EdwinHoksberg
Contributor

This commit adds a few new constants to use with ldap_set_option() and ldap_get_option().
The new constants will allow you to specify the certificate check LDAP does of an incoming TLS session, but now at runtime. Normally this option can only be changed in the ldap.conf file.

More info: http://www.openldap.org/lists/openldap-software/200202/msg00456.html
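
An added example, not code from this pull request or from php-src: one way an application could use the runtime certificate-check option while keeping verification on by default. The constants are those of PHP's ldap extension; the function names, the `$allowWeak` flag and the server URI are hypothetical.

```php
<?php
// Added example; function names, $allowWeak and the URI are hypothetical.

/** Map a policy name to a certificate-check level of PHP's ldap extension. */
function tlsPolicyConstant(string $policy, bool $allowWeak = false): int
{
    // Behaviour per ldap.conf(5), TLS_REQCERT.
    $levels = [
        'never'  => LDAP_OPT_X_TLS_NEVER,  // certificate not requested or checked
        'allow'  => LDAP_OPT_X_TLS_ALLOW,  // missing or bad certificate tolerated
        'try'    => LDAP_OPT_X_TLS_TRY,    // missing tolerated, bad one aborts
        'demand' => LDAP_OPT_X_TLS_DEMAND, // valid certificate required
        'hard'   => LDAP_OPT_X_TLS_HARD,   // same as demand
    ];
    if (!isset($levels[$policy])) {
        throw new InvalidArgumentException("Unknown TLS policy: $policy");
    }
    // Levels that can let an unverified server through need an explicit opt-in,
    // so a troubleshooting setting cannot slip into production unnoticed.
    if (in_array($policy, ['never', 'allow', 'try'], true) && !$allowWeak) {
        throw new DomainException("TLS policy '$policy' does not enforce verification");
    }
    return $levels[$policy];
}

/** Open a StartTLS-protected connection with the given check level. */
function connectLdapTls(string $uri, string $policy = 'demand', bool $allowWeak = false)
{
    $level = tlsPolicyConstant($policy, $allowWeak);
    // A null link sets the option for the whole process; set it before
    // connecting so the TLS handshake of the new connection uses it.
    if (!ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, $level)) {
        throw new RuntimeException('Could not set LDAP_OPT_X_TLS_REQUIRE_CERT');
    }
    $link = ldap_connect($uri);
    if ($link === false) {
        throw new RuntimeException("Invalid LDAP URI: $uri");
    }
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3); // StartTLS needs LDAPv3
    if (!@ldap_start_tls($link)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($link));
    }
    return $link;
}

// Usage (constructed host name): verification stays on unless the caller opts out.
// $link = connectLdapTls('ldap://ldap.example.test');
```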

@MCMic
Contributor

MCMic commented Feb 29, 2016

Hello, can you explain in which use case it’s useful to override the options from ldap.conf in PHP code? It feels a bit weird to me, but if it’s supported by openldap lib I guess there must be a use case.
Also, as a php-ldap user, how do you feel about this proposition: https://bugs.php.net/bug.php?id=70131

@ChadSikorra
Contributor

Just interested in seeing this option for LDAP in PHP so I might as well add my 2 cents/use case...

I maintain an LDAP library that abstracts away lots of ldap_* functions (https://github.com/ldaptools/ldaptools), and a common misconfiguration for SSL/TLS is the certificate setup. Being able to pass these options in without having to modify a system config file, used potentially by much more than PHP, is quite useful for troubleshooting and general use.

More confusingly, on Windows when using LDAP with PHP you have to know that in order to change these settings you first have to create the configuration file here: C:\OpenLDAP\sysconf\ldap.conf (hard coded due to the way it's built I suppose). Being able to set these options in the PHP code seems far more intuitive.

Also (not that this makes it right...) the Python LDAP module exposes these options already as well: https://www.python-ldap.org/doc/html/ldap.html#options

@EdwinHoksberg
Contributor Author

@MCMic My motivation for this pull request is basically everything that @ChadSikorra wrote.

I was struggling with getting LDAP to work with a self-signed SSL certificate because of the unclear documentation. I also found a lot of people having trouble with it on Stack Overflow.

This option is trivial to implement but will be very useful for anyone using LDAP.

As for the bug report, I don't think it is a good idea to just let you use any value. My idea would be to just declare all exported constants in ldap.h, so it will be easier to understand and use.
I think Python also uses this approach.

@MCMic
Contributor

MCMic commented Mar 1, 2016

Ok, thanks for your explanations, the PR is merged in PHP-7.0 and master.
I will reject the mentioned bug report as well.

Do not hesitate to submit other PRs on PHP-LDAP, this extension sure needs some love.

@MCMic
Contributor

MCMic commented Mar 1, 2016

I don’t have permission to close this PR, if someone with enough permission sees this please close it.

@laruence laruence closed this Mar 1, 2016
@laruence
Member

laruence commented Mar 1, 2016

close per @MCMic request
