feat: support cert and key for LDAPS
flegastelois committed Mar 5, 2021
1 parent b6007a2 commit 9d78c95
Showing 3 changed files with 72 additions and 14 deletions.
3 changes: 2 additions & 1 deletion .gitignore
Expand Up @@ -35,4 +35,5 @@ phpunit.xml
.package.hash
/public/build/
/public/lib/
/tests/web/error.log
/tests/web/error.log
/config/ldap/*
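--- a/inc/auth.class.php
+++ b/inc/auth.class.php
@@ -760,7 +760,10 @@ function login($login_name, $login_password, $noauto = false, $remember_me = fal
 $ldap_method["rootdn"],
 Toolbox::sodiumDecrypt($ldap_method["rootdn_passwd"]),
 $ldap_method["use_tls"],
-$ldap_method["deref_option"]);
+$ldap_method["deref_option"],
+$ldap_method["tls_certfile"],
+$ldap_method["tls_certkey"],
+$ldap_method["use_bind"]);
 
 if ($ds) {
 $ldapservers_status = true;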
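Review bot: The new argument `$ldap_method["tls_certkey"]` does not match the field name this commit introduces everywhere else (`tls_keyfile` in the advanced form and in every authldap.class.php call site), so if `$ldap_method` is the same configuration row this looks like an undefined index and the key path is passed empty; it should read `$ldap_method["tls_keyfile"]`. Because connectToServer concatenates that value onto `GLPI_CONFIG_DIR . '/ldap/'` and only tests the result for truthiness, an empty name still sets LDAP_OPT_X_TLS_KEYFILE to the directory path instead of skipping the option. The enclosing login() body starts and ends outside this hunk.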
78 changes: 66 additions & 12 deletions inc/authldap.class.php
Expand Up @@ -396,6 +396,11 @@ function showForm($ID, $options = []) {
$this->fields["rootdn"]."\">";
echo "</td></tr>";

echo "<tr class='tab_bg_1'><td><label for='use_bind'>" . __('Use Bind') . "</label></td>";
echo "<td colspan='3'>";
Dropdown::showYesNo('use_bind', $this->fields["use_bind"]);
echo "</td></tr>";

echo "<tr class='tab_bg_1'><td><label for='rootdn_passwd'>" .
__('Password (for non-anonymous binds)') . "</label></td>";
echo "<td><input type='password' id='rootdn_passwd' name='rootdn_passwd' value='' autocomplete='new-password'>";
Expand Down Expand Up @@ -532,6 +537,15 @@ function showFormAdvancedConfig() {
Html::autocompletionTextField($this, "inventory_domain", ['size' => 100]);
echo "</td></tr>";

echo "<tr class='tab_bg_1'>";
echo "<td>" . __('TLS Certfile') . "</td><td>";
echo "<input type='text' name='tls_certfile' id='tls_certfile' value='".$this->fields["tls_certfile"]."'>";
echo "</td>";
echo "<td>" . __('TLS Keyfile') . "</td><td>";
echo "<input type='text' name='tls_keyfile' id='tls_keyfile' value='".$this->fields["tls_keyfile"]."'>";
echo "</td>";
echo "</tr>";

echo "<tr class='tab_bg_2'><td class='center' colspan='4'>";
echo "<input type='submit' name='update' class='submit' value=\"".__s('Save')."\">";
echo $hidden;
Expand Down Expand Up @@ -1459,7 +1473,10 @@ static function testLDAPConnection($auths_id, $replicate_id = -1) {
$ds = self::connectToServer($host, $port, $config_ldap->fields['rootdn'],
Toolbox::sodiumDecrypt($config_ldap->fields['rootdn_passwd']),
$config_ldap->fields['use_tls'],
$config_ldap->fields['deref_option']);
$config_ldap->fields['deref_option'],
$config_ldap->fields['tls_certfile'],
$config_ldap->fields['tls_keyfile'],
$config_ldap->fields['use_bind']);
if ($ds) {
return true;
}
Expand Down Expand Up @@ -2615,7 +2632,10 @@ function connect() {
$this->fields['rootdn'],
Toolbox::sodiumDecrypt($this->fields['rootdn_passwd']),
$this->fields['use_tls'],
$this->fields['deref_option']);
$this->fields['deref_option'],
$this->fields['tls_certfile'],
$this->fields['tls_keyfile'],
$this->fields['use_bind']);
}


Expand All @@ -2628,28 +2648,47 @@ function connect() {
* @param string $password password to use (default '')
* @param boolean $use_tls use a TLS connection? (false by default)
* @param integer $deref_options deref options used
* @param string $tls_certfile TLS CERT file name within config directory (default '')
* @param string $tls_keyfile TLS KEY file name within config directory (default '')
* @param boolean $use_bind do we need to do an ldap_bind? (true by default)
*
* @return resource link to the LDAP server : false if connection failed
*/
static function connectToServer($host, $port, $login = "", $password = "",
$use_tls = false, $deref_options = 0) {
$use_tls = false, $deref_options = 0,
$tls_certfile = "", $tls_keyfile = "",
$use_bind = true) {

$ds = @ldap_connect($host, intval($port));
if ($ds) {
@ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
@ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);
@ldap_set_option($ds, LDAP_OPT_DEREF, $deref_options);

if (file_exists(GLPI_CONFIG_DIR . '/ldap/' . $tls_certfile)) {
@ldap_set_option(null, LDAP_OPT_X_TLS_CERTFILE, GLPI_CONFIG_DIR . '/ldap/' . $tls_certfile);
}

if (GLPI_CONFIG_DIR . '/ldap/' . $tls_keyfile) {
@ldap_set_option(null, LDAP_OPT_X_TLS_KEYFILE, GLPI_CONFIG_DIR . '/ldap/' . $tls_keyfile);
}

if ($use_tls) {
if (!@ldap_start_tls($ds)) {
return false;
}
}
// Auth bind
if ($login != '') {
$b = @ldap_bind($ds, $login, $password);
} else { // Anonymous bind
$b = @ldap_bind($ds);
if ($use_bind) {
if ($login != '') {
$b = @ldap_bind($ds, $login, $password);
} else { // Anonymous bind
$b = @ldap_bind($ds);
}
} else {
$b = true;
}

if ($b) {
return $ds;
}
Expand All @@ -2675,14 +2714,20 @@ static function tryToConnectToServer($ldap_method, $login, $password) {
$ds = self::connectToServer($ldap_method['host'], $ldap_method['port'],
$ldap_method['rootdn'],
Toolbox::sodiumDecrypt($ldap_method['rootdn_passwd']),
$ldap_method['use_tls'], $ldap_method['deref_option']);
$ldap_method['use_tls'], $ldap_method['deref_option'],
$ldap_method['tls_certfile'],
$ldap_method['tls_keyfile'],
$ldap_method['use_bind']);

// Test with login and password of the user if exists
if (!$ds
&& !empty($login)) {
$ds = self::connectToServer($ldap_method['host'], $ldap_method['port'], $login,
$password, $ldap_method['use_tls'],
$ldap_method['deref_option']);
$ldap_method['deref_option'],
$ldap_method['tls_certfile'],
$ldap_method['tls_keyfile'],
$ldap_method['use_bind']);
}

//If connection is not successful on this directory, try replicates (if replicates exists)
Expand All @@ -2692,14 +2737,20 @@ static function tryToConnectToServer($ldap_method, $login, $password) {
$ds = self::connectToServer($replicate["host"], $replicate["port"],
$ldap_method['rootdn'],
Toolbox::sodiumDecrypt($ldap_method['rootdn_passwd']),
$ldap_method['use_tls'], $ldap_method['deref_option']);
$ldap_method['use_tls'], $ldap_method['deref_option'],
$ldap_method['tls_certfile'],
$ldap_method['tls_keyfile'],
$ldap_method['use_bind']);

// Test with login and password of the user
if (!$ds
&& !empty($login)) {
$ds = self::connectToServer($replicate["host"], $replicate["port"], $login,
$password, $ldap_method['use_tls'],
$ldap_method['deref_option']);
$ldap_method['deref_option'],
$ldap_method['tls_certfile'],
$ldap_method['tls_keyfile'],
$ldap_method['use_bind']);
}
if ($ds) {
return $ds;
Expand Down Expand Up @@ -3447,7 +3498,10 @@ static function searchUser(AuthLDAP $authldap) {
$authldap->getField('rootdn'),
Toolbox::sodiumDecrypt($authldap->getField('rootdn_passwd')),
$authldap->getField('use_tls'),
$authldap->getField('deref_option'))) {
$authldap->getField('deref_option'),
$authldap->getField('tls_certfile'),
$authldap->getField('tls_keyfile'),
$authldap->getField('use_bind'))) {
self::showLdapUsers();

} else {
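Review bot: The key-file guard `if (GLPI_CONFIG_DIR . '/ldap/' . $tls_keyfile)` in connectToServer tests a non-empty string and is therefore always true, so LDAP_OPT_X_TLS_KEYFILE is set to the `config/ldap/` directory path whenever no key is configured; the cert-file guard fails in a weaker way, because `file_exists()` also returns true for that directory when `$tls_certfile` is the default `''`. Both checks should require a non-empty name and a regular file, and since the new docblock promises a "file name within config directory", reducing the value with `basename()` keeps a stored `../` from pointing the TLS options outside that directory (this narrows the contract if subdirectories were ever intended). Two further points to confirm: `ldap_set_option(null, ...)` sets library-global options, so the last server configured appears to win for every later connection in the same process, and with `$use_bind` false the function returns a handle that never authenticated — including on the user-credential fallback in tryToConnectToServer — so no caller may treat a non-false return as a verified password. connectToServer's error path after `if ($b)` continues outside the hunk.

```php
// … unchanged: ldap_connect() and the LDAP_OPT_* options …

// Only a plain file name inside config/ldap is accepted: an empty name must not
// resolve to the directory itself (file_exists() is true for directories).
$tls_dir  = GLPI_CONFIG_DIR . '/ldap/';
$certname = basename((string)$tls_certfile);
if ($certname !== '' && is_file($tls_dir . $certname)) {
   @ldap_set_option(null, LDAP_OPT_X_TLS_CERTFILE, $tls_dir . $certname);
}
$keyname = basename((string)$tls_keyfile);
if ($keyname !== '' && is_file($tls_dir . $keyname)) {
   @ldap_set_option(null, LDAP_OPT_X_TLS_KEYFILE, $tls_dir . $keyname);
}

// … unchanged: ldap_start_tls() and the bind …
```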

0 comments on commit 9d78c95

Please sign in to comment.