[Samba] php_ldap has race conditions

Jim C. jcllings at javahop.com
Fri Mar 12 00:51:07 GMT 2004

Hash: SHA1

I have high hopes for this product but last I checked, there was a major
flaw in php_ldap.  As a student, I remember having an online
disagreement with a professional developer. It went something like this:

His point was that one could use ldap_modify to safely modify entries in
an LDAP database. He made this point profusely for several weeks at the
end of which he was very much embarrassed and asked me to not make a
point of it publicly.  I agreed as I was out to prove my point not
eliminate  someone's job.

I had to point out that the modification commands for php_ldap were
prototyped all wrong if this were the case.  Basically put, if a command
cannot perform a search and modify all in one, then there is risk of two
~ or more writes from different sources occurring simultaneously.  One
should never assume that one has exclusive access to *any* database
unless they are willing to supply the means to ensure it, i.e. a lock.

I made this point by cutting and pasting the command prototypes from the
manual and showing that one could not 1. Acquire and 2. Modify an entry
in one command given those prototypes. You can't modify something if you
don't know what it is RIGHT NOW.

Now one *can* implement a semaphore and check it prior to access in php
but it won't mean anything to someone accessing via a program or perl
script etc.

The only way around this problem that I know of is to use php to call
the ldap client binarys, i.e. ldapadd, ldapmodify etc.  I'm suspicious
of them also, though.

Jim C.

P.S. I look forward to being wrong about this but a review of the docs
shows that I am probably not.  See below.

| ldap_modify() function is used to modify the existing entries in the
LDAP directory. The structure of the entry is same as in ldap_add().

OK, so:

| bool ldap_add ( resource link_identifier, string dn, array entry)

Where, according to the doc, 'resource link_identifier' is the
connection, 'string dn' is who to bind as and 'array entry' is the
modified data.  No ability to specify *what* to modify so we will have
to perform a separate action to retrieve this.  In the meantime the data
has been changed by another process, perhaps.

Allow me to further illustrate:

If Jon's email address is the old one update it to the new one.
This activity cannot be safely performed because using PHP you have to
implement it in a two step process creating a potential race condition.

perl_ldap is purported to be free of race conditions.

Andreas wrote:
| On Wed, Mar 10, 2004 at 07:33:46PM +0200, Graham Leggett wrote:
|>>Your not obligated to use smbldap-tools,  but I won't argue with you on
|>>that one.  I'm not a big fan.
|>Are there alternatives?
| Yes, more or less polished, for example:
| http://lam.sourceforge.net/

- --

- -----------------------------------------------------------------
| I can be reached on the following messenger services:		|
| MSN: j_c_llings at hotmail.com  AIM: WyteLi0n  ICQ: 123291844 	|
| Y!: j_c_llings               Jabber: jcllings at njs.netlab.cz	|
- -----------------------------------------------------------------
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the samba mailing list