
Deprecate ldap_connect with two parameters #5177


Merged


heiglandreas
Contributor

@heiglandreas heiglandreas commented Feb 12, 2020

ldap_connect should be called with an LDAP-URI as parameter and not with 2 parameters as that allows much more flexibility like differentiating between ldap and ldaps or setting multiple ldap-servers.

This change requires one to add null as second parameter in case the underlying library is Oracle and one wants to add wallet-details.

@kocsismate
Member

kocsismate commented Feb 12, 2020

Do you plan to put this to a vote? Maybe it would be worth adding this one to Nikita's list of deprecations for PHP 8.

@heiglandreas
Contributor Author

heiglandreas commented Feb 13, 2020

This is implementing the deprecation of the feature that is already marked as deprecated in the documentation since 22nd of April 2019 (https://git.php.net/?p=doc/en.git;a=commit;h=9f34a7ecf58a79efb4586dff4c21c24195479506), so there should be no vote necessary.

It should already be on the list of deprecated features for PHP7.4 ;-)

This could also go into the next PHP7.4 release. Currently there are no plans to remove the possibility to use the two parameters with PHP8.

@kocsismate
Member

Oh, that's cool then 😊

@heiglandreas heiglandreas changed the title Deprecate ldap_connect with two parameters WIP: Deprecate ldap_connect with two parameters Feb 13, 2020
@heiglandreas heiglandreas changed the title WIP: Deprecate ldap_connect with two parameters Deprecate ldap_connect with two parameters Feb 13, 2020
@heiglandreas
Contributor Author

Looks like the failing tests are not related to the changes in this PR.

@heiglandreas
Contributor Author

@derickr Any chance that we can get this change also into PHP7.4? If so, please advise what I need to do. THX

@derickr
Member

derickr commented Feb 15, 2020

We shouldn't deprecate anything in x.y.x releases, so your next possibility is 8.0.0.

@nikic
Member

nikic commented Feb 17, 2020

Would be good to mention this on internals maybe? Unless there already has been some discussion about it?

@cmb69
Member

cmb69 commented Feb 27, 2020

AIUI, ldap_connect() called with host and port always uses plain LDAP, so for secure LDAP you already need to pass in an URI. I don't think removing support for passing host/port would be a huge BC break in practice.

@heiglandreas
Contributor Author

I wouldn't want to remove it (calling ldap_connect with host and port) completely at this point in time as there is some more stuff to it (There are i.e. more parameters that you can use when using OracleLdap as the underlying library) and you can use ldap_start_tls to initiate a secure connection after using ldap_connect with host and port.

This PR is only about marking the usage of ldap_connect with 2 parameters as deprecated (as it is already marked in the documentation) so that people can readily adapt their code so that we can then probably remove that "feature" in PHP9

@ramsey
Member

ramsey commented May 31, 2022

@heiglandreas, please rebase this to resolve the conflicts.

What's the status of this PR? It clearly didn't make it into 8.0.0. Can we target 8.2.0 with it?

@heiglandreas heiglandreas force-pushed the addDeprecationForLdapConnectWithTwoParameters branch from 626ae9f to f0afc8d Compare June 1, 2022 06:24
@heiglandreas
Contributor Author

Rebased. Broken tests seem to be unrelated to the changes.

From my side it can go in whenever it suits. Rather sooner than later!

@cmb69
Member

cmb69 commented Jun 1, 2022

It is okay to introduce a deprecation in a minor version, so this looks good for PHP 8.2.

@devnexen
Member

would it be reasonable to rebase and retrigger the CI ?

ldap_connect should be called with an LDAP-URI as parameter and not with
2 parameters as that allows much more flexibility like differentiating
between ldap and ldaps or setting multiple ldap-servers.

This change requires one to add null as second parameter in case the
underlying library is Oracle and one wants to add wallet-details.
All tests are using ldap_connect now with an URI and not with host and
port as two separate parameters.
This adds a test to verify that calling ldap_connect with 2 parameters
triggers a deprecation notice
@cmb69 cmb69 force-pushed the addDeprecationForLdapConnectWithTwoParameters branch from f0afc8d to 82bd708 Compare June 25, 2022 10:51
@cmb69
Member

cmb69 commented Jun 25, 2022

would it be reasonable to rebase and retrigger the CI ?

I just did that.

`ldap_control_paged_result()` is removed as of PHP 8.0.0, so this test
needs to be removed as well.
Member

@cmb69 cmb69 left a comment


Thank you! I'm very much in favor of deprecating this, since I don't like those soft deprecations because they are so easy to overlook.

There are some minor issues to be resolved, though.

@kocsismate, regarding the docs: apparently the Oracle specific signature is no longer in the docs? Should we bring it back, or did we already discuss this?

@kocsismate
Member

regarding the docs: apparently the Oracle specific signature is no longer in the docs? Should we bring it back, or did we already discuss this?

Hmm, I'm not sure if it was ever there. I vaguely checked the git history, and I couldn't see the oracle specific signature.

IMO it would be better to unify the two signatures into one (with UNKNOWN default params) so that at least the signature is platform-independent.

@cmb69
Member

cmb69 commented Jun 28, 2022

Hmm, I'm not sure if it was ever there. I vaguely checked the git history, and I couldn't see the oracle specific signature.

Oh, right. I've just re-read a 2018 email discussion with @heiglandreas, and given that that signature is only relevant to a small minority of users, and likely confusing for the rest, we didn't document it. And there had even been thoughts about deprecating/removing that Oracle LDAP support, but that might raise issues for Solaris users, so nothing was done.

@heiglandreas
Contributor Author

Has this been formally deprecated via an RFC or should we add this to the 8.3 list?

This is the code-side implementation of what is documented since 2019. We should get this into the 8.x branch so that we actually can remove the second parameter in the next major release.

@Girgias
Member

Girgias commented Jan 26, 2023

Has this been formally deprecated via an RFC or should we add this to the 8.3 list?

This is the code-side implementation of what is documented since 2019. We should get this into the 8.x branch so that we actually can remove the second parameter in the next major release.

Sadly, stuff being documented as deprecated doesn't mean it is "formally" deprecated by our current process. We have a couple of other things like that which didn't get yeeted in 8.0.

@heiglandreas
Contributor Author

It has indeed not yet been discussed on internals.

As currently the code internally since at least 2015 converts a host and a port into an LDAP-URI, marking usage of host AND port as deprecated in the docs seemed logical. Adding a deprecation feedback for users would be the only reasonable thing to at one point make people aware that they should modify their code.

php-src/ext/ldap/ldap.c

Lines 957 to 967 in f56dc76

    if (url && !ldap_is_ldap_url(url)) {
        size_t urllen = hostlen + sizeof( "ldap://:65535" );
        if (port <= 0 || port > 65535) {
            zend_argument_value_error(2, "must be between 1 and 65535");
            RETURN_THROWS();
        }
        url = emalloc(urllen);
        snprintf( url, urllen, "ldap://%s:" ZEND_LONG_FMT, host, port );
    }

The changes in 2015 were btw done to no longer make use of the deprecated underlying C-functions.

I remember that at one point the consensus of the few people involved in it, was that an internals email or even an RFC would not be necessary as the impact isn't that huge as not a lot of people are using the feature and those that do can fix that easily usually in one or two lines of code as ldap_connect($host, $port); becomes ldap_connect("ldap://$host:$port?:369");

But I'll start a discussion on internals now to make sure the process is followed.
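
An added example, not code from this PR or from php-src: one way to migrate a legacy `ldap_connect($host, $port)` call to the URI form while handling the transport-security point raised earlier in the thread (host/port calls use plain LDAP unless `ldap_start_tls` follows). The helper names `ldap_uri_from_host_port` and `connect_starttls` are hypothetical, and the host allowlist is an assumption of this example.

```php
<?php
declare(strict_types=1);

// Added example: ldap_uri_from_host_port() and connect_starttls() are
// hypothetical helpers, not functions from php-src or ext/ldap.

function ldap_uri_from_host_port(string $host, int $port = 389, bool $ldaps = false): string
{
    // Already a URI: nothing to convert.
    if (preg_match('#^(ldap|ldaps|ldapi)://#i', $host) === 1) {
        return $host;
    }
    // Same range check as the ext/ldap snippet quoted in the thread.
    if ($port < 1 || $port > 65535) {
        throw new ValueError('Port must be between 1 and 65535');
    }
    if (filter_var($host, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) !== false) {
        $host = "[$host]"; // IPv6 literals must be bracketed inside a URI
    } elseif (preg_match('/^[A-Za-z0-9.-]+$/', $host) !== 1) {
        // Assumption: a strict allowlist, so "/", "?", "@" or spaces coming
        // from configuration cannot change the structure of the URI.
        throw new ValueError('Host is not a plain host name or IP address');
    }
    return sprintf('%s://%s:%d', $ldaps ? 'ldaps' : 'ldap', $host, $port);
}

function connect_starttls(string $host, int $port = 389): LDAP\Connection
{
    // ldap_connect() only prepares the handle; no network traffic happens yet.
    $conn = ldap_connect(ldap_uri_from_host_port($host, $port));
    if ($conn === false) {
        throw new RuntimeException('Invalid LDAP URI');
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // StartTLS needs LDAPv3
    // Fail closed: never continue to ldap_bind() over cleartext.
    if (!@ldap_start_tls($conn)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($conn));
    }
    return $conn;
}

// Constructed sample inputs (example.org and 2001:db8::/32 are documentation ranges).
echo ldap_uri_from_host_port('ldap.example.org', 389), PHP_EOL;
echo ldap_uri_from_host_port('2001:db8::10', 636, true), PHP_EOL;
```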

@heiglandreas
Contributor Author

@Girgias
Member

Girgias commented Jul 7, 2023

Is this ready to ship @heiglandreas ?

Moreover, did we not deprecate the 5 param signature at the same time? The RFC seems to state that only the 2 param version is deprecated.

Co-authored-by: Tim Düsterhus <timwolla@googlemail.com>
@heiglandreas
Contributor Author

Moreover, did we not deprecate the 5 param signature at the same time? The RFC seems to state that only the 2 param version is deprecated.

The 5 param signature is a separate RFC.

@Girgias
Member

Girgias commented Jul 7, 2023

Moreover, did we not deprecate the 5 param signature at the same time? The RFC seems to state that only the 2 param version is deprecated.

The 5 param signature is a separate RFC.

As in, it was already done, or needs to be done?

@heiglandreas
Contributor Author

As in, it was already done, or needs to be done?

There's no Patch referenced in the Deprecate function with overloaded signatures RFC - So it looks like that still needs to be done.

As there are multiple ldap_ functions addressed in that RFC I'd say having a separate PR makes sense...

@heiglandreas
Contributor Author

From my side this should be ready to go!

@heiglandreas
Contributor Author

A dammit! Tests fail due to the removed dot.... 🙈

@TimWolla
Member

TimWolla commented Jul 7, 2023

@heiglandreas Please also have a look at the pending review comments by cmb, especially with regard to the EXTENSIONS section.

Thanks @cmb69

Co-authored-by: Christoph M. Becker <cmbecker69@gmx.de>
@Girgias
Member

Girgias commented Jul 7, 2023

As in, it was already done, or needs to be done?

There's no Patch referenced in the Deprecate function with overloaded signatures RFC - So it looks like that still needs to be done.

As there are multiple ldap_ functions addressed in that RFC I'd say having a separate PR makes sense...

Right, it's in that RFC. Oki Doki

@heiglandreas
Contributor Author

Anything else I can do to get this merged?

Member

@iluuu1994 iluuu1994 left a comment


LGTM. It's a bit unfortunate that the 5 argument version has no deprecation / migration path. This means we'll need to keep the code for ports even in the next major when 2 arguments are completely removed.

@heiglandreas
Contributor Author

heiglandreas commented Jul 10, 2023

LGTM. It's a bit unfortunate that the 5 argument version has no deprecation / migration path. This means we'll need to keep the code for ports even in the next major when 2 arguments are completely removed.

Erm... IIRC the migration path is to completely remove the oracle stuff from ldap_connect in PHP9.

This RFC proposes to add a new function as a replacement for the 2nd signature (when PHP is compiled with OracleLDAP) in PHP 8.3, and deprecate calling ldap_connect() with 3 or more arguments in PHP 8.4. Finally, the deprecated signature would become unsupported in PHP 9.0, resulting in the following functions:

function ldap_connect(?string $uri = null, int $port = 389): LDAP\Connection|false {}
function ldap_connect_wallet(?string $uri, string $wallet, string $password, int $auth_mode): LDAP\Connection|false {}

To me that means that in PHP9 calling ldap_connect with more than 1 parameter or ldap_connect_wallet with more than 4 parameters is not an option.

So in essence:

PHP8.3:

  • ldap_connect with 2 parameters => deprecation
  • new function ldap_connect_wallet as declared above, no port, only URI
  • ldap_connect with 3 or more parameters => redirected to ldap_connect_wallet

PHP8.4:

  • ldap_connect with 3 or more parameters => deprecation (call ldap_connect_wallet instead)

PHP9:

  • remove stuff for IP and port as well as for Oracle from ldap_connect entirely.

Or did I miss something?

@iluuu1994
Member

@heiglandreas Heh, I only looked at the deprecate RFC, not https://wiki.php.net/rfc/deprecate_functions_with_overloaded_signatures. That's fine then!

@Girgias Girgias merged commit 69a8b63 into php:master Jul 10, 2023
@heiglandreas heiglandreas deleted the addDeprecationForLdapConnectWithTwoParameters branch July 10, 2023 10:10
@TimWolla
Member

Should NEWS / UPGRADING be updated?

@Girgias
Member

Girgias commented Jul 10, 2023

Should NEWS / UPGRADING be updated?

Yes it actually should >-> I forgot

@TimWolla
Member

I've now added it.

@heiglandreas Can you please check that this commit looks good to you: c2cc1db?

@TimWolla
Member

Also updated the Wiki: https://wiki.php.net/rfc/deprecations_php_8_3?do=diff&rev2%5B0%5D=1688725272&rev2%5B1%5D=1689089809&difftype=sidebyside
