From 2ba64e93f9f7a152cc32e3e9fb79eaee88bb8d9d Mon Sep 17 00:00:00 2001 From: FreddleSpl0it Date: Fri, 8 Mar 2024 13:50:20 +0100 Subject: [PATCH] [Web] allow SSL / TLS connections for LDAP --- data/web/inc/functions.inc.php | 43 ++++++++++++++++--- data/web/lang/lang.en-gb.json | 3 ++ .../admin/tab-config-identity-provider.twig | 24 +++++++++++ 3 files changed, 63 insertions(+), 7 deletions(-) diff --git a/data/web/inc/functions.inc.php b/data/web/inc/functions.inc.php index 6571e0179..274589972 100644 --- a/data/web/inc/functions.inc.php +++ b/data/web/inc/functions.inc.php @@ -2120,10 +2120,19 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { $stmt->execute(); $rows = $stmt->fetchAll(PDO::FETCH_ASSOC); foreach($rows as $row){ - if ($row["key"] == 'mappers' || $row["key"] == 'templates'){ - $settings[$row["key"]] = json_decode($row["value"]); - } else { - $settings[$row["key"]] = $row["value"]; + switch ($row["key"]) { + case "mappers": + case "templates": + $settings[$row["key"]] = json_decode($row["value"]); + break; + case "use_ssl": + case "use_tls": + case "ignore_ssl_errors": + $settings[$row["key"]] = boolval($row["value"]); + break; + default: + $settings[$row["key"]] = $row["value"]; + break; } } // return default client_scopes for generic-oidc if none is set @@ -2207,9 +2216,12 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { $_data['filter'] = (!empty($_data['filter'])) ? $_data['filter'] : ""; $_data['periodic_sync'] = isset($_data['periodic_sync']) ? intval($_data['periodic_sync']) : 0; $_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0; + $_data['use_ssl'] = isset($_data['use_ssl']) ? boolval($_data['use_ssl']) : false; + $_data['use_tls'] = isset($_data['use_tls']) && !$_data['use_ssl'] ? boolval($_data['use_tls']) : false; + $_data['ignore_ssl_error'] = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false; $_data['sync_interval'] = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15; $_data['sync_interval'] = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval']; - $required_settings = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval'); + $required_settings = array('authsource', 'host', 'port', 'basedn', 'username_field', 'filter', 'attribute_field', 'binddn', 'bindpass', 'periodic_sync', 'import_users', 'sync_interval', 'use_ssl', 'use_tls', 'ignore_ssl_error'); break; } @@ -2306,12 +2318,22 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { !$_data['binddn'] || !$_data['bindpass']){ return false; } + $_data['use_ssl'] = isset($_data['use_ssl']) ? boolval($_data['use_ssl']) : false; + $_data['use_tls'] = isset($_data['use_tls']) && !$_data['use_ssl'] ? boolval($_data['use_tls']) : false; + $_data['ignore_ssl_error'] = isset($_data['ignore_ssl_error']) ? boolval($_data['ignore_ssl_error']) : false; + $options = array(); + if ($_data['ignore_ssl_error']) { + $options['LDAP_OPT_X_TLS_REQUIRE_CERT'] = "LDAP_OPT_X_TLS_NEVER"; + } $provider = new \LdapRecord\Connection([ 'hosts' => [$_data['host']], 'port' => $_data['port'], 'base_dn' => $_data['basedn'], 'username' => $_data['binddn'], - 'password' => $_data['bindpass'] + 'password' => $_data['bindpass'], + 'use_ssl' => $_data['use_ssl'], + 'use_tls' => $_data['use_tls'], + 'options' => $options ]); try { $provider->connect(); @@ -2395,12 +2417,19 @@ function identity_provider($_action = null, $_data = null, $_extra = null) { case "ldap": if ($iam_settings['host'] && $iam_settings['port'] && $iam_settings['basedn'] && $iam_settings['binddn'] && $iam_settings['bindpass']){ + $options = array(); + if ($iam_settings['ignore_ssl_error']) { + $options['LDAP_OPT_X_TLS_REQUIRE_CERT'] = "LDAP_OPT_X_TLS_NEVER"; + } $provider = new \LdapRecord\Connection([ 'hosts' => [$iam_settings['host']], 'port' => $iam_settings['port'], 'base_dn' => $iam_settings['basedn'], 'username' => $iam_settings['binddn'], - 'password' => $iam_settings['bindpass'] + 'password' => $iam_settings['bindpass'], + 'use_ssl' => $iam_settings['use_ssl'], + 'use_tls' => $iam_settings['use_tls'], + 'options' => $options ]); try { $provider->connect(); diff --git a/data/web/lang/lang.en-gb.json b/data/web/lang/lang.en-gb.json index 0a0622739..705908028 100644 --- a/data/web/lang/lang.en-gb.json +++ b/data/web/lang/lang.en-gb.json @@ -240,7 +240,10 @@ "iam_userinfo_url": "User info endpoint", "iam_username_field": "Username Field", "iam_binddn": "Bind DN", + "iam_use_ssl": "Use SSL", + "iam_use_tls": "Use TLS", "iam_version": "Version", + "ignore_ssl_error": "Ignore SSL Errors", "import": "Import", "import_private_key": "Import private key", "in_use_by": "In use by", diff --git a/data/web/templates/admin/tab-config-identity-provider.twig b/data/web/templates/admin/tab-config-identity-provider.twig index 5f002c056..e5103d970 100644 --- a/data/web/templates/admin/tab-config-identity-provider.twig +++ b/data/web/templates/admin/tab-config-identity-provider.twig @@ -302,6 +302,30 @@ +
+ +
+
+ +
+
+
+
+ +
+
+ +
+
+
+
+ +
+
+ +
+
+