Bind options for ldap-config-manager
The current version of ldap-config-manager always uses an EXTERNAL SASL bind to connect to the LDAP server, which works fine with a Debian slapd in its default configuration.
However, some people may have different configurations.
schema-ldap-manager and fusiondirectory-insert-schema (which share the code) allowed a «--options» parameter for passing options to the CLI LDAP tools, which were called by the Perl code. We cannot do that anymore, since we no longer call these tools, but we should directly implement the same kind of options in our tool.
Here are the bind options for ldapsearch:
-x                     Use simple authentication instead of SASL.
-D binddn              Use the Distinguished Name binddn to bind to the LDAP directory. For SASL binds, the server is expected to ignore this value.
-W                     Prompt for simple authentication. This is used instead of specifying the password on the command line.
-w passwd              Use passwd as the password for simple authentication.
-y passwdfile          Use complete contents of passwdfile as the password for simple authentication.
-H ldapuri             Specify URI(s) referring to the ldap server(s); a list of URI, separated by whitespace or commas is expected; only the protocol/host/port fields are allowed. As an exception, if no host/port is specified, but a DN is, the DN is used to look up the corresponding host(s) using the DNS SRV records, according to RFC 2782. The DN must be a non-empty sequence of AVAs whose attribute type is "dc" (domain component), and must be escaped according to RFC 2396.
-h ldaphost            Specify an alternate host on which the ldap server is running. Deprecated in favor of -H.
-p ldapport            Specify an alternate TCP port where the ldap server is listening. Deprecated in favor of -H.
-P {2|3}               Specify the LDAP protocol version to use.
-O security-properties Specify SASL security properties.
-I                     Enable SASL Interactive mode. Always prompt. Default is to prompt only as needed.
-Q                     Enable SASL Quiet mode. Never prompt.
-N                     Do not use reverse DNS to canonicalize SASL host name.
-U authcid             Specify the authentication ID for SASL bind. The form of the ID depends on the actual SASL mechanism used.
-R realm               Specify the realm of authentication ID for SASL bind. The form of the realm depends on the actual SASL mechanism used.
-X authzid             Specify the requested authorization ID for SASL bind. authzid must be one of the following formats: dn:<distinguished name> or u:<username>
-Y mech                Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.
-Z[Z]                  Issue StartTLS (Transport Layer Security) extended operation. If you use -ZZ, the command will require the operation to be successful.
Here are the PHP bind functions and the options they accept:
function ldap_bind_ext($ldap, ?string $dn = null, ?string $password = null, ?array $controls = null) {}
function ldap_sasl_bind($ldap, ?string $dn = null, ?string $password = null, ?string $mech = null, ?string $realm = null, ?string $authc_id = null, ?string $authz_id = null, ?string $props = null): bool {}
So, we may add:
--ldapuri: URI to connect to, defaults to ldapi:///
--binddn: DN to bind with, default to none (external)
--bindpwd: password to bind with, defaults to none
--saslmech: Mech, defaults to EXTERNAL
--saslrealm:
--saslauthcid:
--saslauthzid:
--simplebind: Disable SASL, use simple bind
@bmortier What do you think?
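As an added example (not ldap-config-manager code), this is how the proposed options could be mapped onto ldap_sasl_bind() and ldap_bind_ext(), keeping the current behaviour (ldapi:/// with SASL EXTERNAL) as the default; the function names and the --name=value option syntax are assumptions.

```php
<?php
// Example only, not the project's code: dispatch the proposed --ldapuri/--binddn/--bindpwd/
// --saslmech/--saslrealm/--saslauthcid/--saslauthzid/--simplebind options to a bind.

function parseBindOptions(array $argv): array
{
    // Defaults reproduce today's behaviour: ldapi:/// with SASL EXTERNAL, no DN, no password.
    $opts = [
        'ldapuri' => 'ldapi:///', 'binddn' => null, 'bindpwd' => null,
        'saslmech' => 'EXTERNAL', 'saslrealm' => null,
        'saslauthcid' => null, 'saslauthzid' => null, 'simplebind' => false,
    ];
    foreach ($argv as $arg) {
        if ($arg === '--simplebind') { $opts['simplebind'] = true; continue; }
        if (preg_match('/^--(ldapuri|binddn|bindpwd|saslmech|saslrealm|saslauthcid|saslauthzid)=(.*)$/s', $arg, $m)) {
            $opts[$m[1]] = $m[2];
        }
    }
    return $opts;
}

function bindWithOptions(array $opts)
{
    $ldap = ldap_connect($opts['ldapuri']);   // only checks URI syntax, does not connect yet
    if ($ldap === false) { throw new RuntimeException('Invalid LDAP URI: ' . $opts['ldapuri']); }
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);

    if ($opts['simplebind']) {
        // Equivalent of ldapsearch -x -D binddn -w bindpwd. A DN with an empty password is an
        // unauthenticated bind (RFC 4513), which is never what a config tool wants: refuse it.
        if ($opts['binddn'] !== null && ($opts['bindpwd'] === null || $opts['bindpwd'] === '')) {
            throw new RuntimeException('--binddn requires --bindpwd for a simple bind');
        }
        $result = ldap_bind_ext($ldap, $opts['binddn'], $opts['bindpwd']);
        if ($result === false || !ldap_parse_result($ldap, $result, $code, $matched, $msg)) {
            throw new RuntimeException('Simple bind failed: ' . ldap_error($ldap));
        }
        if ($code !== 0) { throw new RuntimeException("Simple bind failed: $msg (code $code)"); }
        return $ldap;
    }
    // Equivalent of ldapsearch -Y mech -R realm -U authcid -X authzid; with EXTERNAL over
    // ldapi:/// the peer's uid/gid is the identity, so dn/password stay null.
    $ok = ldap_sasl_bind($ldap, $opts['binddn'], $opts['bindpwd'], $opts['saslmech'],
                         $opts['saslrealm'], $opts['saslauthcid'], $opts['saslauthzid']);
    if (!$ok) { throw new RuntimeException('SASL bind failed: ' . ldap_error($ldap)); }
    return $ldap;
}

$ldap = bindWithOptions(parseBindOptions(array_slice($argv, 1)));
ldap_unbind($ldap);
```

Run with no arguments to get the current EXTERNAL-over-ldapi behaviour, or e.g. `--ldapuri=ldap://host --simplebind --binddn=cn=admin,dc=example,dc=com --bindpwd=...` (constructed values) for a simple bind; the ldap extension must be loaded.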