Difference between revisions of "PHP Extensions"

From stoney cloud
Jump to: navigation, search
[unchecked revision][unchecked revision]
(LDAP Session Control)
Line 55: Line 55:
 
== LDAP Session Control ==
 
== LDAP Session Control ==
  
[https://tools.ietf.org/html/rfc4511 RFC4511]
+
[https://tools.ietf.org/html/draft-wahl-ldap-session-03 draft-wahl-ldap-session-03]
  
 
The implementation of the control creation is complete, but controls can currently only be passed to the add/modify/replace/delete functions.
 
The implementation of the control creation is complete, but controls can currently only be passed to the add/modify/replace/delete functions.
Line 74: Line 74:
 
);
 
);
  
$ip = "127.0.0.1";
+
$sessionSourceIp = "192.168.1.10";
$
+
$sessionSourceName = "api.stoney-cloud.org";
 +
$sessionTrackingIdentifier = "tmueller"; // username
  
$control = ldap_control_session_tracking($link, "127.0.0.1", "localhost", LDAP_CONTROL_X_SESSION_TRACKING_USERNAME, "testuser");
+
$control = ldap_control_session_tracking($link, $sessionSourceIp, $sessionSourceName, LDAP_CONTROL_X_SESSION_TRACKING_USERNAME, $sessionTrackingIdentifier);
  
 
ldap_modify($link, "dc=my-domain,dc=com", $entry, $control)
 
ldap_modify($link, "dc=my-domain,dc=com", $entry, $control)
Line 85: Line 86:
  
 
<pre>
 
<pre>
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=127.0.0.1 NAME=localhost USERNAME=testuser] MOD dn="dc=my-domain,dc=com"
+
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=192.168.1.10 NAME=api.stoney-cloud.org USERNAME=tmueller] MOD dn="dc=my-domain,dc=com"
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=127.0.0.1 NAME=localhost USERNAME=testuser] MOD attr=objectClass dc o description
+
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=192.168.1.10 NAME=api.stoney-cloud.org USERNAME=tmueller] MOD attr=objectClass dc o description
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=127.0.0.1 NAME=localhost USERNAME=testuser] RESULT tag=103 err=0 text=
+
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=192.168.1.10 NAME=api.stoney-cloud.org USERNAME=tmueller] RESULT tag=103 err=0 text=
 
</pre>
 
</pre>
 +
  
 
[[Category:Documentation]]
 
[[Category:Documentation]]
 
[[Category:PHP]]
 
[[Category:PHP]]
 
[[Category:LDAP]]
 
[[Category:LDAP]]

Revision as of 20:29, 27 April 2014

Several extensions to the existing PHP LDAP API have been developed to make it more suitable to our needs.

Currently, the add/modify/replace/delete functions have been patched to accept additional parameters for server and client controls.

General examples

Single control: 

ldap_modify($link, $dn, $entry, $control);

Multiple controls: 

ldap_modify($link, $dn, $entry, [$control1, $control2]);

LDAP Assertion Control

RFC4528

To be able to safely change values, the Assertion Control is needed which results in a Compare-and-Set functionality.

Example (taken from ext/ldap/tests/ldap_control_assertion_basic.phpt): 

$link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version);
 
$entry = array(
    "objectClass"   => array(
        "top",
        "dcObject",
        "organization"),
    "dc"          => "stoney-cloud",
    "o"           => "stoney-cloud",
    "description" => "stoney cloud root object",
);
 
ldap_modify($link, "dc=stoney-cloud,dc=org", $entry);
 
$assertion_string = "(description=stoney cloud root object)";
$control = ldap_control_assertion($link, $assertion_string);
 
// the following fails if the description has been changed in the meantime
ldap_modify($link, "dc=my-domain,dc=com", $entry, $control);

This can be used to safely increment variables, reserve IP addresses without race conditions.

Given a field in the LDAP which contains the the next free id or IP address:

  • get the current value
  • increment the value
  • set the new value with the assert that the value must match the previously fetched one
  • if it succeeds you can safely use the previously set value, if not: repeat the procedure

LDAP Session Control

draft-wahl-ldap-session-03

The implementation of the control creation is complete, but controls can currently only be passed to the add/modify/replace/delete functions.

The idea of this control is the possibility of tracking the queries made in the LDAP for a given session in the application: 

$link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version);
 
$entry = array(
    "objectClass"   => array(
        "top",
        "dcObject",
        "organization"),
    "dc"        => "my-domain",
    "o"     => "my-domain",
    "description"   => "Domain description",
);
 
$sessionSourceIp = "192.168.1.10";
$sessionSourceName = "api.stoney-cloud.org";
$sessionTrackingIdentifier = "tmueller"; // username
 
$control = ldap_control_session_tracking($link, $sessionSourceIp, $sessionSourceName, LDAP_CONTROL_X_SESSION_TRACKING_USERNAME, $sessionTrackingIdentifier);
 
ldap_modify($link, "dc=my-domain,dc=com", $entry, $control)

which results in the following log of the ldap (using loglevel stats): 

Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=192.168.1.10 NAME=api.stoney-cloud.org USERNAME=tmueller] MOD dn="dc=my-domain,dc=com"
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=192.168.1.10 NAME=api.stoney-cloud.org USERNAME=tmueller] MOD attr=objectClass dc o description
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=192.168.1.10 NAME=api.stoney-cloud.org USERNAME=tmueller] RESULT tag=103 err=0 text=
Retrieved from "https://wiki.stoney-cloud.org/mediawiki/index.php?title=PHP_Extensions&oldid=3290"