
Request #7434 (patch) Enable start_tls support for LDAP container
Submitted: 2006-04-20 09:50 UTC Modified: 2006-12-16 08:29 UTC
From: php dot net at nanonanonano dot net Assigned: aashley
Status: Closed Package: Auth (version 1.3.0)
PHP Version: Irrelevant OS:
Roadmaps: (Not assigned)    


 [2006-04-20 09:50 UTC] php dot net at nanonanonano dot net (Stuart Prescott)
Description:
------------
It would be nice to allow the user to use ldap (not ldaps) but using (as a user option) ldap_start_tls to ensure that the link is encrypted. Since ldaps is deprecated in favour of using start_tls [1], it is A Good Thing(TM) for the LDAP container to support start_tls as an option.

[1] http://www.openldap.org/faq/index.cgi?file=605

The attached patch does two things:

* give the programmer the ability to prompt the LDAP container to try START_TLS to encrypt the connection
* document that for MS servers, "TLS_REQCERT never" needs to be specified in the openldap config file for any encrypted connection to work (otherwise PHP hangs)

I originally made this patch against LDAP.php in the v1.3.0r3 tarball and I sent it in at that stage but it never seemed to make it to the right people (and pear's bugzilla was down at the time). I've attached the regenerated patch to this bug report.

START_TLS is enabled as follows:

    $a = new Auth("LDAP", array(
        'url' => 'ldap://localhost/',
        'version' => 3,
        'start_tls' => true));

(of course, basedn etc. should also be included. version 3 is required for start_tls.)

Let me know if you need anything more!
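As an added example (not code from the Auth package or from the patch submitted in this report), the following stand-alone PHP helper performs the same START_TLS upgrade the 'start_tls' option requests, but fails closed when the upgrade does not succeed and verifies the server certificate against a CA file instead of relying on "TLS_REQCERT never". The function name, the server URL, the bind DN and the certificate path are assumptions for illustration.

```php
<?php
// Added example, not part of PEAR Auth. Helper name, URL and paths are
// constructed for illustration.

/**
 * Connect to $url, switch to LDAPv3 and upgrade the link with START_TLS.
 * Returns the connection, or throws if the link cannot be encrypted,
 * so the caller's bind never falls back to cleartext.
 */
function ldap_connect_starttls(string $url, ?string $caFile = null)
{
    $conn = ldap_connect($url);          // plain ldap:// URL, port 389
    if ($conn === false) {
        throw new RuntimeException("ldap_connect() rejected URL: $url");
    }
    // START_TLS is only defined for protocol version 3.
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Verify the server certificate against a trusted CA file rather than
    // disabling verification (these LDAP_OPT_X_TLS_* options need PHP >= 7.1).
    if ($caFile !== null) {
        ldap_set_option($conn, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    }
    ldap_set_option($conn, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // ldap_start_tls() returning false means the link is still cleartext;
    // refuse to continue instead of binding anyway.
    if (!ldap_start_tls($conn)) {
        $err = ldap_error($conn);
        ldap_unbind($conn);
        throw new RuntimeException("START_TLS failed, refusing cleartext bind: $err");
    }
    return $conn;
}

// Usage with constructed values: bind only after the link is encrypted.
$conn = ldap_connect_starttls('ldap://ldap.example.invalid/', '/etc/ssl/certs/corp-ca.pem');
if (!@ldap_bind($conn, 'cn=Directory Reader,dc=example,dc=invalid', 'secret')) {
    throw new RuntimeException('bind failed: ' . ldap_error($conn));
}
ldap_unbind($conn);
```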

Comments

 [2006-04-20 09:52 UTC] php dot net at nanonanonano dot net
--- LDAP.php 2006-03-02 06:53:08.000000000 +0000 +++ LDAP.php-dist 2006-04-20 15:44:10.000000000 +0100 @@ -102,4 +102,6 @@ * group: the name of group to search for * groupscope: Scope for group searching: one, sub (default), or base + * start_tls: enable/disable the use of START_TLS encrypted connection + * (default: false) * debug: Enable/Disable debugging output (default: false) * @@ -177,4 +179,10 @@ * Example a3 shows a full blown and tested example for connection to * Windows 2000 Active Directory with group mebership checking + * Note also that if you want an encrypted connection to an MS LDAP + * server, then, on your webserver, you must specify + * TLS_REQCERT never + * in /etc/ldap/ldap.conf or in the webserver user's ~/.ldaprc (which + * may or may not be read depending on your configuration). + * * * @category Authentication @@ -258,4 +266,10 @@ $this->_debug("Switching to LDAP version {$this->options['version']}", __LINE__); @ldap_set_option($this->conn_id, LDAP_OPT_PROTOCOL_VERSION, $this->options['version']); + + // start TLS if available + if (isset($this->options['start_tls']) && $this->options['start_tls']) { + $this->_debug("Starting TLS session", __LINE__); + @ldap_start_tls($this->conn_id); + } } @@ -389,4 +403,5 @@ $this->options['memberattr'] = 'uniqueMember'; $this->options['memberisdn'] = true; + $this->options['start_tls'] = false; $this->options['debug'] = false; }
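Review bot: in the third hunk (the "// start TLS if available" block) the return value of `@ldap_start_tls($this->conn_id)` is discarded and its warning suppressed, so when the server refuses or does not support the extended operation the connection silently stays cleartext and the bind that follows sends the credentials unencrypted, which is the opposite of what a caller setting 'start_tls' => true expects. Make it fail closed: `if (!@ldap_start_tls($this->conn_id)) {`, record `ldap_error($this->conn_id)` through `$this->_debug()`, and return whatever error the surrounding connect code returns when `ldap_connect()` fails rather than falling through. A guard, or at least a debug line, when 'start_tls' is set together with a 'version' below 3 would also help, since the description states that START_TLS requires protocol version 3.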
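Review bot: the documentation added in the second hunk instructs users to put `TLS_REQCERT never` in ldap.conf or ~/.ldaprc but does not say that this turns off server certificate verification for every OpenLDAP client run as that user, so the "encrypted" connection no longer authenticates the server. The comment should present that setting as a last resort and name the preferable fix, importing the directory's CA certificate into the client trust store (`TLS_CACERT` or `TLS_CACERTDIR` in ldap.conf) so that the MS server's certificate verifies. It would also be clearer to state the symptom given in the report (PHP hangs) instead of just saying the connection will not work.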
 [2006-04-20 19:02 UTC] aashley at php dot net (Adam Ashley)
Can you put the patch up on some web hosting somewhere and just provide a download link? The PEAR bug tracker wraps patches and it becomes a nightmare to clean them up and get them working again.
 [2006-04-23 12:56 UTC] php dot net at nanonanonano dot net
Sure... I was a bit surprised to see that there wasn't an "attach file" feature in this bug tracker, and I can see what you mean about the patch being butchered badly by the line wrapping. I've stuck the patch up on pastebin.com http://pastebin.com/677236 Let me know how you go with it.
 [2006-08-09 21:57 UTC] aashley at php dot net (Adam Ashley)
pastebin.com has expired the sample, could you post it again, or email it directly to me.
 [2006-08-09 23:07 UTC] aashley at php dot net (Adam Ashley)
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better. Sat down and looked closely at patch and it was relatively easy to clean up.