
RFC: Add support for LDAP assertions (rfc4528) #538

Closed

Tiziano Müller

This is foremost an RFC, since some preprocessor checks/#ifdefs are still missing to determine whether or not assertion control is available in the library at all.

Example usage of assertions:

$newdata['givenName'] = "Max";
$assertion = 'givenName=Moritz'; // change the givenName only if it is still Moritz

ldap_modify($ldapconn, $dn, $newdata, $assertion)
    or die("Could not modify $dn\n");

Now the questions:

Do we directly want the assertion to be specified as an argument (as implemented in this patch)? A more flexible option for the future would be to expose individual LDAP Controls (resp. the values, for example created using ldap_create_assertion_control_value) as resources (by creating wrappers for ldap_create_assertion_control_value for example) and allow to optionally pass arrays of such resources (or single resources) either as server or client controls to functions like ldap_modify.

This would then probably look something like this:

$servercontrols[] = ldap_create_assertion_control_value('foo=bar');
ldap_modify($ldapconn, $dn, $newdata, $servercontrols);

// or
$singlecontrol = ldap_create_assertion_control_value('foo=bar');
ldap_modify($ldapconn, $dn, $newdata, $singlecontrol);

// or in case there are only client controls
$someclientcontrols[] = ...;
ldap_modify($ldapconn, $dn, $newdata, [], $someclientcontrols);

LDAP Session Tracking Control is a good candidate for such a case since the corresponding RFC-Draft explicitly allows multiple controls to be added to a single request.

Tiziano Müller

yet another extension which could be implemented when exposing controls to php users: http://www.ietf.org/proceedings/55/I-D/draft-ietf-ldapext-ldapv3-vlv-09.txt

Tiziano Müller dev-zero Add support for LDAP assertions (rfc4528)
Add support for an optional argument for ldap_modify to use as assertion
for the modify command according to rfc4528.

Thanks to Stefan Kuhn for preliminary testing.
efe9664
Tiziano Müller

Pull request with a more general approach follows shortly

Tiziano Müller dev-zero closed this
Commits on Apr 22, 2014
  1. Tiziano Müller

    Add support for LDAP assertions (rfc4528)

    dev-zero authored
    Add support for an optional argument for ldap_modify to use as assertion
    for the modify command according to rfc4528.
    
    Thanks to Stefan Kuhn for preliminary testing.
Showing with 32 additions and 6 deletions.
  1. +32 −6 ext/ldap/ldap.c
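--- a/ext/ldap/ldap.c
+++ b/ext/ldap/ldap.c
@@ -1284,15 +1284,17 @@ static void php_ldap_do_modify(INTERNAL_FUNCTION_PARAMETERS, int oper)
 {
 zval *link, *entry, **value, **ivalue;
 ldap_linkdata *ld;
- char *dn;
+ char *dn, *assertion;
 LDAPMod **ldap_mods;
- int i, j, num_attribs, num_values, dn_len;
+ int i, j, num_attribs, num_values, dn_len, assertion_len;
 int *num_berval;
 char *attribute;
 ulong index;
+ LDAPControl **ctrls;
+
 int is_full_add=0; /* flag for full add operation so ldap_mod_add can be put back into oper, gerrit THomson */
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rsa", &link, &dn, &dn_len, &entry) != SUCCESS) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rsa|s", &link, &dn, &dn_len, &entry, &assertion, &assertion_len) != SUCCESS) {
 return;
 }
@@ -1369,19 +1371,38 @@ static void php_ldap_do_modify(INTERNAL_FUNCTION_PARAMETERS, int oper)
 }
 ldap_mods[num_attribs] = NULL;
+ if (assertion_len > 0) {
+ ctrls = safe_emalloc(2, sizeof(*ctrls), 0);
+ *ctrls = *(ctrls+1) = NULL;
+ char *assertion_berstr = ber_strdup(assertion);
+ i = ldap_create_assertion_control(ld->link, assertion_berstr, 0, ctrls);
+ ber_memfree(assertion_berstr);
+ if (i != LDAP_SUCCESS) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Assertion control creation: %s", ldap_err2string(i));
+ RETVAL_FALSE;
+ goto errexit;
+ }
+ } else {
+ ctrls = NULL;
+ }
+
 /* check flag to see if do_mod was called to perform full add , gerrit thomson */
 if (is_full_add == 1) {
- if ((i = ldap_add_s(ld->link, dn, ldap_mods)) != LDAP_SUCCESS) {
+ if ((i = ldap_add_ext_s(ld->link, dn, ldap_mods, ctrls, NULL)) != LDAP_SUCCESS) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Add: %s", ldap_err2string(i));
 RETVAL_FALSE;
 } else RETVAL_TRUE;
 } else {
- if ((i = ldap_modify_ext_s(ld->link, dn, ldap_mods, NULL, NULL)) != LDAP_SUCCESS) {
+ if ((i = ldap_modify_ext_s(ld->link, dn, ldap_mods, ctrls, NULL)) != LDAP_SUCCESS) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Modify: %s", ldap_err2string(i));
 RETVAL_FALSE;
 } else RETVAL_TRUE;
 }
+ if (ctrls) {
+ efree(*ctrls);
+ }
+
 errexit:
 for (i = 0; i < num_attribs; i++) {
 efree(ldap_mods[i]->mod_type);
@@ -1392,7 +1413,8 @@ static void php_ldap_do_modify(INTERNAL_FUNCTION_PARAMETERS, int oper)
 efree(ldap_mods[i]);
 }
 efree(num_berval);
- efree(ldap_mods);
+ efree(ldap_mods);
+ efree(ctrls);
 return;
 }
@@ -2954,6 +2976,7 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_ldap_add, 0, 0, 3)
 ZEND_ARG_INFO(0, link_identifier)
 ZEND_ARG_INFO(0, dn)
 ZEND_ARG_INFO(0, entry)
+ ZEND_ARG_INFO(0, assertion)
 ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_INFO_EX(arginfo_ldap_delete, 0, 0, 2)
@@ -2977,18 +3000,21 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_ldap_mod_add, 0, 0, 3)
 ZEND_ARG_INFO(0, link_identifier)
 ZEND_ARG_INFO(0, dn)
 ZEND_ARG_INFO(0, entry)
+ ZEND_ARG_INFO(0, assertion)
 ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_INFO_EX(arginfo_ldap_mod_replace, 0, 0, 3)
 ZEND_ARG_INFO(0, link_identifier)
 ZEND_ARG_INFO(0, dn)
 ZEND_ARG_INFO(0, entry)
+ ZEND_ARG_INFO(0, assertion)
 ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_INFO_EX(arginfo_ldap_mod_del, 0, 0, 3)
 ZEND_ARG_INFO(0, link_identifier)
 ZEND_ARG_INFO(0, dn)
 ZEND_ARG_INFO(0, entry)
+ ZEND_ARG_INFO(0, assertion)
 ZEND_END_ARG_INFO()
 ZEND_BEGIN_ARG_INFO_EX(arginfo_ldap_err2str, 0, 0, 1)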
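Review bot: `assertion_len` and `ctrls`, declared without initializers in the first hunk, are read before being assigned on some paths: `zend_parse_parameters` leaves the outputs of an absent optional `|s` argument untouched, so `if (assertion_len > 0)` in the second hunk tests an indeterminate value whenever the fourth argument is omitted, and `efree(ctrls)` after `errexit:` in the third hunk runs on whatever `ctrls` happens to hold if any `goto errexit` in the part of the function between the first and second hunk (not shown here) is taken before `ctrls` is set. Initialize all three at declaration: `char *dn, *assertion = NULL;`, `int i, j, num_attribs, num_values, dn_len, assertion_len = 0;`, `LDAPControl **ctrls = NULL;`. Separately, `efree(*ctrls)` releases a control that `ldap_create_assertion_control` allocated with libldap's allocator rather than the Zend allocator, so it should be `ldap_control_free(*ctrls)`, which also frees the control's BER value. The control is created with `iscritical` set to 0, so a server that does not implement RFC 4528 may ignore the assertion and apply the modification unconditionally, which silently defeats the compare-then-update guarantee the description relies on; passing 1 (or exposing criticality to the caller) makes such servers reject the request instead. `php_ldap_do_modify` begins before the first hunk and its body continues between the hunks.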