LDAP: Cleanup unused parameters #1329
Signed-off-by: Silvio Gissi <silvio@gissilabs.com>
- Documentation is missing how Leantime is supposed to log in to LDAP
- How was this unused?!
- How does Leantime now log in to LDAP to check user credentials?
Hi @b90g, good point about documentation, I noticed that in #1319. LDAP is listed as "Beta" in the documentation. Once Marcel and team consider it stable, I'll be happy to propose a PR for the docs. The unused parameters ended up like that as the LDAP implementation changed over time:
The idea behind the cleanup was exactly to avoid luring users into setting things that have no effect. Please let me know if you caught any issues as a result of the clean-up and I will propose a fix.
Thanks for the quick reply. I see. My understanding of LDAP is very little and I was relying on the concept of a bind authentication user too much (Nextcloud, Zammad, Wekan...). I will try to understand the config wherein the user authenticates against LDAP directly.
No worries, I spent quite some time in the code to figure them out. The only call to ldap_bind comes from the LDAP Service class, in the bind function. The two places that I have found that call the LDAP Service bind function are:
I hope I didn't miss anything in the search!
UTC+1 and tired: I notice the default LDAP client config requires valid certificates. Maybe an option to override the invalid certificate would help? Not sure if this applies.
That is a great catch @b90g. Actually the way we use ldap_connect is passing host and port, that ends up with only unencrypted connections and is deprecated. The correct way is to pass the URL (ldap://host:port or ldaps://host:port). Besides that, if you are using a self-signed certificate, you will have to point to a copy of the public CA file (https://www.php.net/manual/en/ldap.constants.php#constant.ldap-opt-x-tls-cacertfile). Do you mind opening a new issue to track that feature request? This PR is closed and will not have the right visibility.
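The URL form of ldap_connect and the CA file option mentioned in the comment above, combined with a direct user bind, as an added example that is not Leantime's code or part of this PR. The host, CA file path, DN layout, constant names and the function name `exampleLdapDirectBind` are assumptions chosen for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not Leantime code. All three values are placeholders.
const EXAMPLE_LDAP_URI     = 'ldaps://ldap.example.org:636';
const EXAMPLE_LDAP_CA_FILE = '/etc/ssl/certs/example-ldap-ca.pem';
const EXAMPLE_LDAP_USER_DN = 'uid=%s,ou=people,dc=example,dc=org';

// Hypothetical helper: true only if the user's own credentials bind successfully.
function exampleLdapDirectBind(string $username, string $password): bool
{
    // A simple bind with a DN and an empty password is an "unauthenticated
    // bind" (RFC 4513), which many servers answer with success. Reject it
    // here so a blank password can never count as a valid login.
    if ($username === '' || $password === '') {
        return false;
    }

    // TLS options are process-wide in libldap: set them on null, before
    // connecting. DEMAND keeps certificate verification mandatory while
    // trusting the private CA, instead of switching verification off.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, EXAMPLE_LDAP_CA_FILE);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // URI form: the scheme (ldap:// or ldaps://) decides whether TLS is used.
    // ldap_connect() only parses the URI; no network traffic happens yet.
    $conn = ldap_connect(EXAMPLE_LDAP_URI);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Escape the username so it cannot change the structure of the DN.
    $dn = sprintf(EXAMPLE_LDAP_USER_DN, ldap_escape($username, '', LDAP_ESCAPE_DN));

    // The TLS handshake, certificate check and bind all happen on this call.
    $ok = @ldap_bind($conn, $dn, $password);
    if (!$ok) {
        // Log the server-side reason; never log the password.
        error_log('LDAP bind failed: ' . ldap_error($conn));
    }
    ldap_unbind($conn);

    return $ok;
}
```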
Removes LDAP parameters from configuration that are unused and could mislead users.
Signed-off-by: Silvio Gissi silvio@gissilabs.com