ldap_set_option

(PHP 4 >= 4.0.4, PHP 5, PHP 7, PHP 8)

ldap_set_optionSet the value of the given option

Description

ldap_set_option(?LDAP\Connection $ldap, int $option, array|string|int|bool $value): bool

Sets the value of the specified option to be value.

Parameters

ldap

Either an LDAP\Connection instance, returned by ldap_connect(), to set the option for that connection, or null to set the option globally.

option

The parameter option can be one of:

Option Type Available since
LDAP_OPT_DEREF int  
LDAP_OPT_SIZELIMIT int  
LDAP_OPT_TIMELIMIT int  
LDAP_OPT_NETWORK_TIMEOUT int  
LDAP_OPT_PROTOCOL_VERSION int  
LDAP_OPT_ERROR_NUMBER int  
LDAP_OPT_REFERRALS bool  
LDAP_OPT_RESTART bool  
LDAP_OPT_HOST_NAME string  
LDAP_OPT_ERROR_STRING string  
LDAP_OPT_DIAGNOSTIC_MESSAGE string  
LDAP_OPT_MATCHED_DN string  
LDAP_OPT_SERVER_CONTROLS array  
LDAP_OPT_CLIENT_CONTROLS array  
LDAP_OPT_X_KEEPALIVE_IDLE int PHP 7.1.0
LDAP_OPT_X_KEEPALIVE_PROBES int PHP 7.1.0
LDAP_OPT_X_KEEPALIVE_INTERVAL int PHP 7.1.0
LDAP_OPT_X_TLS_CACERTDIR string PHP 7.1.0
LDAP_OPT_X_TLS_CACERTFILE string PHP 7.1.0
LDAP_OPT_X_TLS_CERTFILE string PHP 7.1.0
LDAP_OPT_X_TLS_CIPHER_SUITE string PHP 7.1.0
LDAP_OPT_X_TLS_CRLCHECK int PHP 7.1.0
LDAP_OPT_X_TLS_CRLFILE string PHP 7.1.0
LDAP_OPT_X_TLS_DHFILE string PHP 7.1.0
LDAP_OPT_X_TLS_KEYFILE string PHP 7.1.0
LDAP_OPT_X_TLS_PROTOCOL_MIN int PHP 7.1.0
LDAP_OPT_X_TLS_RANDOM_FILE string PHP 7.1.0
LDAP_OPT_X_TLS_REQUIRE_CERT int PHP 7.0.5

LDAP_OPT_SERVER_CONTROLS and LDAP_OPT_CLIENT_CONTROLS require a list of controls, this means that the value must be an array of controls. A control consists of an oid identifying the control, an optional value, and an optional flag for criticality. In PHP a control is given by an array containing an element with the key oid and string value, and two optional elements. The optional elements are key value with string value and key iscritical with boolean value. iscritical defaults to false if not supplied. See » draft-ietf-ldapext-ldap-c-api-xx.txt for details. See also the second example below.

value

The new value for the specified option.

Return Values

Returns true on success or false on failure.

Changelog

Version Description
8.1.0 The ldap parameter expects an LDAP\Connection instance now; previously, a valid ldap link resource was expected.

Examples

Example #1 Set protocol version

<?php
// $ds is a valid LDAP\Connection instance for a directory server
if (ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3)) {
echo
"Using LDAPv3";
} else {
echo
"Failed to set protocol version to 3";
}
?>

Example #2 Set server controls

<?php
// $ds is a valid LDAP\Connection instance for a directory server
// control with no value
$ctrl1 = array("oid" => "1.2.752.58.10.1", "iscritical" => true);
// iscritical defaults to FALSE
$ctrl2 = array("oid" => "1.2.752.58.1.10", "value" => "magic");
// try to set both controls
if (!ldap_set_option($ds, LDAP_OPT_SERVER_CONTROLS, array($ctrl1, $ctrl2))) {
echo
"Failed to set server controls";
}
?>

Notes

Note:

This function is only available when using OpenLDAP 2.x.x OR Netscape Directory SDK x.x.

See Also

add a note

User Contributed Notes 9 notes

up
8
soulbros at yahoo dot com
22 years ago
As [email protected] above mentioned ,one has to set option LDAP_OPT_PROTOCOL_VERSION=3
ldap_set_option($ds,LDAP_OPT_PROTOCOL_VERSION,3);
to use the ldap_rename function.

However, the ldap_set_option() line has to be written immediately after ldap_connect() and before ldap_bind() statements.

Christos Soulios
up
6
hansfn at gmail dot com
18 years ago
Luckily you can turn on debugging before you open a connection:

ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);

This way you at least can see in the logs if the connection fails...
up
2
php at richardneill dot org
2 years ago
If you want to disable the TLS cert check (e.g. because you are doing an SSH port-forward, and ldaps is pointing to localhost), then you must invoke:

ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT,0)
*before* calling ldap_connect()

If you try:

$ds = ldap_connect(...)
ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT,0)

then the option won't actually take effect, and the certificate will be checked anyway, and a TLS failure will happen..
up
2
technosophos
17 years ago
The following flags are valid integer values for the LDAP_OPT_DEREF (as taken from the documentation for ldap_read()):

LDAP_DEREF_NEVER (int 0) - (default) aliases are never dereferenced.

LDAP_DEREF_SEARCHING (int 1) - aliases should be dereferenced during the search but not when locating the base object of the search.

LDAP_DEREF_FINDING (int 2) - aliases should be dereferenced when locating the base object but not during the search.

LDAP_DEREF_ALWAYS (int 3) - aliases should be dereferenced always.

Example:
<?php
ldap_set_option
($ds, LDAP_OPT_DEREF, LDAP_DEREF_ALWAYS);
?>

These are defined in the draft C API (presumably from the original LDAP API). See draft-ietf-ldapext-ldap-c-api-xx.txt included in the OpenLDAP source code distribution.
up
0
Maarten at Aerobe
4 years ago
PHP 7.1 added support for configuring the LDAP CA/Cert environment directly, rather than relying on the environment variables. I noticed that a lot of people are having trouble getting this to work.

The correct way is:
$ds=ldap_connect("ldap.google.com");
ldap_set_option(NULL, LDAP_OPT_X_TLS_CERTFILE, "/path/file.crt");
ldap_set_option(NULL, LDAP_OPT_X_TLS_KEYFILE, "/path/file.key");
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
ldap_start_tls($ds);
...
ldap_close($ds);
up
0
badbo_5834 at hotmail dot com
10 years ago
I have the following code, but you do not rename the cn, that may be?

$TheDN = "cn=Nombre,ou=Addressbook,dc=axia-ldap,dc=net";
$newRDN = "cn=bill";
$newParent = "ou=Addressbook,dc=axia-ldap,dc=net";
ldap_set_option($ds,LDAP_OPT_PROTOCOL_VERSION,3);
$result = ldap_rename($ds, $TheDN, $newRDN, $newParent, TRUE);
up
0
john dot hallam at compaq dot com
22 years ago
To get this to work I had to set the LDAP version to 3 using ldap_set_option. Here is an example that might help:

$TheDN = "cn=john smith,ou=users,dc=acme,dc=com";
$newRDN = "cn=bill brown";
$newParent = "ou=users,dc=acme,dc=com";
ldap_set_option($ds,LDAP_OPT_PROTOCOL_VERSION,3);
@$result = ldap_rename($ds, $TheDN, $newRDN, $newParent, TRUE);
up
-2
minusf at gmail dot com
18 years ago
it seems that ldap_set_option returns 1 for bogus ldap_connect -ions also.
ldap_connect always returns a resource (documented in the
comments of ldap_connect) so it is not possible to check if the
ldap server is there or alive or what. and because ldap_set_option
must be between ldap_connect and ldap_bind, there seems to
be no sense in checking the return value.

it is a bit strange that ldap_bind is the first function which can
really check if a ldap resource is usable because it is the third
function in line to use when working with openldap.

<?php
$connect
= ldap_connect("whatever");
$set = ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
echo
$set;
?>
To Top