ID:               50915
Updated by:       j...@php.net
Reported By:      strube at physik3 dot gwdg dot de
Status:           Open
-Bug Type:         LDAP related
+Bug Type:         Feature/Change Request
Operating System: Solaris 10
PHP Version:      5.2.12

New Comment:

Moved to correct place. ext/ldap works best with OpenLDAP anyway but of course we can add one more implementation in the future. If someone has time. And access to such a machine to test this.. :)

Previous Comments:
------------------------------------------------------------------------

[2010-02-15 15:15:16] strube at physik3 dot gwdg dot de

Oops, this was not a problem of my patch, I simply forgot to copy the certificate files to the PHP_PREFIX/ssl of my 5.3.1 test installation! At least LAM and PLA work just as with 5.2.12.

"trunk" will take some time, I cannot do this now.

------------------------------------------------------------------------

[2010-02-15 14:58:06] strube at physik3 dot gwdg dot de

First tests show that there are indeed issues with PHP 5.3.1. I found that neither LAM nor PLA work with SSL, using ldaps://server or server:636 (but do work without SSL); an error in the call ldapssl_client_init is indicated, although that part of ldap.c patched by me is identical for 5.2.12 and 5.3.1 (however, the line numbers of the second patch hunk must be
@@ -330,6 +334,42 @@
for 5.3.1, contrary to my previous statements).

As we will not be able to upgrade to 5.3.x in the near future because of compatibility issues with our PHP applications, I am sorry I cannot invest time to do extensive tests presently.

------------------------------------------------------------------------

[2010-02-15 12:33:50] paj...@php.net

hi,

Thanks for your work so far.

It is important to understand that 5.2.x is in Maintenance mode. We don't accept feature additions there. 5.3.x accepts only minor and well-tested feature additions. trunk is the development tree.

Can you provide a patch against the PHP_5_3 branch and trunk please? And please test 5.3/trunk as well instead of 5.2 only.

------------------------------------------------------------------------

[2010-02-15 11:42:46] strube at physik3 dot gwdg dot de

Well, I prefer our own servers over pastebin.com and put my patch in ftp://ftp.physik3.gwdg.de/pub/HWS/php_ldap_solaris.patch (also visible as http://www.physik3.gwdg.de/~strube/soft/php_ldap_solaris.patch) which will exist at least for a year, probably much longer.

More details:

The line numbers are correct for recent versions of PHP 5.2.x and 5.3.x; for 4.4.9, patching works with offset (-1 and -38 lines).

Execution has only been tested with php 5.2.x (x = 12 and slightly less), especially with LAM (http://www.ldap-account-manager.org/) and PLA (http://phpldapadmin.sourceforge.net/), both with and without SSL. SASL has not been tested (so far I have not got it working even without PHP).

The first hunk of the patch is required for building at all, the second one, to allow ldap[s] URLs and to use SSL.

Note on SSL usage: this is independent of PHP's configure option --with-openssl, since the Solaris libldap.so is linked with the (Mozilla-type) SSL libraries from /usr/lib/mps/ (from Solaris 10 on; in Solaris 9, ldapssl_client_init is a dummy function).
The LDAP server's CA certificate (or chain) has to be put into PHP_PREFIX/ssl/ (you may change this path in my patch) in the Mozilla-like form of cert8.db, key3.db, secmod.db (tools [e.g., certutil] in /usr/sfw/bin/, docs in http://www.mozilla.org/projects/security/pki/nss/tools/).

------------------------------------------------------------------------

[2010-02-12 17:39:01] j...@php.net

Ever heard of pastebin.com? Try that.

------------------------------------------------------------------------

The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/50915
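
The trust-store setup described in the 2010-02-15 11:42:46 comment, as an added example that is not part of the bug report or its patch: one function imports a CA certificate with certutil, the other checks that the three database files exist and are not group- or world-writable. The function names, the arguments and the "C,," trust setting are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or the patch.
# Assumption: the caller passes the real directory (PHP_PREFIX/ssl in the
# comment above); the three file names are the ones listed there.
NSS_DB_FILES="cert8.db key3.db secmod.db"

# Import a PEM-encoded CA certificate into the NSS database in directory $1.
# $2 = CA certificate file, $3 = nickname to store it under.
# certutil -N prompts for a database password when it creates a new database.
import_ldap_ca() {
    db_dir=$1; ca_pem=$2; nickname=$3
    mkdir -p "$db_dir" || return 1
    [ -f "$db_dir/cert8.db" ] || certutil -N -d "$db_dir" || return 1
    # "C,," marks the certificate as a trusted CA for SSL server certs only.
    certutil -A -d "$db_dir" -n "$nickname" -t "C,," -a -i "$ca_pem"
}

# Report problems with the trust store in directory $1; return 0 when clean.
check_ldap_trust_store() {
    db_dir=$1; rc=0
    for f in $NSS_DB_FILES; do
        file="$db_dir/$f"
        if [ ! -f "$file" ]; then
            echo "missing: $file"; rc=1
        elif [ ! -r "$file" ]; then
            echo "unreadable: $file"; rc=1
        elif [ -n "$(find "$file" \( -perm -020 -o -perm -002 \) -print)" ]; then
            # Anyone who can write the database can add a trusted CA.
            echo "group/world-writable: $file"; rc=1
        fi
    done
    return $rc
}
```

Run check_ldap_trust_store as the account the web server uses, since that is the account that has to read the files; `certutil -L -d DIR` lists what the database trusts.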