PHP Extensions: Difference between revisions

From stoney-cloud.org
Jump to navigation Jump to search
No edit summary
Line 55: Line 55:
== LDAP Session Control ==
== LDAP Session Control ==


[https://tools.ietf.org/html/rfc4511 RFC4511]
[https://tools.ietf.org/html/draft-wahl-ldap-session-03 draft-wahl-ldap-session-03]


The implementation of the control creation is complete, but controls can currently only be passed to the add/modify/replace/delete functions.
The implementation of the control creation is complete, but controls can currently only be passed to the add/modify/replace/delete functions.
Line 74: Line 74:
);
);


$ip = "127.0.0.1";
$sessionSourceIp = "192.168.1.10";
$
$sessionSourceName = "api.stoney-cloud.org";
$sessionTrackingIdentifier = "tmueller"; // username


$control = ldap_control_session_tracking($link, "127.0.0.1", "localhost", LDAP_CONTROL_X_SESSION_TRACKING_USERNAME, "testuser");
$control = ldap_control_session_tracking($link, $sessionSourceIp, $sessionSourceName, LDAP_CONTROL_X_SESSION_TRACKING_USERNAME, $sessionTrackingIdentifier);


ldap_modify($link, "dc=my-domain,dc=com", $entry, $control)
ldap_modify($link, "dc=my-domain,dc=com", $entry, $control)
Line 85: Line 86:


<pre>
<pre>
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=127.0.0.1 NAME=localhost USERNAME=testuser] MOD dn="dc=my-domain,dc=com"
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=192.168.1.10 NAME=api.stoney-cloud.org USERNAME=tmueller] MOD dn="dc=my-domain,dc=com"
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=127.0.0.1 NAME=localhost USERNAME=testuser] MOD attr=objectClass dc o description
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=192.168.1.10 NAME=api.stoney-cloud.org USERNAME=tmueller] MOD attr=objectClass dc o description
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=127.0.0.1 NAME=localhost USERNAME=testuser] RESULT tag=103 err=0 text=
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=192.168.1.10 NAME=api.stoney-cloud.org USERNAME=tmueller] RESULT tag=103 err=0 text=
</pre>
</pre>


[[Category:Documentation]]
[[Category:Documentation]]
[[Category:PHP]]
[[Category:PHP]]
[[Category:LDAP]]
[[Category:LDAP]]

Revision as of 20:29, 27 April 2014

Several extensions to the existing PHP LDAP API have been developed to make it more suitable to our needs.

Currently, the add/modify/replace/delete functions have been patched to accept additional parameters for server and client controls.

General examples

Single control: 

ldap_modify($link, $dn, $entry, $control);

Multiple controls: 

ldap_modify($link, $dn, $entry, [$control1, $control2]);

LDAP Assertion Control

RFC4528

To be able to safely change values, the Assertion Control is needed which results in a Compare-and-Set functionality.

Example (taken from ext/ldap/tests/ldap_control_assertion_basic.phpt): 

$link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version);

$entry = array(
    "objectClass"   => array(
        "top",
        "dcObject",
        "organization"),
    "dc"          => "stoney-cloud",
    "o"           => "stoney-cloud",
    "description" => "stoney cloud root object",
);

ldap_modify($link, "dc=stoney-cloud,dc=org", $entry);

$assertion_string = "(description=stoney cloud root object)";
$control = ldap_control_assertion($link, $assertion_string);

// the following fails if the description has been changed in the meantime
ldap_modify($link, "dc=my-domain,dc=com", $entry, $control);

This can be used to safely increment variables, reserve IP addresses without race conditions.

Given a field in the LDAP which contains the the next free id or IP address:

  • get the current value
  • increment the value
  • set the new value with the assert that the value must match the previously fetched one
  • if it succeeds you can safely use the previously set value, if not: repeat the procedure

LDAP Session Control

draft-wahl-ldap-session-03

The implementation of the control creation is complete, but controls can currently only be passed to the add/modify/replace/delete functions.

The idea of this control is the possibility of tracking the queries made in the LDAP for a given session in the application: 

$link = ldap_connect_and_bind($host, $port, $user, $passwd, $protocol_version);

$entry = array(
    "objectClass"   => array(
        "top",
        "dcObject",
        "organization"),
    "dc"        => "my-domain",
    "o"     => "my-domain",
    "description"   => "Domain description",
);

$sessionSourceIp = "192.168.1.10";
$sessionSourceName = "api.stoney-cloud.org";
$sessionTrackingIdentifier = "tmueller"; // username

$control = ldap_control_session_tracking($link, $sessionSourceIp, $sessionSourceName, LDAP_CONTROL_X_SESSION_TRACKING_USERNAME, $sessionTrackingIdentifier);

ldap_modify($link, "dc=my-domain,dc=com", $entry, $control)

which results in the following log of the ldap (using loglevel stats): 

Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=192.168.1.10 NAME=api.stoney-cloud.org USERNAME=tmueller] MOD dn="dc=my-domain,dc=com"
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=192.168.1.10 NAME=api.stoney-cloud.org USERNAME=tmueller] MOD attr=objectClass dc o description
Apr 25 14:59:32 testmachine slapd[4208]: conn=1014 op=5 [IP=192.168.1.10 NAME=api.stoney-cloud.org USERNAME=tmueller] RESULT tag=103 err=0 text=
Retrieved from "https://wiki.stoney-cloud.org/w/index.php?title=PHP_Extensions&oldid=3290"