PHP Extensions

From stoney cloud
Revision as of 20:23, 27 April 2014 by Tiziano (Talk | contribs)


Jump to: navigation, search

Several extensions to the existing PHP LDAP API have been developed to make it more suitable to our needs.

Currently, the add/modify/replace/delete functions have been patched to accept additional parameters for server and client controls.

General examples

Single control:

ldap_modify($link, $dn, $entry, $control);

Multiple controls:

ldap_modify($link, $dn, $entry, [$control1, $control2]);

LDAP Assertion Control

RFC4528

To be able to safely change values, the Assertion Control is needed which results in a Compare-and-Set functionality.

Example (taken from ext/ldap/tests/ldap_control_assertion_basic.phpt):

$link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version);
 
$entry = array(
    "objectClass"   => array(
        "top",
        "dcObject",
        "organization"),
    "dc"          => "stoney-cloud",
    "o"           => "stoney-cloud",
    "description" => "stoney cloud root object",
);
 
ldap_modify($link, "dc=stoney-cloud,dc=org", $entry);
 
$assertion_string = "(description=stoney cloud root object)";
$control = ldap_control_assertion($link, $assertion_string);
 
// the following fails if the description has been changed in the meantime
ldap_modify($link, "dc=my-domain,dc=com", $entry, $control);

This can be used to safely increment variables, reserve IP addresses without race conditions.

Given a field in the LDAP which contains the the next free id or IP address:

  • get the current value
  • increment the value
  • set the new value with the assert that the value must match the previously fetched one
  • if it succeeds you can safely use the previously set value, if not: repeat the procedure

LDAP Session Control

RFC4511

The implementation of the control creation is complete, but controls can currently only be passed to the add/modify/replace/delete functions.

The idea of this control is the possibility of tracking the queries made in the LDAP for a given session in the application:

$link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version);
 
$entry = array(
    "objectClass"   => array(
        "top",
        "dcObject",
        "organization"),
    "dc"        => "my-domain",
    "o"     => "my-domain",
    "description"   => "Domain description",
);
 
$ip = "127.0.0.1";
$
 
$control = ldap_control_session_tracking($link, "127.0.0.1", "localhost", LDAP_CONTROL_X_SESSION_TRACKING_USERNAME, "testuser");
 
ldap_modify($link, "dc=my-domain,dc=com", $entry, $control)

which results in the following log of the ldap (using loglevel stats):

Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=127.0.0.1 NAME=localhost USERNAME=testuser] MOD dn="dc=my-domain,dc=com"
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=127.0.0.1 NAME=localhost USERNAME=testuser] MOD attr=objectClass dc o description
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=127.0.0.1 NAME=localhost USERNAME=testuser] RESULT tag=103 err=0 text=