001-09-17 12:15 UTC] kuenne at rentec dot com
I tried to use ldap_open first, I believe, but it didn't 
work as far as I remember. The problem is that ldap_open 
already opens a connection and then you can't change the 
protocol anymore for obvious reasons. With ldap_init the 
connection is delayed until the first ldap operation so 
you can easily change the protocol to enforce V3.

Regarding the ldap_set_option function, I detected that 
later. I was just too lazy to change my php application 
again. I can try to use ldap_set_option in my php 
application but I'm afraid we'll need ldap_init.

 [2001-10-09 17:24 UTC] venaas@php.net
I have now added only the ldap_start_tls() function
and it seems to work. To use it you must do something
like:

$ds=ldap_connect($host);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_start_tls($ds);
ldap_bind($ds, $dn, $pwd);

It is essential to use LDAPv3 and v2 is default.

 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun Nov 27 05:05:53 2022 UTC