(PHP 4 >= 4.0.4, PHP 5, PHP 7, PHP 8)
ldap_set_option — Set the value of the given option
Sets the value of the specified option to be value.
ldap
Either an LDAP\Connection instance, returned by
ldap_connect() , to set the option for that connection,
or null to set the option globally.
option
The parameter option can be one of:
| Option | Type | Available since |
|---|---|---|
| LDAP_OPT_DEREF | int | |
| LDAP_OPT_SIZELIMIT | int | |
| LDAP_OPT_TIMELIMIT | int | |
| LDAP_OPT_NETWORK_TIMEOUT | int | |
| LDAP_OPT_PROTOCOL_VERSION | int | |
| LDAP_OPT_ERROR_NUMBER | int | |
| LDAP_OPT_REFERRALS | bool | |
| LDAP_OPT_RESTART | bool | |
| LDAP_OPT_HOST_NAME | string | |
| LDAP_OPT_ERROR_STRING | string | |
| LDAP_OPT_DIAGNOSTIC_MESSAGE | string | |
| LDAP_OPT_MATCHED_DN | string | |
| LDAP_OPT_SERVER_CONTROLS | array | |
| LDAP_OPT_CLIENT_CONTROLS | array | |
| LDAP_OPT_X_KEEPALIVE_IDLE | int | PHP 7.1.0 |
| LDAP_OPT_X_KEEPALIVE_PROBES | int | PHP 7.1.0 |
| LDAP_OPT_X_KEEPALIVE_INTERVAL | int | PHP 7.1.0 |
| LDAP_OPT_X_TLS_CACERTDIR | string | PHP 7.1.0 |
| LDAP_OPT_X_TLS_CACERTFILE | string | PHP 7.1.0 |
| LDAP_OPT_X_TLS_CERTFILE | string | PHP 7.1.0 |
| LDAP_OPT_X_TLS_CIPHER_SUITE | string | PHP 7.1.0 |
| LDAP_OPT_X_TLS_CRLCHECK | int | PHP 7.1.0 |
| LDAP_OPT_X_TLS_CRLFILE | string | PHP 7.1.0 |
| LDAP_OPT_X_TLS_DHFILE | string | PHP 7.1.0 |
| LDAP_OPT_X_TLS_KEYFILE | string | PHP 7.1.0 |
| LDAP_OPT_X_TLS_PROTOCOL_MIN | int | PHP 7.1.0 |
| LDAP_OPT_X_TLS_RANDOM_FILE | string | PHP 7.1.0 |
| LDAP_OPT_X_TLS_REQUIRE_CERT | int | PHP 7.0.5 |
LDAP_OPT_SERVER_CONTROLS and LDAP_OPT_CLIENT_CONTROLS require a list of
controls, so the value must be an array of controls. A control consists of
an oid identifying the control, an optional value, and an optional flag for
criticality. In PHP a control is given by an array containing an element
with the key oid and a string value, plus two optional elements: the key
value with a string value, and the key iscritical with a boolean value.
iscritical defaults to false if not supplied. See
draft-ietf-ldapext-ldap-c-api-xx.txt for details, and the second example
below.
Note:
All TLS options must be set globally (with ldap set to null) before ldap_connect() for an ldaps connection, or on the connection before ldap_start_tls().
value
The new value for the specified option.
| Version | Description |
|---|---|
| 8.1.0 | The ldap parameter expects an LDAP\Connection instance now; previously, a valid ldap link resource was expected. |
Example #1 Set protocol version
<?php
// $ds is a valid LDAP\Connection instance for a directory server
if (ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
echo "Using LDAPv3";
} else {
echo "Failed to set protocol version to 3";
}
?>
Example #2 Set server controls
<?php
// $ds is a valid LDAP\Connection instance for a directory server
// control with no value
$ctrl1 = array("oid" => "1.2.752.58.10.1", "iscritical" => true);
// iscritical defaults to FALSE
$ctrl2 = array("oid" => "1.2.752.58.1.10", "value" => "magic");
// try to set both controls
if (!ldap_set_option($ds, LDAP_OPT_SERVER_CONTROLS, array($ctrl1, $ctrl2))) {
echo "Failed to set server controls";
}
?>
Note:
This function is only available when using OpenLDAP 2.x.x OR Netscape Directory SDK x.x.
As john.hallam@compaq.com mentioned above, one has to set the option LDAP_OPT_PROTOCOL_VERSION=3
ldap_set_option($ds,LDAP_OPT_PROTOCOL_VERSION,3);
to use the ldap_rename function.
However, the ldap_set_option() line has to be written immediately after ldap_connect() and before ldap_bind() statements.
Christos Soulios
If you want to disable the TLS cert check (e.g. because you are doing an SSH port-forward, and ldaps is pointing to localhost), then you must invoke:
ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,0)
*before* calling ldap_connect()
If you try:
$ds = ldap_connect(...)
ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT,0)
then the option won't actually take effect, the certificate will be checked anyway, and a TLS failure will happen.
Luckily you can turn on debugging before you open a connection:
ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
This way you can at least see in the logs if the connection fails.
The following flags are valid integer values for LDAP_OPT_DEREF (as taken from the documentation for ldap_read()):
LDAP_DEREF_NEVER (int 0) - (default) aliases are never dereferenced.
LDAP_DEREF_SEARCHING (int 1) - aliases should be dereferenced during the search but not when locating the base object of the search.
LDAP_DEREF_FINDING (int 2) - aliases should be dereferenced when locating the base object but not during the search.
LDAP_DEREF_ALWAYS (int 3) - aliases should be dereferenced always.
Example:
<?php
ldap_set_option($ds, LDAP_OPT_DEREF, LDAP_DEREF_ALWAYS);
?>
These are defined in the draft C API (presumably from the original LDAP API). See draft-ietf-ldapext-ldap-c-api-xx.txt included in the OpenLDAP source code distribution.
PHP 7.1 added support for configuring the LDAP CA/Cert environment directly, rather than relying on the environment variables. I noticed that a lot of people are having trouble getting this to work.
The correct way is:
$ds=ldap_connect("ldap.google.com");
ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, "/path/file.crt");
ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, "/path/file.key");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_start_tls($ds);
...
ldap_close($ds);
I have the following code, but it does not rename the cn. What may be wrong?
$TheDN = "cn=Nombre,ou=Addressbook,dc=axia-ldap,dc=net";
$newRDN = "cn=bill";
$newParent = "ou=Addressbook,dc=axia-ldap,dc=net";
ldap_set_option($ds,LDAP_OPT_PROTOCOL_VERSION,3);
$result = ldap_rename($ds, $TheDN, $newRDN, $newParent, TRUE);
To get this to work I had to set the LDAP version to 3 using ldap_set_option. Here is an example that might help:
$TheDN = "cn=john smith,ou=users,dc=acme,dc=com";
$newRDN = "cn=bill brown";
$newParent = "ou=users,dc=acme,dc=com";
ldap_set_option($ds,LDAP_OPT_PROTOCOL_VERSION,3);
@$result = ldap_rename($ds, $TheDN, $newRDN, $newParent, TRUE);
It seems that ldap_set_option returns 1 for bogus ldap_connect calls too.
ldap_connect always returns a resource (documented in the
comments of ldap_connect), so it is not possible to check if the
ldap server is there or alive or what. And because ldap_set_option
must be between ldap_connect and ldap_bind, there seems to
be no sense in checking the return value.
It is a bit strange that ldap_bind is the first function which can
really check if an ldap resource is usable, because it is the third
function in line to use when working with openldap.
<?php
$connect = ldap_connect("whatever");
$set = ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
echo $set;
?>
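The ordering rules scattered across this page (global TLS options before ldap_connect(), per-connection options between ldap_connect() and ldap_bind(), errors only surfacing at bind) collected into one connection helper. This is an added example, not code from the PHP manual; the URI, CA file path and bind DN are placeholders, and it assumes PHP 8.1+ and OpenLDAP.

```php
<?php
// Added example (not from the PHP manual): open an LDAP connection with the
// option ordering this page requires. Host, CA file and bind DN are placeholders.
function ldap_connect_secure(string $uri, string $caFile, string $bindDn, string $password): \LDAP\Connection
{
    // TLS options are process-global: set them with ldap = null BEFORE ldap_connect().
    $tls = [
        LDAP_OPT_X_TLS_CACERTFILE   => $caFile,                        // trust anchor for the server certificate
        LDAP_OPT_X_TLS_REQUIRE_CERT => LDAP_OPT_X_TLS_DEMAND,          // fail if the certificate is missing or invalid
        LDAP_OPT_X_TLS_PROTOCOL_MIN => LDAP_OPT_X_TLS_PROTOCOL_TLS1_2, // refuse handshakes below TLS 1.2
    ];
    foreach ($tls as $opt => $val) {
        if (!ldap_set_option(null, $opt, $val)) {
            throw new RuntimeException("cannot set global TLS option $opt");
        }
    }

    // ldap_connect() only parses the URI; no socket is opened yet, so an
    // unreachable host still yields a connection object at this point.
    $ds = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("invalid LDAP URI: $uri");
    }

    // Per-connection options go after ldap_connect() and before ldap_bind().
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); // LDAPv3, needed for StartTLS and ldap_rename()
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);        // do not chase referrals to other servers
    ldap_set_option($ds, LDAP_OPT_NETWORK_TIMEOUT, 5);  // seconds before a dead host is reported

    // For ldap:// URIs, upgrade to TLS before any credentials are sent.
    // For ldaps:// URIs TLS is already negotiated and this call must be skipped.
    if (str_starts_with($uri, 'ldap://') && !ldap_start_tls($ds)) {
        ldap_get_option($ds, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ds) . " ($diag)");
    }

    // ldap_bind() is the first call that actually talks to the server, so this
    // is where an unreachable host or a rejected certificate finally shows up.
    if (!ldap_bind($ds, $bindDn, $password)) {
        throw new RuntimeException('bind failed: ' . ldap_error($ds));
    }
    return $ds;
}

// Usage with placeholder values:
// $ds = ldap_connect_secure('ldap://ldap.example.com:389', '/etc/ssl/certs/ldap-ca.pem',
//                           'cn=reader,dc=example,dc=com', getenv('LDAP_PASSWORD'));
```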