
feat: support cert and key for LDAPS #8748

Merged
merged 6 commits into from Mar 19, 2021

Conversation

flegastelois
Member

| Q | A |
| --- | --- |
| Bug fix? | yes and no |
| New feature? | yes |
| BC breaks? | no |
| Deprecations? | no |
| Tests pass? | yes |
| Fixed tickets | NA |

Needs 3 new columns in `glpi_authldaps`:

```sql
ALTER TABLE `glpi_authldaps`
   ADD COLUMN `tls_certfile` VARCHAR(255) NULL DEFAULT NULL COLLATE 'utf8_unicode_ci',
   ADD COLUMN `tls_keyfile` VARCHAR(255) NULL DEFAULT NULL COLLATE 'utf8_unicode_ci',
   ADD COLUMN `use_bind` TINYINT(1) NOT NULL DEFAULT '1';
```

These changes allow the LDAP authentication / import / directory synchronization to work with secure servers that require a certificate and a private key for connection: this explains the two added option fields (tls_certfile, tls_keyfile).

Although they are called "tls_", you must not enable TLS for the connection to work, which is why I have not made their addition (ldap_set_option) conditional on the boolean "use_tls".

Google Workspace for example:
https://support.google.com/a/answer/9190869?hl=en&ref_topic=9048334#zippy=%2Cldapsearch

```shell
LDAPTLS_CERT={crt_file} LDAPTLS_KEY={key_file} ldapsearch -H ldaps://ldap.google.com:636 -b dc={domain},dc={domain} '(mail={user_email})'
```

In the case of using a certificate and its private key, "ldap_bind" must not be used, which explains the added option.

I can give you production-ready "certificate / key" files to add in the "GLPI_CONFIG_DIR/ldap/" directory.
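The connection sequence the description above implies, written out as an added example in PHP (this is illustrative code, not GLPI's `inc/authldap.class.php`): the client certificate and key are passed with `ldap_set_option` independently of `use_tls`, the server certificate is still verified, and `ldap_bind` is skipped when `use_bind` is off because the TLS client certificate is the identity. The `$config` keys other than the columns named in the PR, the `configDir` argument and the function names are assumptions chosen for the example.

```php
<?php
// Added example, not GLPI project code. Opens an LDAPS connection that presents a
// client certificate + private key, and only calls ldap_bind() when use_bind = 1.
declare(strict_types=1);

/**
 * Resolve a tls_certfile / tls_keyfile value to a readable path under
 * <configDir>/ldap/. Only a bare file name is accepted, so a value stored in the
 * database cannot be turned into an arbitrary path on the server.
 */
function resolveTlsFile(string $name, string $configDir): string
{
    if ($name === '' || basename($name) !== $name) {
        throw new InvalidArgumentException("Invalid TLS file name: $name");
    }
    $path = rtrim($configDir, '/') . '/ldap/' . $name;
    if (!is_readable($path)) {
        throw new RuntimeException("TLS file not readable: $path");
    }
    return $path;
}

/**
 * $config mirrors one glpi_authldaps row. Keys assumed for this example:
 *   host, port, use_tls, tls_certfile, tls_keyfile, use_bind, rootdn, rootdn_passwd
 * Returns the LDAP connection resource/object on success, throws on failure.
 */
function openLdapsConnection(array $config, string $configDir)
{
    // For Google Workspace the host already carries the ldaps:// scheme.
    $uri = sprintf('%s:%d', $config['host'], (int) $config['port']);
    $ds  = ldap_connect($uri);
    if ($ds === false) {
        throw new RuntimeException("Malformed LDAP URI: $uri");
    }

    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    // Always verify the server certificate: a client certificate proves the
    // client's identity, it does nothing against an impersonated server.
    ldap_set_option($ds, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // Client cert + key are set regardless of use_tls: with an ldaps:// URI the
    // session is already encrypted, and use_tls only controls StartTLS below.
    if (!empty($config['tls_certfile']) && !empty($config['tls_keyfile'])) {
        ldap_set_option($ds, LDAP_OPT_X_TLS_CERTFILE, resolveTlsFile($config['tls_certfile'], $configDir));
        ldap_set_option($ds, LDAP_OPT_X_TLS_KEYFILE,  resolveTlsFile($config['tls_keyfile'],  $configDir));
    }

    // StartTLS upgrades a plain ldap:// connection; on an ldaps:// session it
    // fails, which is why use_tls stays off for Google Workspace.
    if (!empty($config['use_tls']) && !ldap_start_tls($ds)) {
        throw new RuntimeException('StartTLS failed: ' . ldap_error($ds));
    }

    if (!empty($config['use_bind'])) {
        if (!@ldap_bind($ds, $config['rootdn'], $config['rootdn_passwd'])) {
            throw new RuntimeException('Bind failed: ' . ldap_error($ds));
        }
    }
    // use_bind = 0: no ldap_bind() at all; the TLS client certificate
    // authenticates the connection and searches can be issued directly.
    return $ds;
}

// Constructed sample configuration matching the Google Workspace values listed in this PR.
$config = [
    'host'          => 'ldaps://ldap.google.com',
    'port'          => 636,
    'use_tls'       => 0,
    'tls_certfile'  => 'google-ldap.crt',   // placeholder file name
    'tls_keyfile'   => 'google-ldap.key',   // placeholder file name
    'use_bind'      => 0,
    'rootdn'        => '',
    'rootdn_passwd' => '',
];

$ds = openLdapsConnection($config, '/path/to/GLPI_CONFIG_DIR'); // placeholder directory
$result = ldap_search($ds, 'dc=example,dc=com', '(mail=user@example.com)', ['mail', 'entryuuid']);
if ($result === false) {
    throw new RuntimeException('Search failed: ' . ldap_error($ds));
}
print_r(ldap_get_entries($ds, $result));
```

The `resolveTlsFile` guard is the part worth keeping even outside this example: the two new columns hold file names that reach `ldap_set_option` unchanged, so restricting them to a bare name inside `GLPI_CONFIG_DIR/ldap/` keeps a compromised or mistyped database value from pointing the LDAP client at any other file on the host.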

@flegastelois
Member Author

It would be interesting to have a "Google Workspace" pre-configured schema (like "AD" or "Default") when we create a new LDAP authentication server.

https://support.google.com/a/answer/9188164?hl=en&ref_topic=9048334

  • Server: ldaps://ldap.google.com
  • Port: 636
  • ConnectionFilter: (objectClass=person)
  • Use bind: no
  • Login field: mail
  • Synchronization field: entryuuid
  • Use TLS: no

@trasher trasher changed the base branch from 9.5/bugfixes to master March 18, 2021 09:09
@trasher trasher changed the title from "[WIP] feat: support cert and key for LDAPS" to "feat: support cert and key for LDAPS" Mar 19, 2021
@trasher trasher removed the wip label Mar 19, 2021
@cedric-anne cedric-anne added this to the Next major version milestone Mar 19, 2021
@trasher trasher merged commit 532065e into glpi-project:master Mar 19, 2021